A Quick Response (QR) Code is a kind of barcode made up of a pattern of dots and lines. It can be read using a QR scanner or a smartphone camera. Once scanned, the device changes the dots and lines in the code into numbers or a string of characters. For instance, scanning a QR code with your phone may open a URL in your phone’s web browser. All QR codes are square and feature three square outlines in the bottom-left, top-left, and top-right corners. These outlines help determine the code’s orientation.
QR codes gained a lot of popularity during the COVID-19 pandemic. Many restaurants and bars now use QR codes for their menus to lessen virus spread and cut down on the work needed to clean regular physical menus. QR codes are also used in education for student assignments, on luggage tags, for emergency contact details on medical alert bracelets, on pet ID tags, and even for family histories on gravestones. With all these great benefits, have hackers figured out how to misuse this technology?
What does this mean for an SMB?
Of course, hackers have turned QR Codes into magical hacking tools! Hackers embed malicious URLs containing malware into a QR code which, when scanned, attempts to exfiltrate your data from your compromised mobile device. Other hackers embed a malicious URL in a QR code which directs you to a phishing site, where unaware users disclose personal or financial information.
Because humans cannot read QR codes, it’s easy for attackers to alter a QR code to point to an alternative resource without being detected. While many people are aware that QR codes can open a URL, they can be less aware of the other actions that QR codes can initiate on a user’s device.
A typical attack involves placing malicious QR codes in public, sometimes covering up legitimate QR codes. Unsuspecting users who scan the code are taken to a malicious web page which could host an exploit kit, leading to device compromise or a spoofed login page to steal user credentials. QR Codes were used for mobile payments on a ride-sharing provider until hackers substituted their payment system with a fake QR Code and simply stuck it on top of the vendor’s original payment QR Code. Don’t use QR Codes for critical transactions such as receiving payments.
Once you know about these QR Code attacks you can use them carefully when dining, to check on a medical alert bracelet in an emergency, or even to find the owner of a lost pet. Follow CyberHoot’s recommendations below to reduce the likelihood of falling victim to a QR code scam.
- If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double-check to ensure the domain name is perfectly correct watching for look-alike letters, missing letters, or combination letters (ie: r+n = m as in rn).
- If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
- If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
- If a vendor uses QR Codes for payments, kindly decline. There are enough alternative payment methods available for receiving payments that CyberHoot does not recommend using QR codes in this way. Ask for an alternative.
Sources: