Today’s technology provides hackers countless ways to gain unauthorized access to private and sensitive information. News of breaches and cyberattacks are far too common and over the past two years over 100 million Americans have been impacted. Cybercriminals have found yet another way to hack into systems. Quick Response (QR) codes pose security risks that many people are unaware of. If your company is using QR codes, implementation of security measures such as keeping them updated is paramount.
Heinz is one large company that learned this lesson the hard way. You may recall back in 2015 when the Heinz QR code was directing users to an inappropriate site. As it turned out, Heinz did not renew their registration of the domain name. BBC News reports that once their domain name was available another party started using it. The QR code was intended to direct users to a site where they could design their own label for a bottle of ketchup as part of a promotion but instead users landed on a completely different and inappropriate website.
The problem does not end there. QR codes have also been used as part of phishing attacks also known as “QRishing”. They are an ideal attack method for cybercriminals because the human eye cannot differentiate a malicious QR code versus a legitimate one.
What are QR Codes?
QR codes are matrix bar codes that commonly allow consumers to gain access to special coupons, visit company websites, receive special offers or learn more about products/services. When a QR code reader application is installed, a consumer can simply point a smartphone's camera at the code to scan and decode the message contained in the QR code box.
QR Codes are Still Relevant
Although QR codes may not be the hottest marketing trend anymore, they are still widely available and used. According to QRStuff, 53% of American smartphone users say they have scanned a QR code. Convenience rules and the fact of the matter is that QR codes save consumers the hassle of writing down a web address or other useful information. Consumers can simply scan the QR code with their code reader application and have what they need at their fingertips.
Companies are placing them in various locations including: product packaging, movie posters, magazines, business cards, billboards and even on the sides of buildings for marketing purposes.
All Square Roots recently used a QR code on their packaging to gain consumers’ trust by sharing the story of their food production. This came at a crucial time when there was a widespread E.coli outbreak resulting in the recall of romaine lettuce from specific vendors.
Clearly, QR codes are still in use and have become an attack vector. Below you will find four important risks to be aware of and the security measures that can be put into action to protect yourself or your company from a cyber incident.
Four Attack Methods
First, criminals can inject your phone with malware. This direct approach requires nothing more than an unsuspecting consumer or employee to scan a QR code out of curiosity leading to an infected website. Just visiting the infected website can trigger a malicious download. One example of how they might deliver this attack method is to send the QR code in an email that appears to be legitimate enticing the user to scan it.
Second, the attacker leads you to a phishing site to steal your credentials or to gain access to your private information on your mobile device. Phishing websites can be very hard to detect. They use a similar looking Universal Resource Locator (URL) to a trusted website. Another approach is to change the domain extension. For example, they change the ".org" to ".com". Other times, there is a slight change in the spelling of the URL. Just one of these small changes allows the attacker to fool the user by creating a very similar web address in appearance.
Once the user or your employee visits the phishing site, username/login credentials are requested. After the attacker has your login, the rest is history. They can access your accounts, make changes, see private information and cause irreversible damage to your company name.
Third, cybercriminals can print out free encoding tools on the internet to make QR codes. They print the QR code on adhesive paper and place it over a legitimate QR code or they can email a malicious QR code to an unsuspecting consumer.
Fourth, there's always the risk that an attacker finds a bug in a code reader application that could result in the exploitation of cameras and/or sensors in phones or other devices.
The truth is many of us are curious individuals and may be tempted to scan a QR code just to see what it is. People wonder if it will bring them to a website, a coupon or a code for a free product. Many do not take the time to consider the fact that this action might have huge consequences such as injecting malware on either their company-owned or personal devices.
Four Security Measures
First, promote security awareness within your organization. Talk to your employees about different risks and attack methods being used. Educated employees are less likely to fall victim to an attack at both the work place and in their personal environment.
Second, when possible, feel the QR code to see if a sticker has been applied over the original and legitimate QR code.
Third, only use a QR reader application with built-in security features. Understand that some QR reader apps are more secure than others. Important features to look for include showing the content of the link before it is visited and checking the link against a database of known malicious links.
Fourth, if you find a malicious QR code, report it to the owner of the business where you discovered it.
New technology brings new vulnerabilities, creating a need for ongoing awareness and cybersecurity education. Fully training employees enhances your security posture and as an added bonus protects them personally.
Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes. Click here for more information on accessing a free security awareness training or phishing demo.