We've previously discussed the risks of using QR codes but felt it would be a good idea to reiterate since they’ve made a comeback during the Covid pandemic. QR codes have become increasingly popular throughout the world because they require no physical contact. Many companies are utilizing QR codes to create a more contact-free environment for their customers. So, instead of your server providing physical menus, they may request that you scan a QR code with your phone to access a virtual menu. Some retail stores are even using QR codes as a payment method so that customers do not have to touch a card reader. While QR codes are convenient, they come with risks, as many hackers are utilizing QR codes to steal information.
There are three main ways that hackers are using QR codes to steal user information. The first attack is to embed a malicious URL into the QR code. Once scanned, the QR code will direct users to a URL containing malware meant to steal their data. Another common exploit is to have the QR code redirect the user to a fake website demanding credentials. That could be a social media login page, a bank login page, or an email login page. Once a user enters their credentials, the credentials get sent to the hacker. Besides these two forms of attacks, QR codes can also be used to carry out other malicious activities. Many users are unaware of the power behind QR codes. QR codes can be used to open applications on a user’s phone, change settings, send a text message, and more. Unfortunately, once the code is scanned, there is very little the user can do to prevent automated actions from occurring. The final attack method is to place a fake QR code over a real one. This is very easy to do, especially at restaurants: an attacker simply places a malicious QR code over the real one provided by the restaurant. Once a customer scans the QR code, they will be directed to a malicious website.
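The actions described above depend on what text the QR code decodes to, so a scanner can report the intended action before carrying it out. The following is an added example, not code from the original article; the function name, the prefix list (common de facto payload conventions, not exhaustive) and the sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload prefixes that trigger something other than opening a web page.
# Assumed, non-exhaustive list of common conventions.
ACTION_PREFIXES = {
    "smsto:": "compose a text message",
    "sms:": "compose a text message",
    "tel:": "dial a phone number",
    "mailto:": "compose an email",
    "wifi:": "join a Wi-Fi network",
    "begin:vcard": "add a contact",
}

def inspect_payload(payload, expected_host=None):
    """Return (action, warnings) for a decoded QR payload without acting on it."""
    text = payload.strip()
    for prefix, action in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            return action, ["non-web action: ask the user before proceeding"]
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https"):
        if parts.scheme:  # custom scheme, e.g. a link that opens an app
            return "open an app via '%s:' link" % parts.scheme, ["app link: ask first"]
        return "show plain text", []
    host = parts.hostname or ""
    warnings = []
    if parts.scheme == "http":
        warnings.append("not HTTPS")
    if parts.username or parts.password:
        warnings.append("text before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host may imitate another name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # host is a name, not an IP literal
    if expected_host and host != expected_host.lower():
        warnings.append("host '%s' is not the expected '%s'" % (host, expected_host))
    return "open web page at " + host, warnings

if __name__ == "__main__":
    # Constructed sample payloads (example.com and 203.0.113.7 are reserved for documentation).
    for sample in ("https://menu.example.com/table/12",
                   "http://menu.example.com@203.0.113.7/login",
                   "SMSTO:+15555550100:JOIN"):
        print(sample, "->", inspect_payload(sample, "menu.example.com"))
```

The second sample shows why reading only the start of a link is not enough: the text before the '@' looks like the restaurant's site, but the page is actually served from the address after it.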
There are several ways to protect yourself from a malicious QR code:
Examine the QR code before scanning it
While this may seem obvious, many people scan QR codes without questioning whether they might be malicious. Whenever using a public QR code, make sure that it isn't taped over another QR code and that it has not been tampered with in any way.
Only scan trusted QR codes
Never scan a QR code if you are not sure that it is safe. Sometimes websites have QR codes posted that turn out to be malicious, and QR codes containing malicious links are posted all over the internet. The best way to avoid scanning a malicious QR code is to scan only codes that are known to be safe. When in doubt, verify that the website containing the QR code is valid and try to avoid scanning these QR codes unless necessary.
Never use a QR code to log in to a website or application
As previously mentioned, malicious QR codes will often redirect the user to a fake website asking for credentials. These fake websites can be set up to look like a social media login page, an email login page, etc. If you ever scan a QR code that demands you log in using credentials, do not enter your credentials and exit the website. Make sure to also alert anyone else who might scan the QR code.
While QR codes can be used to make things more convenient, they can also be used maliciously. It is important to be able to recognize a malicious QR code and to never enter any important information when using a QR code. Make sure to only scan trusted QR codes and consult a security expert when in doubt.
Written by Blake Potter
Blake Potter is a Cyber Security Intern at TechGuard Security where he assists with security-related tasks. He is currently a senior at Maryville University studying Cyber Security and plans on becoming a security analyst once he graduates. Blake has a background in IT Support, customer service, and Cyber Security support. In his free time, Blake enjoys working out, playing sports, and spending time with friends and family.