In the world of phishing, there’s a new(ish) player in the game. A survey conducted by Ivanti revealed that in 2021, 57% of people surveyed claimed they were increasingly using QR codes each day. 87% of those asked also claimed they felt secure proceeding with monetary transactions via QR codes - but are they safe?
Firstly, how do QR codes work? QR codes have a similar formula to the barcodes that we use in supermarkets. This is because they’re the next generation of barcodes, and the technical term for them is “2D barcode.” The main difference is that 2D barcodes, or QR codes, can contain up to 100 times the amount of data that a 1D barcode can.
Realistically, anybody can create a QR code containing:
• Virtual identity cards
• Cryptocurrency wallet information
• Social media account links Direct links to application downloads (which could open you up to attacks from malware such as BRATA)
• Online account authentication
• Payment information
• And much more, including up to 4,000 characters of text
With such a broad range of uses, a malicious actor has plenty of opportunities to exploit QR codes, and there’s little that the end user can do about it. For example, an attacker can compromise a trusted site and replace a QR code that you’d normally trust with your payment information, making you send your money to the wrong person. This is just one of the many examples in which a QR code can be misused, and the sky is potentially the limit thanks to the ever-evolving methods of online criminals.
What could this mean for you?
The rise in the malicious use of QR codes, in conjunction with the increased use of the technology, means that there’s now another thing that users must look out for to ensure that their information is secure. If you manage the security for organisations, you may have to educate your employees about the security risks of QR codes - and if you utilise them within your operations, it would be beneficial to your integrity to regularly check the QR codes used by the organisation, to ensure that they send or retrieve the intended data.
For both individuals and organisations, this doesn’t mean that every QR code you come across in the wild will be malicious and try to steal all your data. However, that doesn’t mean you should be oblivious to the potential risk. Malicious actors continue to become more sophisticated at the same speed as security professionals, if not faster - meaning that your security solution alone might not be enough to protect you completely. That’s why we recommend considering these precautions to minimise your chances of falling the victim of this style of attack:
• Take considerable caution whenever downloading an app derived from a QR code
• If the code is a physical image, ensure that it hasn’t been tampered with - malicious actors have been known to put their own QR codes over genuine ones to deceive users
• Use the QR scanning app built into your device’s camera rather than obtaining one from an App Store, as this is an increased attack vector for your device
• Make sure to double-check the URL seen in the preview of the QR code, and don’t proceed if you believe it to be malicious
• Try to abstain from making any payments via a QR code where possible
• Try to confirm wherever you can that the identity of the QR code’s sender is genuine
How can we help protect you?
Our partners at Lookout provide a bespoke Mobile Endpoint Security solution, which offers an array of endpoint security services, including phishing detection. Lookout can identify potentially malicious URLs and stop the end user from interacting with them. The user will be identified of the mitigated threat, and Lookout will alert the organisation of the activity - but won’t provide the exact URL to the organisation, as the privacy of the end user is kept in mind.
Along with Lookout, we at Cyber Security Associates also offer a host of other Mobile Endpoint Security capabilities, including Breach and Data protection. To find out more, you can watch our free Lookout webinar featuring CSA’s Technical Director, James Griffiths, and FluidOne’s Mobile Commercial Director, Ash Morarji, today. You can also get in touch with us for guidance or advice on all aspects of cyber security, from monitoring and detection to training.