Why scanning random QR codes is a bad idea

QR codes have become an integral part of our lives, offering convenient ways to access information, connect with businesses, and make transactions. However, with the rise in popularity of QR codes comes an increased risk of abuse by malicious actors seeking to exploit unsuspecting users. In this post, we’ll explore the potential dangers of QR code abuse and provide practical tips to help you scan QR codes safely.

Understanding the risk

QR code abuse (a.k.a. quishing) can take various forms, including phishing attacks, malware distribution, financial fraud, social engineering, data harvesting, and physical attacks (for example, using a QR code to lure a victim to a specific location). Malicious QR codes may lead users to fake websites, initiate unauthorized transactions, steal personal information, or infect devices with malware. The consequences of falling victim to QR code abuse range from financial loss to compromised privacy and security.

Creating your own bad QR codes

There are lots of ways to create a QR code (with good or bad intentions), but in this example I’ll be using CyberChef, a publicly available tool created by the British intelligence service GCHQ. CyberChef is a powerful web application that provides a wide range of data manipulation and analysis tools, including the ability to create QR codes.

After opening CyberChef, use the search function on the left to find the operation “Generate QR Code”, and drag it into the middle frame (this is where you create your recipe). In the “Input” field in the top right of your screen, you can enter the URL that the QR code will redirect to. Once you’ve done that, you will see the QR code show up at the bottom right (in some cases you need to click the “Bake!” button). Exporting this image gives you something like this, where the QR code is generated as a PNG (the default value) and redirects you to this domain:

CyberChef is an easy way to generate QR codes quickly

How a bad actor would use this

Because a QR code cannot be read by eye, only by a phone or scanner app that decodes it, a bad actor can lure someone into scanning a QR code that leads to a malicious domain, or redirect the user to a phishing domain to harvest credentials, for example.

Looking at these two QR codes, can you spot the “malicious” one?

Two QR codes, of which one is “malicious”

Hopefully you scanned them with your phone, but didn’t click on the link. The right one is the QR code that sends you to a website that allows the bad actor to collect information about you, like your IP address, country, user agent (which reveals, for example, the type of browser you use), and perhaps even more.

Another option a bad actor could leverage is typosquatting, to convince you that the website you’re redirected to is the legitimate one.

What about free drinks?

QR codes seem to have appeared everywhere since 2022, when we needed technology to help us stay safe and contactless solutions were popping up all over the place. I’m pretty sure you’ve seen this on a table recently, even two years later:

Scan the QR code to see the menu

But how do you really know this QR code is a legitimate QR code from the bar or restaurant you’re visiting? And even if it is from the actual bar or restaurant, how can you be sure that the QR code belongs to your table, and that you’re not accidentally buying drinks for other tables because somebody mixed up the QR codes? Or even worse, what if somebody just ordered a couple of stickers with malicious QR codes and stuck them on all the menus? Ever considered that?

This might not seem like a big risk, because it’s probably only a couple of drinks before you find out. But imagine you’re at a bar, and the QR menu you scanned asks you to fill in your email address so it can send you a digital check at the end of the day. Would you fill that in without hesitation?

Can a QR code install malicious software on your device?

In short: No.

While QR codes themselves do not contain executable code, they can link to URLs or other data that can initiate the download and installation of malware onto a device. A QR code can lead you to a malicious website (as mentioned above) that hosts malicious software for you to download, or that initiates a “drive-by download”. The website you’re redirected to can exploit a vulnerability on your phone to install malicious software, or it can be the starting point for social engineering by a bad actor.

So even though the QR code itself can’t manipulate your device, the website you’re redirected to might be able to do that.

Animated QR codes

Yes, you can animate QR codes as well, to fit a company design, or just for fun.

This might be the strangest QR I’ve ever seen so far, but Brian Whelton shows us that it actually works…

How to protect yourself against this

So now the inevitable question: how can I protect myself against malicious QR codes? Even though there’s no silver-bullet answer, here are 5 “rules of thumb” to follow:

1. Use Trusted Sources: Only scan QR codes from sources you trust, such as reputable businesses, official advertisements, or known individuals. Avoid scanning QR codes from unknown or suspicious sources, especially if received through unsolicited emails, messages, or advertisements.

2. Inspect the QR Code: Before scanning a QR code, visually inspect it for any signs of tampering or alterations. Look for pixelation, unusual patterns, or discrepancies that may indicate the QR code is fake or malicious. If in doubt, err on the side of caution and refrain from scanning.

3. Verify the Destination: Whenever possible, verify the destination URL or action associated with the QR code before scanning. Manually type the URL into your browser to confirm its legitimacy, especially if the QR code claims to link to a website or initiate a transaction.

4. Use QR Code Scanner Apps with Security Features: Consider using a QR code scanner app that offers security features such as URL scanning and malware detection. These apps can help identify potentially malicious QR codes and provide warnings before visiting dangerous websites or downloading harmful content.

5. Exercise Caution with Personal Information: Avoid scanning QR codes that request sensitive information such as login credentials, credit card numbers, or personal details unless you trust the source implicitly. Legitimate organizations typically don’t ask for sensitive information via QR codes.

You can also use a tool like CyberChef to reverse engineer the QR code and look at the URL the QR code wants to redirect you to. Another option is to use ScanQR to see where the QR code is going to take you. If you end up with a shortened URL, use a tool like CheckShortURL to see the destination page.
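The checks in the rules above (verify the destination, be wary of lookalike domains, be wary of payloads that ask for something) can be applied to the decoded text itself, once CyberChef or a scanner app has turned the image back into a string. The following Python is an added example written for this post, not code from the page or from CyberChef, ScanQR or CheckShortURL. Its `TRUSTED_DOMAINS` allow-list, the shortener list, the digit-for-letter table and the 0.8 similarity threshold are all constructed assumptions; a real deployment would use a public-suffix list and its own allow-list. It generalises slightly beyond the post by also recognising non-URL payloads (Wi-Fi, tel:, sms:, vCard) that make a phone act rather than open a page.

```python
"""Triage the text decoded from a QR code before acting on it (stdlib only)."""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allow-list of brands the user actually deals with (assumption for this example).
TRUSTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}
# Well-known shorteners: the real destination sits behind a redirect (constructed, partial list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd", "cutt.ly"}
# Payload types that make the phone *do* something instead of opening a page.
ACTION_PREFIXES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:", "geo:", "begin:vcard")
# Digit-for-letter substitutions common in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


@dataclass
class Verdict:
    payload: str
    kind: str                      # "url", "action" or "other"
    host: str = ""
    findings: list[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.findings)


def registered_domain(host: str) -> str:
    """Last two labels; a crude stand-in for a public-suffix lookup (no co.uk handling)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_host(host: str) -> str:
    """Fold case, strip 'www.', drop non-ASCII confusables and undo digit substitutions."""
    host = host.lower().rstrip(".")
    host = host[4:] if host.startswith("www.") else host
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return host.translate(HOMOGLYPHS)


def lookalike_of(host: str) -> str | None:
    """Return the trusted domain this host imitates; None if it *is* trusted or is unrelated."""
    raw = host.lower().rstrip(".")
    raw = raw[4:] if raw.startswith("www.") else raw
    if registered_domain(raw) in TRUSTED_DOMAINS:
        return None                                   # the real thing, or a subdomain of it
    folded = normalize_host(raw)
    labels = folded.split(".")
    name = registered_domain(folded).split(".")[0]    # e.g. "paypa1.com" -> "paypal"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels[:-2]:                      # brand used as a subdomain: paypal.com.evil.net
            return trusted
        if brand in name and name != brand:           # brand embedded: paypal-secure.com
            return trusted
        if SequenceMatcher(None, name, brand).ratio() >= 0.8:   # paypa1, pypal, payapl ...
            return trusted
    return None


def triage(payload: str) -> Verdict:
    """Classify one decoded QR payload and list the reasons a user should hesitate."""
    text = payload.strip()
    if text.lower().startswith(ACTION_PREFIXES):
        v = Verdict(text, "action")
        v.findings.append(f"'{text.split(':', 1)[0]}:' payload triggers a device action, not a web page")
        return v
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return Verdict(text, "other")                 # neither an http(s) URL nor a known action
    host = parts.hostname
    v = Verdict(text, "url", host=host)
    if parts.scheme == "http":
        v.findings.append("plain http: anything you enter can be read or altered in transit")
    if parts.username is not None:
        v.findings.append("userinfo before '@': the real host is the part after it")
    if not host.isascii():
        v.findings.append("non-ASCII host name: check for confusable characters")
    if registered_domain(host) in SHORTENERS:
        v.findings.append("URL shortener: expand it to see the real destination")
    brand = lookalike_of(host)
    if brand:
        v.findings.append(f"host imitates {brand} but is not it (typosquat/lookalike)")
    return v


if __name__ == "__main__":
    for sample in ("https://login.paypal.com/signin", "http://paypa1.com/login",
                   "https://bit.ly/3abc", "WIFI:T:WPA;S:FreeBar;P:hunter2;;"):
        v = triage(sample)
        print(f"{sample!r}: {v.kind}, risky={v.risky}", *("  - " + f for f in v.findings), sep="\n")
```

The script deliberately stops at a shortener rather than following it: resolving the redirect chain needs a network request, which is exactly what a service like CheckShortURL does for you without your phone touching the destination. The `@` check covers a trick the post does not mention but the same attacker would reach for: `http://paypal.com@evil.net/` is a valid URL whose real host is `evil.net`.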

Conclusion

One tip that always works is “stay vigilant” and use common sense. But those are hard to define, and what they mean differs with how much understanding you have of technology or cybersecurity. Luckily technology is improving every single day, and companies like Microsoft, Google and Apple see the need to protect their users from attacks like this.

If QR code scams weren’t successful, they would disappear. So today, attacks like this still work, and you can now see them in phishing emails as well. By using QR codes, the “malicious payload” is “obfuscated” from spam filters, and it’s harder to block them. A further benefit for attackers is that most users will use their mobile phone to scan the QR code, and thus the attackers bypass all the security systems a company might have in place…
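The flip side of that obfuscation is that a quishing email looks odd to a filter in its own way: the lure text is there, an image is there, but the clickable link that a classic phishing mail carries is missing. The Python below is an added example for this post, not code from the page or from any mail product; it is a constructed heuristic, and `LURE_WORDS`, the 80-word threshold and the sample messages are all assumptions made for the illustration. It pulls the image parts out so they can be handed to a real QR decoder, which the stdlib does not provide.

```python
"""Heuristic triage for e-mails whose call to action hides in a QR image (stdlib only)."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Wording typical of the lure; constructed list, tune it to your own mail flow.
LURE_WORDS = ("scan", "qr code", "qr-code", "authenticator", "verify", "expire", "mfa", "password")


class _Visible(HTMLParser):
    """Collect the visible text of an HTML body and count real hyperlinks."""
    def __init__(self) -> None:
        super().__init__()
        self.text: list[str] = []
        self.links = 0

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links += 1

    def handle_data(self, data):
        self.text.append(data)


def body_and_links(msg: EmailMessage) -> tuple[str, int]:
    """Visible text of all text parts, plus the number of clickable links in them."""
    chunks, links = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            p = _Visible()
            p.feed(part.get_content())
            chunks.append(" ".join(p.text))
            links += p.links
        elif ctype == "text/plain":
            body = part.get_content()
            chunks.append(body)
            links += len(re.findall(r"https?://\S+", body))
    return " ".join(chunks), links


def image_parts(msg: EmailMessage) -> list[tuple[str, bytes]]:
    """(name, raw bytes) of every image part; these are what a QR decoder should be run over."""
    return [(p.get_filename() or p.get("Content-ID", "inline"), p.get_payload(decode=True))
            for p in msg.walk() if p.get_content_maintype() == "image"]


def quishing_score(raw_eml: str) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason is one indicator that fired."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    text, links = body_and_links(msg)
    images = image_parts(msg)
    reasons = []
    if images and links == 0:
        reasons.append("image attached but no clickable link: the call to action is in the image")
    hits = [w for w in LURE_WORDS if w in text.lower()]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    if images and len(text.split()) < 80:
        reasons.append("very little text around the image")
    return len(reasons), reasons


# Constructed sample; the base64 blob is a placeholder, not a real PNG or QR code.
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Action required: your password expires today
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Scan the QR code below with your
phone to keep access to your mailbox.</p><img src="cid:qr1"></body></html>
--b1
Content-Type: image/png
Content-ID: <qr1>
Content-Transfer-Encoding: base64

UE5HIHBsYWNlaG9sZGVy
--b1--
"""

# Constructed benign message for comparison: plain text with an ordinary link.
BENIGN_EML = """\
From: alice@example.com
To: bob@example.com
Subject: Notes
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting: https://example.com/notes
"""

if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        score, why = quishing_score(raw)
        print(f"{name}: score={score}", *("  - " + r for r in why), sep="\n")
```

A score is not a verdict; in practice the image parts returned by `image_parts` are what you decode and then run through the same destination checks you would apply to any scanned code, so the URL gets inspected on the mail gateway rather than on an employee's phone outside the corporate controls the post mentions.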

Disclaimer

This post is for informational purposes only, and we are not liable for any loss or damage resulting from its use.

Also: don’t be a skiddie, or an a-hole, and stay vigilant!
