Cybercriminals are constantly developing new tactics to trick individuals into divulging sensitive information or installing malware. One of the latest tactics to be observed is the use of QR codes to direct people to malicious websites where sensitive information is harvested or to sites hosting malware.
A QR code is a machine-readable matrix barcode that is often used for tracking products in a supply chain, but in recent years it has been adopted as a convenient way to direct people to web resources without them having to type a URL or click a link. QR codes were widely adopted during the COVID-19 pandemic for contactless operations, such as registering attendance at a venue and viewing restaurant menus, to help prevent the spread of the virus.
Many smartphones have built-in QR code readers, and apps can be downloaded for free to allow QR codes to be read. When a smartphone camera picks up a QR code, the user is directed to whatever web resource has been encoded in it. While QR codes have many legitimate uses, they can easily be tampered with to direct individuals to malicious websites.
Phishing emails often contain links to malicious websites that have been masked by changing the display text of the hyperlink. Hovering the mouse pointer over a hyperlink on a computer reveals the URL to which the user will be directed; with a QR code, however, the user may be taken to the website instantly and prompted to enter their banking credentials, Microsoft 365 credentials, or other sensitive information.
Since QR codes are often used to direct individuals to hosted files, such as PDF restaurant menus, it would be easy to trick people into downloading malicious files through QR codes. The malware could provide a cybercriminal with access to the victim’s mobile device, allowing them to steal sensitive information such as passwords or bank account information.
Many businesses use QR codes to direct customers to websites where payments can be processed, and the use of QR codes for this purpose has increased significantly during the pandemic to avoid contact with Point-of-Sale card readers. QR codes could be abused to direct customers to malicious websites that mimic those used by the business in order to steal payment card information.
The Federal Bureau of Investigation (FBI) has recently issued a warning about the increase in the use of QR codes for malicious activities. The FBI emphasized that QR codes are not malicious in nature but can be abused, so precautions should be taken when using them, and users should not assume that a QR code is safe.
A study conducted by Ivanti in 2021 revealed that 87% of people felt secure conducting financial transactions using QR codes. Given the rise in abuse of QR codes, that confidence is worrying. As with embedded hyperlinks in emails, it is important to exercise caution and to check the URL of the resource the user is directed to before taking any action. The domain should be checked to ensure it is correct, and care should be taken to look for typos or misplaced or substituted letters.
The FBI recommends inspecting a QR code before scanning it to make sure it has not been tampered with, for example by a sticker placed over the original code. If prompted to download a file after scanning a QR code, be aware that the file may be malicious. If prompted to download an app, it is safer to visit an official app store instead. Most mobile phones do not need a separate QR scanner app, and installing one increases risk: such apps may themselves be malicious, and many automatically open the encoded resource without asking for confirmation or showing the URL the user is about to visit.
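The URL checks recommended above (verify the domain, look for substituted letters, be wary of direct file downloads) can be automated once the QR code has been decoded. The following is an added example written for this article, not a tool from the FBI or the vendor mentioned below; the trusted-domain allowlist, the substitution table and the sample URLs are constructed assumptions.

```python
"""Vet a URL decoded from a QR code before acting on it (added example)."""
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Character substitutions commonly used to build look-alike domains (constructed table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Extensions that mean the code points straight at a file download (constructed list).
DOWNLOAD_EXTS = (".apk", ".exe", ".zip", ".pdf", ".dmg", ".msi")


def normalize(label: str) -> str:
    """Fold common substitutions so 'rnicrosoft' compares as 'microsoft'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def registered_domain(hostname: str) -> str:
    """Last two labels of the host (simplification: ignores multi-part TLDs such as co.uk)."""
    return ".".join(hostname.lower().split(".")[-2:])


def vet_qr_url(url: str, trusted: set[str]) -> dict:
    """Return a verdict ('trusted', 'lookalike' or 'unknown') and the reasons found."""
    parsed = urlparse(url)
    domain = registered_domain(parsed.hostname or "")
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not HTTPS")
    if parsed.path.lower().endswith(DOWNLOAD_EXTS):
        reasons.append("points straight at a file download")
    verdict = "unknown"
    if domain in trusted:
        verdict = "trusted"
    else:
        for good in trusted:  # compare against each allowlisted domain
            similar = SequenceMatcher(None, normalize(domain), good).ratio() >= 0.85
            if normalize(domain) == good or similar:
                verdict = "lookalike"
                reasons.append(f"resembles trusted domain {good}")
                break
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    TRUSTED = {"example.com"}  # constructed allowlist
    for u in ("https://pay.example.com/checkout",   # genuine
              "https://exarnple.com/login",         # 'rn' substituted for 'm'
              "http://examp1e.com/menu.pdf"):       # digit for letter, plain HTTP, file
        print(u, "->", vet_qr_url(u, TRUSTED))
```

A domain that is neither allowlisted nor similar to an allowlisted one is reported as "unknown" rather than "lookalike", so the allowlist decides how much the check can say.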
Businesses can protect their corporate-owned devices against QR code scams by installing a web filter. A web filter such as WebTitan can prevent mobile devices from being used to visit malicious websites or web pages that violate acceptable internet usage policies. WebTitan will protect against a redirect to a malicious website, whether it comes from a link in a phishing email or from a QR code, and will also block malware downloads and potentially malicious files.