QR codes are present in more and more places. In public transportation, on advertising pillars, posters, and at bus stops. They assist in quite a number of daily tasks (say ticket validation) and allow you to skip the tedious transcription of email addresses or URLs. But have you wondered what’s behind these codes? Are they really secure? To what can scanning a code with unknown content lead? Read the following article and learn about the examples of how QR codes can be used for malicious purposes.
In 2021, the Surveillance Technology Oversight Project conducted an experiment in which advertising flyers about a cultural event were distributed, each carrying a QR code. The organization recorded a large number of hits on the website in a very short period of time, showing how many people scanned the codes without much thought, expecting nothing more than details about the event. Fortunately, in this case, the code redirected users to a page designed to inform them about the dangers of QR codes.
Not everyone’s intentions are so pure. In 2020, there was a significant increase in the effectiveness of using QR codes to phish for confidential information. The method takes advantage of the fact that at first glance you cannot see what is encoded in a QR code, and many apps automatically open the links contained in them, without any further intervention or confirmation from the user. Most often the codes encode links to malicious sites or infected mobile apps.
One of the most recent ‘quishing’ campaigns in Poland was one in which cybercriminals impersonated the Santander bank. Codes displayed on a fake bank website redirected to a fake login page, where unaware users entered their login credentials, handing them to criminals who could then easily take over the account and its savings.
This January, flyers were distributed on the streets of Wroclaw with information about help for the victims of the war in Ukraine, purportedly issued by the Office for Foreigners. The flyers carried a QR code that redirected to a cloud storage provider’s website hosting a DOC file, which also did not look suspicious at first glance. However, you never know what might be hiding deeper. The Office for Foreigners, of course, denied that it had distributed the flyers. A similar situation took place in Melbourne, Australia, but instead of creating new flyers, fake QR code stickers were placed over the codes on signs telling people how to report problems at metro stations.
Another interesting case was the use of QR codes at parking lots in Austin, Texas, where the codes were a way to pay for parking. However, instead of redirecting to the website or app of the organization to which the parking lot belonged, the code took you to a page that contained a form that phished for credit card details. In December 2021 alone about a hundred codes like this were located in San Antonio.
As you can see, QR codes are an effective attack vector against many unsuspecting users. Is there any way to protect ourselves from this? You definitely need to use your common sense and not scan every code you encounter. It is also a good idea to use an app that does not open the content of the code immediately after scanning, but first shows what it contains (a link to a website, a business card, a downloadable app). This way you can often verify whether the source is safe. You should also bear in mind that if you are asked to enter credentials after scanning a code, there is a very high probability that it is a phishing attempt. In organisations, to preserve security, administrators can disable the QR code scanning function on business phones.
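The advice above (and the observation earlier that many apps open a scanned link without asking) boils down to one control: look at the decoded payload before acting on it. The following script is an added example, not code from the original article. It assumes the QR image has already been decoded into a string by some scanner library and only inspects that string: it classifies what kind of payload it is (URL, Wi-Fi credentials, SMS, vCard, plain text) and lists the properties a careful user would want flagged, such as plain HTTP, a raw IP address, a file download, or a page that looks like a login or pairing step. The sample payloads, hostnames and addresses are constructed for illustration.

```python
"""Inspect a decoded QR payload and report what acting on it would do.

Added example (not part of the original article). The QR image is
assumed to have been decoded into a string already; this code never
opens anything, it only classifies and flags the payload. Sample
payloads below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Conventional prefixes used by common QR payload types (case-insensitive).
KIND_PREFIXES = [
    ("vcard", "BEGIN:VCARD"),
    ("mecard", "MECARD:"),
    ("wifi", "WIFI:"),
    ("sms", "SMSTO:"),
    ("tel", "TEL:"),
    ("mail", "MAILTO:"),
]

# File types a scanner should not fetch silently.
RISKY_EXTENSIONS = (".apk", ".exe", ".doc", ".docm", ".xls", ".xlsm", ".zip", ".scr")
# Path or query fragments that suggest the page will ask for credentials
# or pair a device (cf. the Google Messages pairing case in the update).
CREDENTIAL_HINTS = ("login", "signin", "password", "verify", "auth", "pair")

URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def classify(payload):
    """Return the payload kind: vcard, mecard, wifi, sms, tel, mail, url or text."""
    p = payload.strip()
    up = p.upper()
    for kind, prefix in KIND_PREFIXES:
        if up.startswith(prefix):
            return kind
    if URL_RE.match(p):
        return "url"
    return "text"


def inspect(payload):
    """Return {'kind', 'target', 'warnings'} for a decoded payload string."""
    target = payload.strip()
    kind = classify(target)
    warnings = []
    if kind == "url":
        u = urlparse(target)
        host = (u.hostname or "").lower()
        if u.scheme not in ("http", "https"):
            warnings.append(f"non-web scheme '{u.scheme}' may open another app")
        elif u.scheme == "http":
            warnings.append("plain HTTP, no transport security")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("internationalized (punycode) hostname, possible lookalike")
        if IPV4_RE.fullmatch(host):
            warnings.append("raw IP address instead of a domain name")
        elif host.count(".") >= 3:
            warnings.append("deeply nested subdomain, check the registrable domain")
        if u.path.lower().endswith(RISKY_EXTENSIONS):
            warnings.append("points at a downloadable file")
        low = target.lower()
        if any(h in low for h in CREDENTIAL_HINTS):
            warnings.append("looks like a login or pairing page; credentials may be requested")
    elif kind == "wifi":
        warnings.append("joins a Wi-Fi network on scan")
    elif kind == "sms":
        warnings.append("composes an SMS, possibly to a premium-rate number")
    return {"kind": kind, "target": target, "warnings": warnings}


# Constructed sample payloads (example.org / 192.0.2.0/24 are documentation ranges).
SAMPLES = {
    "event": "https://example.org/events/summer-festival",
    "parking": "http://192.0.2.10/pay/card-details",
    "flyer": "https://drive.example.net/s/abc123/pomoc.doc",
    "wifi": "WIFI:T:WPA;S:CafeGuest;P:secret;;",
    "login": "https://bank-login.example.com.attacker-example.net/login",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        r = inspect(payload)
        print(f"[{name}] {r['kind']}: {r['target']}")
        for w in r["warnings"]:
            print(f"    ! {w}")
```

A scanner app that shows this kind of summary and waits for a tap, rather than opening the target at once, gives the user the pause the article recommends; the heuristics are deliberately simple string checks, so treat a clean report as "nothing obvious" rather than "safe".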
Update! (7 March 2023)
On 06.03.2023, the editors of the website zaufanatrzeciastrona.pl carried out a sting to see how criminals use QR codes to steal data. It all took place on the well-known instant messenger Discord, where criminals offered rewards in exchange for creating an ‘interviewer account’ to which a survey-filling machine was allegedly connected. The instructions sent by the channel’s administrator included a QR code that had to be scanned with Google Messages. What exactly was behind the code? A link to pair the app with a browser, giving the criminals access to all of the victim’s messages and the ability to send them. This method has mainly been used to send premium text messages at the victim’s expense, but fraudsters could just as easily gain access to, e.g., one-time bank login codes or passwords sent via text, or use the victim’s phone number to send spam or phishing.
Sources:
Taking over phones with a QR code, and nude photos in an encrypted archive (Przejmowanie telefonów kodem QR i rozbierane zdjęcia w zaszyfrowanym archiwum)
Wrocław. Someone is pasting up posters with this QR code… “a collection of information about Ukrainian citizens”. The link leads to Proton Drive… (Wrocław. Ktoś rozkleja plakaty z takim kodem QR… „zbiór informacji o obywatelach Ukrainy”. Link prowadzi do Proton Drive…)
The city put up QR codes for reporting walls defaced with graffiti. Someone “hacked” these codes… by sticking their own versions over them. Australia. (Miasto porozklejało QR-kody, dzięki którym można zgłaszać ściany pomaziane grafiti. Ktoś „zhackował” te kody…naklejając swoje wersje. Australia.)
New variants of phishing attacks in Poland. This time QR codes are in play: you can lose the contents of your account (Nowe warianty ataków phishingowych w Polsce. Tym razem w akcji kody QR – można stracić zawartość konta)
Warning for Santander Bank Polska customers. Attempted QR code fraud (Ostrzeżenie dla klientów Santander Bank Polska. Próba oszustwa na kody QR)