Almost two decades after they were developed, the prevalence and usage of quick response (QR) codes have expanded far beyond their original scope. While many uses are legitimate, threat actors also leverage the technology for malicious purposes.
Invented in 1994, QR codes originally provided quick tracking information for car parts. This technology was adopted by other businesses and upgraded to facilitate access to websites and other information. In 2022, they are used for tasks such as facilitating payments, downloading applications, distributing documents, and confirming event tickets. They even support security mechanisms, including the deployment of multi-factor authentication. The COVID-19 pandemic prompted widespread use of QR codes to report test results and confirm vaccination status. The technology’s popularity was confirmed by the unprecedented scanning of Coinbase’s advertisement during the 2022 Super Bowl.
This evolution has persuaded users that QR code mechanisms can be trusted. However, threat actors are exploiting this trust to collect sensitive information or deploy malware.
How are QR codes exploited?
QR codes leverage mobile device cameras or scanners to read a matrix barcode. The device then translates the barcode into an action, such as a redirection to a social media site. While QR codes cannot be directly compromised, it is possible to substitute a QR code with another, abuse them to distribute malicious software, or redirect victims to a malicious website.
Attacks that exploit QR codes are known as ‘Qshing’ (QR code phishing). In January 2022, the U.S. Federal Bureau of Investigation (FBI) warned QR code users about tampering and cited increased reports of stolen credentials and monetary loss. In March 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a Qshing campaign that leverages a fake password reset page to steal credentials.
Do not fall victim to Qshing
While there is no conclusive way to verify the legitimacy of a QR code other than opening it or using a QR code scanner app, Secureworks® incident responders recommend that you consider the following steps when engaging with a QR code:
- Utilize a security app on your mobile device. Many reputable vendors offer apps that provide antivirus detection and other security protections for mobile devices. Some of these apps include QR scanners. Scanning a QR code via the security app could intercept malicious QR codes or suspicious traits, adding another layer of protection.
- Evaluate the QR code’s credibility. Does the QR code’s context and messaging seem appropriate for the setting? For example, a restaurant offering its menu via QR code is reasonable. However, users should be wary if scanning a QR code leads to prompts for information that doesn’t seem relevant (e.g., a game that requires personally identifiable information (PII), a request for credentials to access a bus schedule). If the QR code seems suspicious, you can try to verify its credibility by contacting the organization or individual who issued it. In addition, it is important to evaluate the potential risks associated with sharing requested information.
- Use the direct route. QR codes are often used to provide direct access to a website or application download. It is safer to visit a website via a confirmed URL in a web browser and to download applications from the official app store. Similarly, Secureworks incident responders strongly recommend directly interacting with your bank or service provider (e.g., vendors such as utility companies, trusted financial apps such as PayPal or Venmo) rather than making payments or financial transactions through a site navigated to by a QR code.
- Protect QR codes that provide access to PII. QR codes that link to sensitive data such as health information are tied specifically to you as an individual. Never share these QR codes with someone you do not trust. Additionally, do not screenshot and publicly share these QR codes with others on social media platforms, as someone could impersonate you or access your private information.
- Verify the QR code destination. The QR code itself may not be malicious, but it could direct you to malicious content. Evaluate the authenticity and security of the content by considering factors such as URL validity, encryption status, and page formatting. If something does not feel right, step away.
- Minimize impact. If you scanned a QR code and navigated to a website or application that appears malicious or untrustworthy, then close the page or application, clear the cookies and site cache from your web browser, and delete the page or application from your browser history. If you provided credentials or financial information, escalate the incident with the appropriate organization and change your password.
Mobile devices are typically harder to exploit without user interaction, but the expanded use of QR codes may lower users’ defenses. Assessing the legitimacy of a QR code could avoid an expensive, stressful, time-consuming, or damaging mistake. Vigilance is key.
Learn more about other social engineering threats impacting organizations and users.
If you need urgent assistance with an incident, contact the Secureworks Incident Response team.