Anna Chung is the Principal cybersecurity researcher at Palo Alto Networks. Join her at TNW 2021 for a fascinating talk on ‘Cybercriminal minds.’
QR codes are being used as a key tool for reducing touchpoints and contact tracing throughout the pandemic, enabling convenient and contactless data sharing. They are not inherently unsafe, but they could be open to exploitation by cyber attackers.
Quick response (QR) codes can be thought of in a similar way to URL shortening services – they provide instant access to information such as websites and contact details. They can also let users log in to a Wi-Fi network without typing a password. We’re seeing them used increasingly across all areas of life, but are we thinking before we scan?
QR code technology is safe in itself, but as reliance on it grows, cybercriminals are taking note. These codes could offer an entryway to potential cyber-attacks because they don’t provide visibility into the webpage, application, etc. behind them. Instead, they automatically redirect users to webpages or app stores, trigger app downloads or payments, and more, which gives cybercriminals opportunities to insert themselves into the process. During the pandemic, Unit 42, the threat intelligence team at Palo Alto Networks, has observed cybercriminals in underground online forums discussing ways to abuse QR codes and target the everyday consumer. We also found open-source tools and video tutorials offering training on how to conduct attacks by using QR codes.
Back in 2018, Juniper Research predicted a fourfold increase in the use of QR codes by 2022, driven by QR scanning functionality being built into many mobile devices’ cameras. It’s likely the pandemic has caused another spike in the use of this technology, so we need to be cautious about what we’re scanning.
How cybercriminals could exploit QR codes
There are several ways cybercriminals could leverage QR codes for their own malicious objectives. One method would be to hack into a business’s website and replace the QR code with their own. With QR codes looking so similar, a swapped code would be incredibly hard to spot. Scanning this code could automatically route unsuspecting consumers to a phishing URL, where cybercriminals could request user credentials and then, for example, take control of email or social media accounts. It could also lead users to an illegitimate app store where they might unknowingly download a malicious app containing a virus, spyware, trojan, or other type of malware, which could lead to data theft, privacy breaches (GPS data or contact lists stolen, calls and messages intercepted), ransomware extortion, or sometimes cryptomining.
Another cybercriminal technique is a honeypot. Threat actors could set up an unsafe Wi-Fi network promising free internet to anyone who scans their QR code. Once a device is connected, hackers can eavesdrop on or intercept the data being shared, and steal personally identifiable information, confidential business information, online banking credentials, and credit card information. With remote working likely to continue, it is important we are all aware of such methods and only log into secure Wi-Fi networks.
QR codes: think before you scan
How can we protect ourselves? To the naked eye, there is no way to tell if a QR code is being abused by cybercriminals, but there are many precautions one can take to avoid falling victim.
Business owners and IT administrators need to carry out regular integrity checks on their sites and apps to ensure the code and link they are providing are what they intend. They can do this by regularly scanning the code to check that the link within the QR code is correct. They need to check both the web and mobile browser versions, as cybercriminals have been known to compromise only the latter to reduce the chance of detection.
Employers should also provide personnel with cybersecurity training to make them aware of the risks to the organisation as well as to themselves. These include using strong and unique passwords for both personal and work accounts, setting up multi-factor authentication, and identifying phishing emails as well as unsafe virtual environments. As many employees continue working from non-corporate environments, cyber awareness training will equip the remote workforce with the knowledge to make sensible decisions, preventing attackers from gaining access to personal and corporate networks, devices, and data.
We’ve all been taught to ‘think before we click’ on a suspicious link or email, but now it’s time to revisit this for QR codes – so think before you scan. Don’t scan a QR code if you don’t know where it will lead, and preview the website and domain name to ensure it’s where you expected to be directed. There are many secure QR code scanning apps which allow users to preview websites before they visit them. Many browsers also allow users to disable automatic redirects, so individuals can check the URL domain and decide whether it is trustworthy before taking action.
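As an added example (not code from the article or from Palo Alto Networks), the following Python script carries out the two checks just described in code: the site owner’s integrity check from the previous section (the decoded link must land on one of the owner’s own domains) and the consumer-side preview (inspect the scheme and domain before following a link), and it also looks at the Wi-Fi payload type mentioned earlier. It assumes the QR image has already been decoded to text by the scanner app or a library; the domain allowlist and the sample payloads are constructed for illustration.

```python
"""Triage the text decoded from a QR code before acting on it.

Added example, not code from the article or from Palo Alto Networks. It assumes
the QR image has already been decoded to a string by the scanner app or a
library; this code only inspects that string. The allowlist and sample payloads
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress


@dataclass
class Verdict:
    kind: str                 # "url", "wifi", "vcard" or "other"
    ok: bool                  # True only when no concern was raised
    reasons: list = field(default_factory=list)


def parse_wifi(payload: str) -> dict:
    """Parse the common 'WIFI:T:WPA;S:<ssid>;P:<password>;;' payload into a dict.
    Escaped ';' inside values is not handled; this is enough for triage."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.upper()] = value
    return fields


def _check_url(url: str, expected_hosts) -> Verdict:
    """Apply the 'preview the domain' checks to an http(s) URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if parts.username is not None or parts.password is not None:
        reasons.append("URL has a user:password@ part; the real host is what follows the '@'")
    if not host:
        reasons.append("no hostname")
        return Verdict("url", False, reasons)
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised hostname; check for look-alike characters")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    # Integrity check: the link must land on one of the domains the owner expects.
    if expected_hosts and not any(host == e or host.endswith("." + e) for e in expected_hosts):
        reasons.append(f"host '{host}' is not one of the expected domains")
    return Verdict("url", not reasons, reasons)


def triage(payload: str, expected_hosts=()) -> Verdict:
    """Classify a decoded QR payload and list anything a person should look at
    before following it. expected_hosts is the site owner's own allowlist (for
    the integrity check) or the domain a consumer expects to land on."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith("WIFI:"):
        f = parse_wifi(text)
        reasons = []
        auth = f.get("T", "").lower()
        if auth in ("", "nopass"):
            reasons.append("open Wi-Fi network with no authentication")
        elif auth == "wep":
            reasons.append("WEP encryption is obsolete")
        if not f.get("S"):
            reasons.append("no SSID given")
        return Verdict("wifi", not reasons, reasons)
    if upper.startswith("BEGIN:VCARD"):
        return Verdict("vcard", True, [])
    if upper.startswith(("HTTP://", "HTTPS://")):
        return _check_url(text, expected_hosts)
    return Verdict("other", False, ["unrecognised payload type, treat as untrusted: " + text[:40]])


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would hand them over.
    samples = [
        "https://www.example.com/menu",
        "http://www.example.com/menu",
        "https://example.com@login.example.net/",
        "https://192.0.2.10/pay",
        "WIFI:T:nopass;S:Free Airport WiFi;;",
        "WIFI:T:WPA;S:Cafe;P:secret;;",
        "BEGIN:VCARD\nVERSION:3.0\nFN:Anna\nEND:VCARD",
        "market://details?id=com.example",
    ]
    for p in samples:
        v = triage(p, ["example.com"])
        print(f"{v.kind:5} {'OK   ' if v.ok else 'CHECK'} {p!r} {v.reasons}")
```

For the site owner’s periodic check, run `triage` over the payload decoded from each published code (web and mobile versions separately) with the organisation’s own domains as `expected_hosts`; any verdict that is not `ok` is a reason to look at the page before customers do. For a consumer, the same reasons are the ones to read off a scanner app’s preview screen.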
Make sure you only download apps from trusted sources, such as Apple’s App Store or the Google Play Store. And continuously update all smart devices to benefit from the latest security protections.
In summary, my key takeaways are:
- Think before you scan
- Check after you scan
- Be aware and alert
As with every technology that increases in use, it’s likely we’ll see a rise in cybercriminals’ attempts to abuse QR codes over the coming months, so it is vital to be aware of the risks to be able to take the right precautions. QR codes will continue to play an important role as we start to recover from the COVID-19 pandemic, but we can’t be complacent. Think carefully before, during and after you scan QR codes to maximise the chance of protecting your devices and data.