QR codes are incredibly popular and pretty convenient to use, so much so that almost 84% of smartphone users have scanned a QR code at least once, and over 34% scan a QR code once a week. Cybercriminals love popular technologies and focus on them to scam, hack, cause malware infection, and so on. This popularity has led to a rise in “QR code phishing”: in January 2022, the FBI issued a warning about QR codes, highlighting their use for data phishing. Here is how hackers use QR codes to hack your corporate network and how you can prevent QR codes from causing security incidents.
QR codes work by embedding instructions into a black and white dot-based image. They work a little like the barcodes you see on food in a store. A smartphone camera, app, or QR code scanning device scans the QR code. The scan then translates the data into human-readable information. QR codes usually contain web links or links to media such as videos or links to download an app. This use of links in a QR code provides a cybercriminal with the opportunity to perform phishing.
There are a few variations on the QR code scam theme doing the rounds:
Quishing is a mashup of QR codes and email phishing. The fraudsters embed a malicious QR code into a legitimate-looking email. A recent example of a quishing attack was a Microsoft Office 365 phishing campaign that used QR codes to steal log-in credentials. Researchers identified spoof Office 365 emails that offered access to missed voicemail messages by scanning a QR code. Scanning the QR code took the user to a fake Office 365 page, which requested credentials to gain access to the message.
QR codes are also being used in various regular scam types, such as tax scams. The UK tax department, HMRC, recently added support for QR codes on their website. However, fraudsters have now used this new feature as a basis for a new QR code tax phishing scam. The spoof HMRC email asks the recipient to scan the code to pay overdue tax. The QR code takes the taxpayer to a spoof site where their financial information is then stolen.
QRL Jacking is an older version of the more recent Quishing scam, but one that has phishing implications. QR codes are very convenient for users, and some companies have extended this convenience to their log-in systems, where users scan a QR code to log in to an account. In QRL Jacking, an attacker navigates to a legitimate site, initiating a session and generating the QR code to log in. The attacker then captures this QR code (for example, using screen scraping) and places this legitimate QR code on a spoof site.
The attacker then uses spear-phishing to target an individual, tricking them into going to the spoof site.
The target then uses the captured QR code to log in; this logs into the original session, thus logging the attacker into the legitimate account.
This scam is more challenging to carry out as it is time-sensitive; however, it will be worth the effort if this is a high-value or sensitive account.
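The following is an added illustration, not code from the original article or from any real product: a minimal model of a scan-to-log-in server, showing why an approved code logs in whichever browser requested it, and how a short code lifetime and a network check narrow that window. The class, the 30-second lifetime, the IP addresses and the same-network rule (a simplified stand-in for IP or location restrictions) are assumptions.

```python
import secrets

QR_TTL_SECONDS = 30  # assumed lifetime of a login QR code


class QRLoginServer:
    """Toy model of a scan-to-log-in service (hypothetical, for illustration)."""

    def __init__(self, ttl=QR_TTL_SECONDS, require_same_network=False):
        self.ttl = ttl
        self.require_same_network = require_same_network
        self.pending = {}    # token -> (browser_session, browser_ip, issued_at)
        self.logged_in = {}  # browser_session -> account

    def start_login(self, browser_session, browser_ip, now):
        """A browser requests a QR code; the token is tied to THAT session."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = (browser_session, browser_ip, now)
        return token

    def approve(self, token, account, phone_ip, now):
        """The account holder's phone scans the code and approves the login."""
        entry = self.pending.pop(token, None)  # codes are single use
        if entry is None:
            return "rejected: unknown or already used code"
        browser_session, browser_ip, issued_at = entry
        if now - issued_at > self.ttl:
            return "rejected: code expired"
        if self.require_same_network and phone_ip != browser_ip:
            return "rejected: phone and browser are on different networks"
        # The login lands in the session that requested the code,
        # regardless of where the code was displayed when it was scanned.
        self.logged_in[browser_session] = account
        return "approved"


def relay_scenario(server, delay):
    """A code issued to one browser is approved `delay` seconds later by a
    phone on another network (constructed sample addresses)."""
    token = server.start_login("browser-A", "198.51.100.7", now=0)
    result = server.approve(token, "alice", phone_ip="203.0.113.20", now=delay)
    return result, server.logged_in.get("browser-A")
```

With the defaults, a scan within the lifetime is approved and `browser-A` ends up logged in as the scanning user; a scan after the lifetime, or with `require_same_network=True`, is rejected.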
QR codes are often used to make it more convenient to download a legitimate app. However, they can be used to encourage people to download malicious apps, including crypto-wallets. For example, the QR crypto-quishing scam involves capturing persistent consent (prior authorization) to use the wallet; this allows the fraudster to drain the wallets of cryptocurrency.
Drive-by-downloads of malware are one of the most insidious forms of malware infection. A person must land on an infected site, and a flaw in any software they use can open the door to malware infection. QR code phishers take advantage of drive-by-download opportunities by sending phishing emails with QR codes that take the recipient to an infected website: one scan of the code and their mobile device may become infected with a trojan.
QR code phishing is designed to evade detection by conventional security products. However, phishing and other scams, including QR code phishing, can be stopped by applying a series of layered and advanced solutions. The following systems act together to stop the QR code phishing cycle:
QR codes are one method in a long line of phishers' favorites. No matter what technology comes along, fraudsters will find a way to exploit it if it is popular. Moreover, a single-point solution cannot capture all possible cyber-attack scenarios. Clever attack chains require a creative response, comprising a mix of security awareness training with advanced AI-enabled spam and content filters.