FBI Warns of Rising QR Code Attacks
Since the outbreak of the COVID-19 pandemic, Quick Response (QR) code technology has grown in popularity as people turned to contactless transactions. We have seen QR codes being widely used in multiple industries, from track-and-trace to ordering from menus at restaurants and paying for parking. However, the more mainstream the technology has become, the more attractive it is for cybercriminals, who are now exploiting our increased familiarity with this technology.
While QR codes themselves are not inherently malicious, the ease with which criminals can create their own fake codes to dupe consumers is a concern. In fact, the FBI recently issued a warning that cybercriminals have been targeting physical and digital QR codes by tampering with the pixelated barcodes and redirecting victims to malicious sites that steal victim data, embed malware to gain access to the victim’s device, and redirect payment for their criminal use.
Austin Transportation parking enforcement officers recently discovered malicious QR codes on parking meters in Austin, Texas. Instead of being taken to the city’s authorized website or app, motorists who scanned the fake QR codes were led to a fake website that collected their parking fee and credit card information. According to the FBI, law enforcement cannot guarantee the recovery of lost funds after transfer.
Why are QR Code Attacks So Appealing to Cybercriminals?
Several factors make QR codes an appealing attack vector. The indirect nature of the QR code helps to disguise dangerous content – there is nothing to give one set of pixelated squares away as a potential threat. Many people know they need to be on the lookout for phishing links and questionable attachments in emails that purport to be from the bank. But thinking twice about scanning a QR code with your smartphone camera isn’t second nature for most people. This, coupled with the mobile-friendly nature of QR codes and the convenience of the technology, makes users more likely to trust a QR code in situations where they might have been suspicious of a normal link, further boosting the attacker’s chance of success.
The most common ways threat actors exploit QR codes are:
- Embedding malicious URLs in QR codes
- Replacing legitimate QR codes with compromised ones merely by pasting their own QR codes over pre-existing ones
Types of QR Code Attacks
Like phishing attacks, threat actors use different lures and tactics to trick users into scanning the malicious QR code. Common types of QR code attacks include:
- Clickjacking: The easiest QR code scam to pull off is clickjacking. Some people get paid to lure others into clicking on a certain link. What better way than to replace QR codes on a popular monument, for example, where people expect to find background information about the landmark by following the link in the QR code? Instead, the replaced QR code takes them to a sleazy site, and the clickjacking operator gets paid his fee.
- Phishing (quishing): Bad actors commonly leverage QR codes for phishing attacks. Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials, credit-card data, corporate logins, and more. This technique bypasses many anti-phishing systems, which work by scanning the text of emails. Because you can’t see the URL, or it’s not visible in the email, quishing gets past those traditional techniques.
- Malware attacks: Cybercriminals can use QR codes to direct unsuspecting users to sites that automatically download malicious software onto mobile devices. The malware can harm users in several different ways – it might open backdoors for more malware infections or silently steal the target’s information and send it to the cybercriminals. At times, these malware infections might even be ransomware attacks that would hold your information hostage for ransom.
- QRLjacking: Most organizations use Quick Response Code Login (QRL) as an alternative to password-based authentication procedures. A QRL allows users to log in to their accounts by scanning a QR code, which is encrypted with the user’s login credentials. In a QRLjacking attack, cybercriminals trick unwitting users into scanning a specially crafted QRL rather than a legitimate one, enabling the hacker to gain control of the user account. Once the victim scans the malicious QRL, the device gets compromised, allowing the attacker to take complete control of the device.
How to Protect Yourself Against QR Code Attacks
Individuals can protect themselves from QR code attacks by following these tips:
- Do not download an app from a QR code. Use your phone’s app store for a safer download.
- Once you scan a QR code, check the URL to ensure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
- Avoid scanning a QR code found in emails sent to you, even if they seem to come from organizations or people you know.
- Before scanning a code, especially one on printed material in a public place, ensure it hasn’t been pasted over with a different—and potentially malicious—code.
- Avoid making payments through a site navigated from a QR code. Instead, manually enter a known and trusted URL to complete the payment.
- Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Use the default camera app on your device to scan QR codes. Most operating systems’ default camera apps have built-in QR code readers.
- Avoid scanning randomly discovered QR codes from suspicious or unknown sources.
- Use caution if a QR code scan asks for login credentials.
- Install a mobile security app for virus and malware protection to keep your smartphone safe and secure, or use a scam blocker or web filter on your device to protect you against known scams.
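The tip above about checking the URL after a scan can be automated wherever decoded QR URLs pass through software, such as a mail filter or a kiosk scanner. The following is an added example, not code from the FBI notice or this article's author: it compares a decoded URL's host against an allowlist and goes beyond simple typos to also flag non-HTTPS links, punycode labels, userinfo before an "@", and a trusted name embedded in a longer host. The hostnames, the allowlist and the two-edit threshold are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts an organization actually prints on its QR codes.
TRUSTED_HOSTS = {"parking.example.org", "pay.example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def assess_qr_url(url: str, trusted=TRUSTED_HOSTS, max_typos: int = 2):
    """Return (verdict, reasons) for a URL decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append(f"scheme {parts.scheme!r} is not https")
    if parts.username is not None:
        reasons.append("text before '@' is userinfo, not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible homoglyph domain")
    if host in trusted:
        return ("suspicious" if reasons else "trusted"), reasons
    lookalike = False
    for good in sorted(trusted):
        distance = edit_distance(host, good)
        if distance <= max_typos:      # typo or misplaced letter
            lookalike = True
            reasons.append(f"{host!r} is {distance} edit(s) from {good!r}")
        elif good in host:             # trusted name used as a prefix or label
            lookalike = True
            reasons.append(f"{good!r} is embedded in {host!r}")
    if lookalike:
        return "lookalike", reasons
    return ("suspicious" if reasons else "unknown"), reasons

if __name__ == "__main__":
    # Constructed sample: one misplaced letter in an allowlisted host.
    print(assess_qr_url("https://parklng.example.org/pay"))
```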
Organizations can reduce the cybersecurity risk posed by malicious QR codes by adhering to good cybersecurity hygiene. One essential approach is to ensure that employee smartphones are secured, which is often overlooked. Another crucial measure is to raise awareness of the risks of QR codes among employees. Invest in cybersecurity awareness training to help empower your employees with the skills necessary to recognize the signs of a quishing or social engineering attack.
Companies must also implement a robust, layered security strategy that includes real-time detection and response to QR code attacks. By adding real-time detection and automated remediation capabilities to identify and eliminate threats rapidly, you can minimize the impact when a malicious quishing attack makes it through your defenses.
At Alvarez Technology Group, we can help secure your organization from all types of cyber threats, including QR code, phishing, and malware attacks. Contact us for more information on our cybersecurity services.