QR Codes Offer Easy Cyberattack Avenues as Usage Spikes


Usage is way up, but so are cyberattacks: Mobile phishing, malware, banking heists and more can come from just one wrong scan.

The use of mobile quick-response (QR) codes in daily life, for both work and personal use, continues to rise – and yet, most people aren’t aware that these handy mobile shortcuts can open them up to savvy cyberattacks.

That’s according to Ivanti, which carried out a survey of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. It found that 57 percent of respondents have increased their QR code usage since mid-March 2020, mainly because of the need for touchless transactions in the wake of COVID-19. In all, three-quarters of respondents (77 percent) said they have scanned a QR code before, with 43 percent having scanned a QR code in the past week.


QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants. To use them, people simply open their camera app on their phones and hover over the image. A QR translator built into most mobile phone operating systems will then “read” the QR code and open a corresponding website.

The uses for QR codes are rapidly expanding, Ivanti noted.

“Early in the pandemic, restaurants were using QR codes as menus or payment options, but as the pandemic continued throughout 2020, consumers used QR codes more frequently for practical things like visiting a doctor’s office or picking up a prescription,” according to Ivanti’s report, issued on Wednesday. “Meanwhile, social activities like dining out or enjoying a drink at a bar saw QR code usage decrease in that six-month period. Even offices and places of work saw an increase in usage going from 11 percent to 14 percent, emphasizing the shift in how QR codes have been used during the pandemic.”

Meanwhile, a full 83 percent of respondents in Ivanti’s report said they had used a QR code for the very first time in the last 12 months to make a payment or complete a financial transaction. Of those, more than half (54 percent) had used a QR code for a financial reason for the first time in the past three months alone.

Real-World QR Code Cyberattacks

The flip side of all of this increased usage is increased interest from cyberattackers, who see a growing opportunity, according to Ivanti. So, even though 87 percent of respondents in the survey said they feel secure using a QR code to complete a financial transaction, the reality is that they probably shouldn’t.

“In our latest survey, 31 percent of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “This is a slight increase from six months ago, when 25 percent of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website.”

In terms of how real-world attacks are carried out, Goettl noted that hackers have been known to create adhesive labels with malicious QR codes and paste them over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information.

“This has happened in parking garages and outdoor dining establishments,” he said.

Additionally, hackers commonly leverage QR codes for phishing and malware attacks, he noted. Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials, credit-card data, corporate logins and more, or to sites that automatically download malicious software onto mobile devices. Both attack types are usually aimed at compromising mobile accounts, corporate apps and data that may be on the device.

“However, the most common form of QRLjacking is when a legitimate QR code designed to facilitate cashless payments is replaced with a malicious QR code that exposes banking or financial account information when scanned,” Goettl told Threatpost. “That malicious QR code could enable hackers to transfer money out of bank accounts.”

And indeed, the Army Criminal Investigation Command’s Major Cybercrime Unit recently issued an alert, warning the public about highly motivated cybercriminals who may use QR codes to carry out a range of mobile attacks. The alert noted that malicious QR codes can: add nefarious contacts to the contact list; connect the device to a malicious network; send text messages to one or all contacts in a user’s address book; complete a telephone call to a premium telephone number that imposes excess charges on the calling phone’s account; and send payments to a destination where they cannot be recovered.
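Each action in the alert corresponds to a kind of payload that a scanner decodes before the phone acts on it. The following Python is an added example, not code from Ivanti, the Army alert or Threatpost: it classifies an already-decoded QR string by the action it requests and flags URL traits worth a second look. The prefix table and the URL checks are assumptions based on common scanner conventions, and the sample payloads are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Prefix -> requested action; prefixes are assumed scanner conventions.
ACTIONS = [
    (r"(BEGIN:VCARD|MECARD:)", "add_contact"),
    (r"WIFI:", "join_network"),
    (r"(SMSTO|SMS|MMSTO):", "send_text"),
    (r"tel:", "place_call"),
    (r"(bitcoin|upi):", "send_payment"),
    (r"https?://", "open_url"),
]

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify(payload: str) -> dict:
    """Name the action a decoded QR payload requests, with warnings."""
    text = payload.strip()
    action = next((name for pat, name in ACTIONS
                   if re.match(pat, text, re.IGNORECASE)), "unknown")
    warnings = []
    if action == "open_url":
        parts = urlsplit(text)
        if parts.scheme == "http":
            warnings.append("unencrypted http")
        if parts.username or parts.password:
            warnings.append("userinfo before @ hides the real host")
        if is_ip(parts.hostname or ""):
            warnings.append("raw IP address instead of a domain")
        if parts.path.lower().endswith((".apk", ".mobileconfig")):
            warnings.append("direct app or profile download")
    elif action == "unknown":
        warnings.append("unrecognised payload, do not act on it")
    else:
        warnings.append("non-web action, confirm before allowing: " + action)
    return {"action": action, "warnings": warnings}

# Constructed sample payloads for illustration only.
SAMPLES = ["https://menu.example/table/12",
           "http://pay.example@203.0.113.9/login",
           "WIFI:T:WPA;S:FreeGuest;P:example-pass;;"]
RESULTS = {s: classify(s)["action"] for s in SAMPLES}
```

A scanner or mobile-management policy can use the returned action to require explicit user confirmation for anything other than a clean `open_url`.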

The risks are exacerbated by the fact that 49 percent of respondents in the Ivanti study have no mobile security software in place, and by a general lack of awareness. For instance, only 37 percent were aware that a QR code can download an application, while just one-fifth (22 percent) were aware that a QR code can give away physical location.

Further, only 39 percent said they could identify a malicious QR code.

“As a result of the pandemic, employees are using their mobile devices more than ever before to access corporate data and services from any location,” Goettl said. “As QR codes continue to increase in popularity and use, they will undoubtedly be leveraged more and more by cyberattackers to infiltrate devices and steal corporate data.”

How Can I Prevent QR Code Cyberattacks?

To avoid succumbing to an attack, basic security hygiene is a good place to start. For instance, users should be wary of QR codes in public places that look like they’ve been hastily pasted or taped up, potentially replacing a legitimate QR code.

The Army’s alert recommended the following best practices: Do not scan a randomly found QR code. Be suspicious if, after scanning a QR code, a password or login information is requested. Do not scan QR codes received in emails unless you know they are legitimate. Do not scan a QR code if it is printed on a label and applied atop another QR code. Ask a staff member to verify its legitimacy first. The business might simply have updated what was their original QR code.

“Awareness on this issue is low,” Goettl told Threatpost. “QR codes have become so commonplace that people have become very relaxed to scanning them. The greater reliance on QR codes there is, the greater the likelihood that malicious QR codes will succeed as the avenue for installing malicious code, ransomware, or releasing contact or payment information from the mobile device.”
