Phony QR Code Helps to Shine Light on the Growing Attack Vector of QR Codes
In a follow up to last week’s post regarding the growing cyber threat brought upon by the growing usage of QR codes, codes used by a COVID-19 contract-tracing program were hijacked by a man who posted scam QR codes on top of the legitimate ones. These codes would direct users to an anti-vaccination website. The man has since been arrested and faces possible criminal charges thanks to his actions.
As reported last week, despite the apparent ease in which they can be abused, QR code use is on the rise. Earlier this month, Ivanti released a report that found 57 percent of survey respondents across China, France, Germany, Japan, the U.K. and the U.S. had increased their QR code usage since March 2020. QR codes have become a quick, contactless way to read menus, check into appointments and more since the start of the COVID-19 pandemic. And where there’s valuable data left unprotected, cybercriminals are guaranteed to show up right on time.
“Hackers have been known to create adhesive labels with malicious QR codes and paste them over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information,” Bill Harrod, vice president of public sector at Ivanti, said.
Ivanti noted in its report this type of “adhesive” malicious QR code attack had already been observed being used to steal payment information in places like restaurants and parking garages. Malicious QR codes are also used to steal credentials in phishing and malware attacks.
The situation is so bad that the Army’s Major Cybercrime Unit issued a warning in March and also cautioned “users to be wary of suspicious quick response codes.”
The Army recommended users avoid scanning random QR codes, be extremely cautious about entering any credentials after scanning and suggests if a QR code appears to be applied on top of another, ask about its legitimacy.
“The problem is that, by design, QR codes are not human-readable, and therefore nearly impossible to detect if the link to which the quick-read code directs the user is safe or malicious,” Harrod explained by email. “For years, we have encouraged users to be aware of links before they click on them and to look for tell-tale signs in the URL that it may not be trustworthy. However, with QR codes, there is no way for users to know before they get redirected.”