QR Code-Based Attacks on the Rise as Usage Spikes
Ivanti, an industry leading IT software company, carried out a survey of 4,157 consumers across China, France, Germany, Japan, the U.K. and the U.S. It found that 57 percent of respondents have increased their QR code usage since mid-March 2020, mainly because of the need for touchless transactions in the wake of COVID-19. In all, three-quarters of respondents (77 percent) said they have scanned a QR code before, with 43 percent having scanned a QR code in the past week.
As widespread utilization of QR codes (square, scannable codes that can be used by simply pointing your camera phone at them) continues to spread, an increased interest from cyberattackers, who see a growing opportunity, is likely to increase as well.
“In our latest survey, 31 percent of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website,” Chris Goettl, senior director of product management and security at Ivanti, told Threatpost. “This is a slight increase from six months ago, when 25 percent of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website.”
In terms of how real-world attacks are carried out, Goettl noted that hackers have been known to create adhesive labels with malicious QR codes and paste them over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information.
Additionally, hackers commonly leverage QR codes for phishing and malware attacks, he noted Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials, credit-card data, corporate logins and more; or to sites that automatically download malicious software onto mobile devices. Both attack types are usually aimed at compromising mobile accounts, corporate apps and data that may be on the device.
And indeed, the Army Criminal Investigation Command’s Major Cybercrime Unit recently issued an alert, warning the public about highly motivated cybercriminals who may use QR codes to carry out a range of mobile attacks. The alert noted that malicious QR codes can:
- Add nefarious contacts to the contact list
- Connect the device to a malicious network
- Send text messages to one or all contacts in a user’s address book
- Complete a telephone call to a premium telephone number that imposes excess charges on the calling phone’s account
- And send a payments to a destination where they cannot be recovered
The risks are exacerbated by the fact that 49 percent of respondents in the Ivanti study have no mobile security software in place; and, by a general lack of awareness. For instance, only 37 percent were aware that a QR code can download an application, while just one-fifth were aware that a QR code can give away physical location.
Further, only 39 percent said they could identify a malicious QR code.
To prevent from succumbing to an attack, basic, good security hygiene is a good place to start. For instance, users should be wary of QR codes in public places that look like they’ve been hastily pasted or taped up, potentially replacing a legitimate QR code.
The Army’s alert recommended the following best practices:
- Do not scan a randomly found QR code
- Be suspicious if, after scanning a QR code, a password or login information is requested
- Do not scan QR codes received in emails unless you know they are legitimate
- Do not scan a QR code if it is printed on a label and applied atop another QR code. Ask a staff member to verify its legitimacy first. The business might simply have updated what was their original QR code.
Further Reading:
Army Criminal Investigation Command’s Major Cybercrime Unit