More than two decades after their introduction, the ubiquity and use of Quick Response (QR) codes have grown well beyond their initial scope. While the technology has numerous legitimate uses, threat actors also exploit it for malicious purposes.
QR codes were created in 1994 to enable rapid tracking of car parts. Other firms embraced and enhanced the technology to make it easier to access web pages and additional information. In 2022, QR codes are used for activities such as enabling payments, distributing documents, downloading applications, and verifying event tickets. They even support security techniques such as multi-factor authentication.
Because of the COVID-19 pandemic, QR codes are now widely used to convey test results and validate vaccination status. The unparalleled number of scans of Coinbase’s ad during the 2022 Super Bowl illustrates the technology’s popularity. As a result of this progression, users have come to believe that QR codes can be trusted. Threat actors, in turn, are taking advantage of this trust to capture sensitive information or spread malware.
A QR code is a matrix barcode that is read with the camera or scanner on a mobile device. The device then converts the barcode into an action, such as a redirection to a social networking site. While QR codes cannot be directly hacked, they can be abused: a threat actor may replace a legitimate QR code with another, use a QR code to spread malicious software, or divert users to a malicious website.
Attacks that abuse QR codes are referred to as ‘Qshing’ (QR code phishing). In January 2022, the FBI issued a warning to QR code users regarding tampering, citing an increase in complaints of stolen credentials and monetary loss. In March 2022, a Qshing campaign that uses a bogus password reset page to steal credentials was detected by the Computer Emergency Response Team of Ukraine (CERT-UA).
While there is no definitive method to check the integrity of a QR code other than opening or scanning it with the help of a QR code scanner application, it is recommended that you follow the steps below when interacting with one:
- Use a security app that scans QR codes on your smartphone or other mobile devices. Scanning a QR code with the security app provides an extra layer of security, as it might catch rogue QR codes or suspicious characteristics.
- Examine the message and context of the QR code to determine whether they are authentic. If scanning a QR code asks for information that doesn’t appear to be relevant, be cautious. If the QR code seems suspicious, you may check its authenticity by contacting the organization or person who issued it.
- QR codes are frequently used to enable instant access to a website or download an application. It is safer to access a website using a verified URL in a web browser and download apps from the official app store.
- QR codes linking to sensitive data, such as medical records, are tied to you as an individual. Never give out these QR codes to anyone you don’t know. Moreover, do not take screenshots of these QR codes and publicly broadcast them on social networking sites. This might allow someone to impersonate you or gain access to your personal information.
- A QR code itself might not be malicious, but it may direct you to malware or other harmful content. Consider URL validity, encryption status, and page design when assessing the content’s legitimacy and security.
- After scanning a QR code, if you are navigated to an application or website that looks untrustworthy or malicious, close the application or page, clear the browser’s cache and cookies, and delete the application or page from your history. If you have provided credentials or financial information, report the occurrence to the proper authorities and reset your password.
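The URL validity and encryption checks from the list above can be applied to the text a scanner decodes before anything is opened. The following is an added example, not part of the original article; the function names, the `VERIFIED_HOSTS` list and the `example.com` hosts are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the issuing organization has published as genuine.
VERIFIED_HOSTS = {"example.com", "tickets.example.com"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_qr_payload(payload, verified_hosts=VERIFIED_HOSTS):
    """Return findings for text decoded from a QR code; an empty list means no flags."""
    try:
        parts = urlsplit(payload.strip())
        host = parts.hostname  # lower-cased, without userinfo or port
    except ValueError:
        return ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        return ["not a web link; review the action the code requests"]
    if not host:
        return ["no host in URL"]
    findings = []
    if parts.scheme == "http":
        findings.append("no TLS: traffic to this page is unencrypted")
    if "@" in parts.netloc:
        findings.append("userinfo before '@' can disguise the real host")
    if is_ip_literal(host):
        findings.append("raw IP address instead of a domain name")
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalized host; possible lookalike domain")
    # Subdomains of a verified host are accepted here (an assumption of this sketch).
    if not any(host == v or host.endswith("." + v) for v in verified_hosts):
        findings.append("host is not on the verified list")
    return findings

# Constructed sample payloads, as a scanner app would decode them.
SAMPLES = [
    "https://tickets.example.com/e/123",
    "http://example.com/reset",
    "https://example.com@198.51.100.7/reset",
    "https://example.com.login-reset.test/",
    "WIFI:S:guest;T:WPA;P:x;;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_qr_payload(sample) or "no flags")
```

An empty result only means none of these checks fired; page design and context still need the manual review described in the list.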
Mobile devices are usually more difficult to attack without user interaction. However, the increased use of QR codes may weaken users’ defenses. By determining the validity of a QR code, you can avoid making a costly, frustrating, time-consuming, or destructive mistake.