The use of QR codes had an explosion with the pandemic, largely due to their contribution by reducing the need for contact with surfaces that may have been manipulated by third parties and thus minimizing the risks of contagion. They are currently being used in various sectors and in different ways, for example, to display the food menu of a restaurant, means of payment, request for services, share a contact, etc. However, as is often the case with any technology that becomes popular, it has also caught the attention of cybercriminals who are using it for malicious purposes. ESET, a leading company in proactive threat detection, warns how QR codes can be exploited by scammers to trick their victims.
QR is an acronym for Quick Response, in Spanish “quick response”, they are codes that are designed to be read and interpreted quickly. In them, a maximum of 4296 alphanumeric characters can be stored in a matrix in the largest versions, although those for general public use tend to be smaller matrices to be easily captured from the phone’s camera.
QR codes have a structure that allows them to be decoded by applications that work as readers using, for example, the phone’s camera. The action or result obtained after reading a QR code can vary and will depend on the application that is interacting with said code. From a QR code you can: open a web page, download a file, add a contact, connect to a Wi-Fi network and even make payments, among many others. QR codes are very versatile, they can be customized, include logos and there are even dynamic versions that allow you to change the content or action of the QR at any time.
“Given the versatility of QR codes and the large number of actions that can be carried out, the range of possibilities for a cybercriminal is extremely wide. If we add to this the number of QR codes that we find in bars, restaurants, shops, hotels, airports and even payment platforms and health certificates, the attack surface expands even more”, mentions Cecilia Pastorino, Security Researcher Informatics of ESET Latin America.
ESET provides some examples of malicious actions that could be carried out by cybercriminals:
1. Redirect the user to a malicious website to steal information: Just as attackers use malvertising or BlackHat SEO techniques to direct their victims to fraudulent sites,
they could do the same with QR codes. Especially if these are found in advertisements on public roads or in the customer service areas of financial institutions. Recently in the United States, criminals placed stickers with fake QR codes on public parking meters located in different cities that took potential victims to a fake site to supposedly make the payment with the aim of stealing financial data.
2. Downloading a malicious file on the victim’s computer: Many bars and restaurants use QR codes for the user to download a PDF file with the menu or install an application to place the order. In this and similar contexts, an attacker could easily tamper with the QR code to lead the user to download a malicious PDF or to install a rogue application.
3. Perform actions on the victim’s device: QR codes can generate actions directly on the reader device, these actions will depend on the application that is reading them, so pay attention to fake QR reader apps. However, there are some basic actions that any QR reader is capable of interpreting. For example, connect the device to a Wi-Fi network, send an email or SMS with a predefined text, or save a contact on the device. While these actions themselves are not malicious, they could be used by an attacker to connect a computer to a compromised network, send messages on behalf of the victim, or schedule a contact for later deception.
4. Divert a payment or make money requests: Most of the current digital financial applications allow payments to be made through QR codes that contain the data of the recipient of the money. Many stores leave these codes in front of their customers to facilitate the operation. An attacker could modify this QR with their own data and thus receive the charges in their account. It could also generate codes with requests to collect money to trick buyers, as happened to some users who reported that they were scammed by sending a fake QR code to make a payment.
5. Steal user identity or access to an application: Many QR codes are used as a certificate to verify information about a person, such as identity documents or health passes. In these cases, the QR codes contain information as sensitive as that found in an identity document or medical record, which an attacker could easily obtain by scanning the QR code.
On the other hand, many applications (such as WhatsApp, Telegram or Discord) use QR codes to authenticate a user’s session and allow them to access their account. As has already happened with WhatsApp, attacks such as QRLjacking can trick a user by impersonating a service and causing them to scan the QR provided by the attacker.
“In most of the identified cases, the attacker will need to create a malicious QR code which they will then replace with the original code for the victim to scan. In other words, many of these risks are based on social engineering and tricking the victim.”, adds Pastorino from ESET.
The tips for using QR codes safely that ESET shares are:
- In the case of payments with QR and financial operations, always verify that the transaction has been carried out successfully. Confirm the operation both on the buyer’s device and on the seller’s device and make sure you have received the money correctly.
- If you have QR codes available to the public, regularly check that they have not been adulterated.
- When generating a QR code, use a trusted service to do it. Also, verify that the QR obtained by the service is correct and that it performs the desired action.
- Disable the option to perform automatic actions when reading a QR code, such as accessing a website, downloading a file, or connecting to a Wi-Fi network.
- Always verify the action before performing it. Check that the URL is correct, that the downloaded file, the data obtained or the action taken is as expected.
- Do not share QR codes with sensitive information, such as those used to access applications or those included in documents and health certificates. Avoid taking photos of them, do not share them and store them safely.
- Of course, always keep your devices protected, have security tools and update apps. In this way, it will be much more difficult for a cybercriminal to compromise the information.
