The use of mobile quick-response (QR) codes in daily life, for both work & personal use, continues to rise & yet, most people are unaware that these handy mobile shortcuts can open them to clever cyber-attacks.
Usage is vastly up, but so are cyber-attacks: Mobile phishing, malware, banking scams & more can come from just 1 wrong scan.
Touchless Transactions
That is according to Ivanti, which carried out a survey of 4,157 consumers across China, France, Germany, Japan, the UK & the US. It found that 57% of respondents have increased their QR code usage since mid-March 2020, mainly because of the need for touchless transactions in the wake of COVID-19.
In all, three-quarters of respondents (77%) stated they have scanned a QR code before, with 43% having scanned a QR code in the past week.
Scannable Codes
QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants. To use them, people simply open their camera app on their phones and hover over the image. A QR translator built into most mobile phone operating systems will then “read” the QR code & open a corresponding website.
The uses for QR codes are rapidly expanding, Ivanti noted.
“Early in the pandemic, restaurants were using QR codes as menus or payment options, but as the pandemic continued throughout 2020, consumers used QR codes more frequently for practical things like visiting a doctor’s surgery or picking up a prescription,” according to Ivanti’s report, issued on Wed.
Financial Transaction
“Meanwhile, social activities like dining out or enjoying a drink at a bar saw QR code usage decrease in that 6-month period. Even offices & places of work saw an increase in usage going from 11% to 14%, emphasising the shift in how QR codes have been used during the pandemic.”
Meanwhile, a full 83% of respondents in Ivanti’s report said they had used a QR code for the very 1st time in the last 12 months to make a payment or complete a financial transaction. Of those, more than half (54%) had used a QR code for a financial reason for the 1st time in the past 3 months alone.
QR Code Cyber-Attacks
The reverse side of all of this increased usage is increased interest from cyber-attackers, who see a growing opportunity, according to Ivanti. So, even though 87% of respondents in the survey said they feel secure using a QR code to complete a financial transaction, the reality is that they probably should not.
“In our latest survey, 31% of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website,” Chris Goettl, Senior Director of Product Management & security at Ivanti explained.
“This is a slight increase from 6 months ago, when 25% of respondents claimed that they had scanned a QR code that did something they were not expecting or were taken to a suspicious website.”
Adhesive Labels
As to how real-world attacks are carried out, Goettl noted that hackers can create adhesive labels with malicious QR codes & paste them over legitimate QR codes, allowing them to intercept, or sit in the middle of transactions & capture payment information.
“This has happened in parking garages & outdoor dining establishments,” he commented.
Also, hackers often use QR codes for phishing & malware attacks, he noted Malicious QR codes can direct users to legitimate-looking websites designed to steal credentials, credit-card data, corporate logins etc.; or to sites that automatically download malicious software onto mobile devices. Both attack types are usually aimed at compromising mobile accounts, corporate apps & data that may be on the device.
QRL-Jacking
“However, the most common form of QRL-jacking is when a legitimate QR code designed to facilitate cashless payments is replaced with a malicious QR code that exposes banking or financial account information when scanned,” Goettl outlined. “That malicious QR code could enable hackers to transfer money out of bank accounts.”
Also, the US Army Criminal Investigation Command’s Major Cyber-Crime Unit recently issued an alert, warning the public about highly motivated cyber-criminals who may use QR codes to carry out a range of mobile attacks.
Malicious QR Codes
The alert noted that malicious QR codes can:
- Add nefarious contacts to the contact list;
- Connect the device to a malicious network;
- Send text messages to 1 or all contacts in a user’s address book;
- Complete a telephone call to a premium telephone number that imposes excess charges on the calling phone’s account;
- Send a payments to a destination where they cannot be recovered.
Mobile Security Software
The risks are worsened because 49% of respondents in the Ivanti study have no mobile security software in place; &, by a general lack of awareness. E.g., only 37% were aware that a QR code can download an application, while just one-fifth (22%) knew that a QR code can give away a physical location.
Further, only 39% said they could identify a malicious QR code.
“As a result of the pandemic, employees are using their mobile devices more than ever before to access corporate data & services from any location,” Goettl observed. “As QR codes continue to increase in popularity & use, they will undoubtedly be leveraged more & more by cyber-attackers to infiltrate devices & steal corporate data.”
How to Prevent QR Code Cyber-Attacks?
To prevent from succumbing to an attack, basic, good security hygiene is a good place to start.
For instance, users should be wary of QR codes in public places that look like they have been hastily pasted or taped up, potentially replacing a legitimate QR code.
The US Army’s alert recommended the following best practices:
Best Practices
- Do not scan a randomly found QR code.
- Be suspicious if, after scanning a QR code, a password or login information is requested.
- Do not scan QR codes received in emails unless you know they are legitimate.
- Do not scan a QR code if it is printed on a label & applied atop another QR code. Ask a staff member to verify its legitimacy first. The business might simply have updated what was their original QR code.
Awareness
“Awareness on this issue is low,” Goettl warned. “QR codes have become so commonplace that people have become very relaxed to scanning them.
The greater reliance on QR codes there is, the greater the likelihood that malicious QR codes will succeed as the avenue for installing malicious code, ransomware, or releasing contact or payment information from the mobile device.”
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/