Are QR codes safe to use, or can your mobile phone be hacked using QR codes? Let’s be clear – QR codes by themselves can only be tampered with, altered or generated; they can NOT be hacked. They can, however, be used by thieves as a novel attack vector to enable a malicious hacking attempt. For this reason, security researchers at LMNTRIX feel it’s best to avoid making payments with QR codes.
QR Code – Quick Response Code
QR codes (Quick Response codes) have gained a lot of popularity around the world. They were originally designed for the automotive industry in the 1990s by Toyota’s subsidiary Denso Wave to track vehicle parts. As an internet user in 2021/22, you have undoubtedly encountered these funky-looking bar codes and scanned them using your smartphone’s camera. These codes are designed to quickly take a user to a website where they can receive product information or videos, or to aid in receiving payments, reframed as touchless payments post-COVID. QR codes are free and fast; anyone can easily create their own code by providing the URL they want it to link to. That URL can be a fake login page used as part of a phishing campaign, where the victim is tricked into entering their login credentials. Many cyber criminals are recognizing a new opportunity for exploitation and riding the new trend in QR codes.
Another cause for concern is that malicious software can be hosted on the website a QR code points to. The URL convinces the victim to download a file which then installs the malware. In more advanced instances of the same scheme, the victim doesn’t even initiate the download; the malware is pushed to the device without any action on their part once the QR code has been scanned. The shellcode and delivery mechanism used to deploy the malware may vary according to each mobile phone’s make, model and operating system.
We have outlined a few scenarios that cyber criminals often employ with QR codes:
- Phishing attacks: Since QR codes are more likely than plain links to slip past standard email protection, they can also be embedded in email as part of a larger social engineering attack. When users scan the codes, they are taken through a process in which they must eventually enter their credentials or other information.
- Cyber criminals have used a simple trick in which they replace the genuine QR codes placed by a company at a specific touch point with counterfeit codes. When users scan the fake QR code, they are redirected to a phishing site or shown an iframe pop-up that allows malware to be installed.
- Scanning a malicious QR code can be the same as clicking a malicious link in a classic social engineering attack. Cyber criminals pair QR codes with custom text such as “Scan to win an iPhone 14 Pro Max” to trick people into scanning and so gain access to their devices. They can also take advantage of your curiosity by placing a dangerous code in highly frequented areas of the organisation with little or no accompanying text.
- Clickjacking attacks: Clickjacking is another method cyber criminals use to redirect users who scan a QR code to a credible-looking website with actionable content, such as buttons that encourage visitors to click through. In most cases this results in malware being installed on the device or other private information being stolen.
- Financial theft: Cyber criminals can present a QR code as a payment method, so that your money is sent to their bank account instead of the merchant’s. They may then follow up by swindling a higher amount as part of an incremental theft scheme.
According to a survey by LMNTRIX, more than 89% of end users were not able to tell one QR code from another. The error correction built into QR codes allows even a malicious code to closely resemble the original, and a fake QR code can end up redirecting the unsuspecting user to a phishing page, a page carrying malicious code, or a drive-by download.
QR codes have become more popular in today’s customer-centric world and are no longer limited to their original purpose of tracking inventory in factories. They are now used for everything from marketing, real estate and digital business cards to smart packaging, while COVID amplified their use in more restaurants than one could ever have imagined. We need to understand the risks and limitations of this mechanism. After scanning a QR code, just as with phishing emails, check the URL you are being redirected to for typos or misplaced letters before blindly tapping OK. For physical QR codes, the real challenge is spotting a tampered code with the naked eye.
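As an added illustration (this is example code, not LMNTRIX’s), the following Python sketch triages the text a scanner app decodes from a QR code before the user follows it, applying the “check the URL” advice above mechanically: typo-squatted hostnames, raw IPs, hidden hosts after an `@`, non-HTTPS links, installable files and non-URL payloads are all flagged. The expected-domain allowlist and the sample payloads are constructed for the example.

```python
from urllib.parse import urlparse
import ipaddress
import re

# Constructed allowlist of domains a user expects this code to lead to (assumption)
EXPECTED_DOMAINS = {"example-bank.com", "menu.example-restaurant.com"}
RISKY_EXTENSIONS = (".apk", ".exe", ".ipa", ".zip", ".msi")

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_qr_payload(payload: str, expected=EXPECTED_DOMAINS) -> list:
    """Return human-readable findings for a decoded QR payload; [] means clean."""
    findings = []
    payload = payload.strip()
    # WIFI:, tel:, sms:, MATMSG: etc. make the scanner act directly, not open a browser
    if not re.match(r"^https?://", payload, re.I):
        findings.append("not an http(s) URL: the scanner may perform an action directly")
        return findings
    u = urlparse(payload)
    host = (u.hostname or "").lower()
    if u.scheme.lower() != "https":
        findings.append("plain http: page content can be altered in transit")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("internationalised hostname: possible homoglyph lookalike")
    if _is_ip(host):
        findings.append("raw IP address instead of a hostname")
    if u.username or u.password:
        findings.append("credentials before '@' in the URL: the real host is hidden after it")
    if u.path.lower().endswith(RISKY_EXTENSIONS):
        findings.append("link points at an installable file")
    # Typo-squat check: close to, but not equal to, a domain the user expects
    for exp in expected:
        if host != exp and _edit_distance(host, exp) <= 2:
            findings.append(f"'{host}' differs from expected '{exp}' by only a few characters")
    return findings
```

A scanner app or MDM link filter would run something like this on the decoded string and show the findings before opening the link.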
You don’t have to take our word for it. If all this sounds like a theoretical joke, check out the DEF CON 29 talk “Old MacDonald Had a Barcode, E-I-E-I CAR”, or https://www.kitploit.com/2019/04/qrljacker-v20-qrljacking-exploitation.html – a framework now available in Kali Linux. Such frameworks lower the barrier to performing social engineering attacks, while reiterating our message: slow down and think twice when using QR codes. Go with your intuition, always consider the source, and if you think a QR code is suspicious, don’t use it. Installing a mobile antivirus, a cleaning tool and a security tool that filters links by reputation, and setting up alerts with your bank to flag unauthorised payments and/or suspicious activity, may help reduce instances of QR code exploitation.