Use of QR codes increased significantly when countries around the world implemented vaccination passports during the pandemic. The pandemic further accelerated the use of QR codes as businesses – from restaurants to gyms – began to leverage QR codes for better contactless access to information including menus, service options, hours of operation, coupons and more.
In fact, the popularity of QR codes has grown so high that a study by The Drum and YouGov found that 75% of consumers have said that they plan to use QR codes moving forward. This has been further accelerated by new updates from Android and iOS that expanded the possibilities of native QR code scanning including the easier detection of smaller QR codes and scanning of QR codes wrapped around objects.
All this rapid adoption aroused the interest of cybercriminals, who began abusing this technology to carry out phishing-like attacks and QRLjacking. QR code-based phishing attacks, sometimes called quishing, uses a QR code to lure victims to a phishing page designed to steal credentials, personal data and other sensitive information. This risk was so high that in January 2022, a warning was released by the FBI that cybercriminals may be tampering with QR codes to direct victims to malicious websites.
QRLjacking is another QR code vulnerability where hackers us a QR code to spread malware to the victim’s device. Other QR code risks are evolving including the use of a QR code to automatically place a phone call or send a text message from the device that scanned the code. Hackers have even been known to initiate a payment from the user’s device or force the device into a certain Wi-Fi network for further exposure.
All of these risks are quite high and prevalent since there are currently no cyber protection systems available to spot cyberattacks operating via QR codes. As such, the use of these codes must be done with extreme caution. Consider these following contributing factors:
Everyone is an entry point to the corporate network
As the use of QR codes can be widely found in bars and restaurants, on advertising posters, and on tickets for sports and cultural events, so it might seem that they are confined to end consumers. However, the line between professional and personal spheres has become very blurred. For example, employees do not hesitate to use personal devices for business purposes, and vice versa.
In fact, according to the 2022 Netwrix Cloud Data Security Report, 69% of organizations have already implemented multifactor authentication (MFA), which often involves sending SMS or push notifications to employees’ smartphones. Scanning QR codes is sometimes also required to access company parking lots or to book a meeting room in coworking spaces.
As a result, personal devices have become a key entry point to the corporate IT environment, so it’s no surprise that cybercriminals often try to compromise these devices. What’s more, it is relatively easy to create a web page that looks like a legitimate website and associate it with a QR code, and then trick users into using that QR code. For example, criminals can print their QR code on a sticker and place that sticker over the real QR code on merchandise, or they can send the QR code in an email. Once the user arrives at the malicious website, they might willingly provide their Office 365 login credentials or other valuable data.
Cyber training is vital
Currently, there are no technological solutions to detect this type of cybercrime. Therefore, it is necessary to turn to the human element: User cyber training must include a component dedicated to QR codes.
Specifically, users should be taught that malicious QR codes are a new variation of phishing. Accordingly, these codes must be considered with the same skepticism as a hypertext link in an email. Train users to never scan a QR code from an unknown or suspicious source. Instead, they should go directly to the associated website via a browser search. In addition, if a user does scan a QR code, they should check the URL to make sure the website is both secure and authentic. By adopting good cyber hygiene, employees can help prevent their devices, and ultimately their company’s data, from being compromised.
Shore up device security
Even personal devices should be running security software, particularly if they access corporate resources. Security software capabilities should include the ability to protect against device takeover attacks, phishing attacks and other mobile device exploits.
Even further, QR code security risks are another reason to implement multifactor authentication (MFA) across all organizational apps and data. Ultimately, work to adopt authentication solutions that don’t rely on passwords alone. QR code-based attacks are often designed to trick users into entering their passwords, exposing them to cybercriminal credential stealing. Using other verification technologies, can help minimize this risk.
We are all a target
Because the lines between personal and workplace technology have blurred, IT teams must understand how adversaries abuse QR codes to gain entry into the IT environment and the risk that entails. It is vital to provide effective cybersecurity training that persuades users to stay vigilant, not only during their working hours but throughout the day. Inform them of the dangerous but common misconception that a regular user can’t be the target of cybercriminals. Any of us can become a way into the IT environment, and all of our smartphones and other devices are vulnerable to attacks.
Anthony Moillic, Director of Solutions Engineering EMEA and APAC at Netwrix
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.