Anti-vax Hijack Shows QR Code Vulnerability

By ISBuzz Team
Writer, Information Security Buzz | Apr 30, 2021 11:04 am PST

Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police in South Australia. The perpetrator, who has been arrested, now faces two counts of “obstructing operations carried out relative to COVID-19 under the Emergency Management Act”. However, some reports of similar activity suggest that this arrest may just be a drop in the bucket. While no personal data was breached in this particular incident, it highlights the ease of QR code scams: all an attacker needs is a printer and a pack of labels to do real damage. In this case, the QR codes were being used by the South Australian government’s official CovidSafe app to access a device’s camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak.

Despite the apparent ease with which they can be abused, QR code use is on the rise. Earlier this month, Ivanti released a report that found 57 percent of survey respondents across China, France, Germany, Japan, the U.K. and the U.S. had increased their QR code usage since March 2020.

1 Expert Comment
Jake Moore, Global Cyber Security Advisor
April 30, 2021 7:30 pm

The rise of QR codes in the pandemic has unfortunately provided an opportunity for abuse by cybercriminals, who can easily intercept this widely used technology. Being able to point your phone’s camera at a code without any contact and be redirected to a website is an extremely effective tool – especially when prioritising infection control – but whenever something so convenient becomes more popular, malicious actors are never far behind looking at ways to exploit it. It’s long been recommended that people look at a web address in email links before clicking on it, but QR codes have removed that level of protection – as malicious usage is harder to spot – and give bad actors the upper hand.

It is important to remember how easily QR codes can be tampered with, so it’s always worth checking to see if they have been obstructed with a sticker. Shortened links equally offer limited protection. You can often find the genuine site by searching for it elsewhere or typing it in. However, if a perilous code ever takes you to a website that may not be as expected, the best advice is to kill the session immediately and refrain from entering any further information.

Last edited 2 years ago by Jake Moore
