Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police in South Australia. The perpetrator, who has been arrested, now faces two counts of “obstructing operations carried out relative to COVID-19 under the Emergency Management Act”. However, some reports of similar activity suggest that this arrest may just be a drop in the bucket. While no personal data was breached in this particular incident, it highlights the ease of QR code scams: all an attacker needs is a printer and a pack of labels to do real damage. In this case, the QR codes were being used by the South Australian government’s official CovidSafe app to access a device’s camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak.

Despite the apparent ease with which they can be abused, QR code use is on the rise. Earlier this month, Ivanti released a report that found 57 percent of survey respondents across China, France, Germany, Japan, the U.K. and the U.S. had increased their QR code usage since March 2020.

Expert Comments

April 30, 2021
Jake Moore
Cybersecurity Specialist
ESET

The rise of QR codes in the pandemic has unfortunately provided an opportunity for abuse by cybercriminals, who can easily intercept this widely used technology. Being able to point your phone’s camera at a code without any contact and be redirected to a website is an extremely effective tool – especially when prioritising infection control – but whenever something so convenient becomes more popular, malicious actors are never far behind looking at ways to exploit it. It’s long been recommended that people look at a web address in email links before clicking on it, but QR codes have removed that level of protection – as malicious usage is harder to spot – and give bad actors the upper hand.

It is important to remember how easily QR codes can be tampered with, so it’s always worth checking to see if they have been obstructed with a sticker. Shortened links equally offer limited protection. You can often find the genuine site by searching for it elsewhere or typing it in. However, if a perilous code ever takes you to a website that may not be as expected, the best advice is to kill the session immediately and refrain from entering any further information.
