A QR code (short for Quick Response code) is a type of barcode that can be scanned by one’s smartphone camera. It stores data like text, URLs, or contact information in a machine-readable format.
When you point your smartphone camera at a QR code, the phone's software recognizes the pattern of black and white squares. It then converts the code into whatever data is encoded - usually a link, app download, contact, etc.
QR codes provide us with a quick and convenient way to pull up information on our mobile devices, and we often scan them without giving it a second thought. How often have you scanned a QR code at a restaurant to instantly view the menu?
QR codes are a great convenience, but what we often fail to realize is that convenience can come with risk. QR codes are no different and now present a growing phishing risk known as “quishing”. Bad actors are using fake QR codes as a weapon to steal data or distribute malware. In this post I will break down how quishing works and provide tips on how to protect yourself from falling victim to this type of cyber-attack.
Weaponizing QR Codes
As previously stated, QR codes encode data as a scannable barcode. That convenience also makes it easy for attackers to create malicious QR codes that redirect unsuspecting users to phishing sites.
Malicious actors print fake codes on flyers, advertisements, or stickers and post them in public areas. When an unsuspecting user scans the code, instead of the expected destination they are sent to a malicious phishing site, controlled by the attacker, and the victim gets tricked into entering credentials, downloading malware, or possibly opening a backdoor for their device to be taken over.
Here is a simple example of how a malicious QR code may be weaponized:
1. The attacker registers a domain name that looks similar to a legitimate site, like "amaz0n.com" instead of "amazon.com".
2. The attacker creates a phishing site at that domain impersonating the target brand (Amazon in this case).
3. The attacker generates a QR code that encodes a URL link to their fake domain. For example:
QR code ---> http://amaz0n.com
4. The attacker then prints this malicious QR code on a flyer or sticker and posts it in a public place. They may pretend to offer a discount or special offer to entice victims to scan it.
5. A user scans the code with their smartphone camera, expecting to visit the real Amazon site. But the QR code directs their browser to the fake site instead.
6. At the fake site, the user gets phished for login credentials or prompted to download malware disguised as a legitimate app.
Recent Real-World Examples
While QR code technology itself is decades old, weaponizing it for phishing appears to be a more modern attack method. One of the earliest documented quishing campaigns was observed in China in 2017, where malicious actors posted fake QR codes to steal login credentials from users of the digital payment platform Alipay. In 2018, security researchers identified malicious QR codes targeting cryptocurrency owners. The QR codes were weaponized to steal digital wallet private keys, allowing attackers to steal the funds of the victim. And most recently, in September of 2023, the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warned of two recent phishing campaigns involving QR codes. The campaigns involved phishing emails impersonating IT departments, indicating that the user could scan the QR code to initiate updates or maintenance of 2FA (two-factor authentication), allowing attackers to bypass the 2FA protection a victim had in place.
Staying Safe from Quishing
As with phishing attacks, the key defense when it comes to quishing is user awareness. Users need to use caution before scanning any QR code. Things one can do to protect oneself are:
· Examine the QR code and verify the source. Does the URL domain or app name seem legitimate?
· Search online for recent alerts about scams for that brand.
· Only scan codes directly from trusted sources like official brand ads or known establishments.
· Look out for typosquatting sites like amaz0n instead of amazon.
· Consider disabling automatic QR code scanning in your camera app settings, or use a QR code scanner with security features. Some QR code scanner apps have built-in security features that can check URLs for authenticity and flag potential threats.
· Keep device software up-to-date and use a security app to block known malicious sites.
· Report Suspected Phishing. If you encounter a suspicious QR code or website, report it to relevant authorities or the organization being impersonated.
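The kind of URL check a security-aware scanner can run on the text decoded from a QR code, shown as an added example (not code from any particular scanner app). The allowlist, look-alike table and distance threshold are assumptions chosen for illustration, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist of brand domains to protect (constructed for this example).
TRUSTED = {"amazon.com", "alipay.com"}
# Common digit/letter look-alikes used in typosquats such as "amaz0n".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_qr_payload(payload: str) -> list[str]:
    """Return warnings for the text decoded from a QR code (empty list = none found)."""
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not a web URL"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        warnings.append("userinfo before '@' hides the real host")
    host = parts.hostname
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode (internationalised) hostname")
    domain = registrable(host)
    if domain in TRUSTED:
        return warnings
    for brand in sorted(TRUSTED):
        if domain.translate(LOOKALIKES) == brand:
            warnings.append(f"look-alike of {brand}")
        elif edit_distance(domain, brand) <= 2:
            warnings.append(f"close misspelling of {brand}")
        elif brand.split(".")[0] in host.split("."):
            warnings.append(f"brand name of {brand} used as a subdomain")
    return warnings
```

An empty result only means none of these heuristics fired; it does not mean the destination is safe.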
Conclusion
While QR codes offer speed and utility when used properly, the convenience has unfortunately made them an ideal attack vector to take advantage of unsuspecting users. Being aware, vigilant, and utilizing common sense is key to avoid falling victim to this new type of attack, and as quishing threats continue to rise, “QR hygiene” will be crucial to avoid becoming a victim.