How attackers exploit QR codes and how to mitigate the risk

Attackers are taking advantage of the increased use of QR codes to steal sensitive information or conduct phishing campaigns. Here's what security teams and employees need to know.

Among the many technology impacts of the coronavirus pandemic is a rise in the use of QR codes. Naturally, bad actors are taking advantage of that opportunity, and of the weaknesses of the mobile devices that scan the codes, to launch attacks. Security teams need to be on top of this threat.

A research report released by mobile security platform provider MobileIron in September 2020 shows that QR codes pose “significant” security risks for enterprises and end users. The company surveyed more than 2,100 consumers in the US and UK, and nearly half (47%) said they’ve noticed an increase in QR code use. That’s in large part because the codes make life easier in a world in which contactless transactions have become desired or required.

A majority of those surveyed, 84%, said they have scanned a QR code, and one-third had scanned one within the past week. Consumers have scanned codes at retail stores, restaurants, bars and other establishments, and many want to see QR codes used more broadly as a payment method in the future.

At the same time, the report noted, more people are using their own unsecured devices to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work remotely. They’re also using their mobile devices to scan QR codes for everyday tasks, putting themselves and enterprise resources at risk, it said.

QR exploitation is simple and effective

Attackers are capitalizing on security gaps during the pandemic, the report says, and increasingly targeting mobile devices with sophisticated attacks. Users are often distracted when on their mobile devices, making them more likely to be victimized by attacks.

Attackers can easily embed in a QR code a malicious URL that serves custom malware, which can then exfiltrate data from the mobile device once the code is scanned and the payload is installed, the report says. They can also embed a URL that directs to a phishing site and encourages users to divulge their credentials.

“By their very nature, QR codes are not human readable. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective,” says Alex Mosher, global vice president at MobileIron.

Nearly three-quarters of those surveyed in the study can’t distinguish between a legitimate and a malicious QR code. While most are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate, the report said.

Mobile device attacks threaten both individuals and businesses, Mosher says. “A successful attack on an employee’s personal mobile device could result in that individual’s personal information being compromised or financial resources being depleted, as well as sensitive corporate data being leaked,” he says.

How attackers exploit QR codes

What can make QR code security threats especially problematic is the element of surprise among unsuspecting users. “I’m not aware of any direct attacks to QR codes, but there have been plenty of examples of attackers utilizing their own QR codes in the course of attacks,” says Chris Sherman, senior industry analyst at Forrester Research.

“The main issue is QR codes can initiate several actions on the user’s device, such as opening a website, adding a contact, or composing an email, but the user often has no idea what will happen when they scan the code,” Sherman says. “Normally you can view the URL before clicking on it, but this isn’t always the case with QR codes.”
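Sherman's point that the user usually cannot see which of these actions a code will trigger is something an app or an MDM scan hook can address by decoding the payload and previewing the action before it fires. The following is an added example written for this article, not code from MobileIron, Forrester or any product: it takes the string a scanner library decodes and classifies the common payload formats into the action the phone would take. The formats handled (web URL, mailto:, tel:, SMSTO:, WIFI:, MECARD:/vCard, geo:, app deep links) are the usual scanner conventions; the sample payloads are constructed, and hosts such as example.com and evil.example are placeholders.

```python
"""Show what a decoded QR payload would make the phone do, before doing it.

Added example for this article, not MobileIron's or Forrester's code. A
scanner library hands the app the decoded string; this classifies the common
payload schemes into the action the device would take, so a user or an MDM
scanner hook can see that action before it fires. Sample payloads are
constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class QrAction:
    kind: str                       # e.g. "open_url", "compose_email", "join_wifi"
    summary: str                    # one line for the preview dialog
    details: dict = field(default_factory=dict)
    risky: bool = False             # anything beyond viewing an https page is flagged


def _parse_kv_record(body: str) -> dict:
    """Parse 'KEY:value;KEY:value;;' records (WIFI:, MECARD:); '\\;' escapes ';'."""
    out = {}
    for m in re.finditer(r"([A-Z]+):((?:\\.|[^;])*);", body):
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return out


def classify_payload(payload: str) -> QrAction:
    p = payload.strip()
    low = p.lower()

    if low.startswith(("http://", "https://")):
        u = urlsplit(p)
        return QrAction("open_url", f"Open {u.scheme}://{u.hostname}{u.path}",
                        {"scheme": u.scheme, "host": u.hostname},
                        risky=u.scheme == "http")          # plain http: flag it

    if low.startswith("mailto:"):
        addr, _, query = p[7:].partition("?")
        q = {k: v[0] for k, v in parse_qs(query).items()}  # subject=, body=
        return QrAction("compose_email", f"Compose e-mail to {addr}",
                        {"to": addr, **q}, risky=True)

    if low.startswith("tel:"):
        return QrAction("place_call", f"Call {p[4:]}", {"number": p[4:]}, risky=True)

    if low.startswith(("smsto:", "sms:")):
        rest = p.split(":", 1)[1]
        number, _, text = rest.partition(":")             # SMSTO:number:message
        number, _, query = number.partition("?")          # sms:number?body=message
        text = text or parse_qs(query).get("body", [""])[0]
        return QrAction("send_sms", f"Text {number}: {text!r}",
                        {"number": number, "text": text}, risky=True)

    if low.startswith("wifi:"):
        kv = _parse_kv_record(p[5:])
        return QrAction("join_wifi", f"Join Wi-Fi {kv.get('S')!r} ({kv.get('T', 'open')})",
                        {"ssid": kv.get("S"), "password": kv.get("P"), "auth": kv.get("T")},
                        risky=True)                        # attacker-controlled network

    if low.startswith(("mecard:", "begin:vcard")):
        kv = _parse_kv_record(p[7:]) if low.startswith("mecard:") else {}
        return QrAction("add_contact", f"Add contact {kv.get('N', '(vCard)')}",
                        {"name": kv.get("N"), "tel": kv.get("TEL"), "url": kv.get("URL")},
                        risky=True)                        # seeds later vishing/phishing

    if low.startswith("geo:"):
        return QrAction("open_map", f"Show location {p[4:]}", {"coords": p[4:]})

    m = re.match(r"^([a-z][a-z0-9+.-]*):\S", low)          # intent://, market://, app schemes
    if m:
        return QrAction("app_deep_link", f"Hand off to app handling {m.group(1)}://",
                        {"scheme": m.group(1)}, risky=True)

    if re.match(r"^[\w-]+(\.[\w-]+)+(/\S*)?$", p):         # bare "example.com/x": scanners open it
        return QrAction("open_url", f"Open {p} (no scheme; scanner decides)",
                        {"scheme": None, "host": p.split("/")[0]}, risky=True)

    return QrAction("text", f"Plain text: {p!r}", {"text": p})


if __name__ == "__main__":
    samples = [  # constructed for the example
        "https://example.com/menu",
        "WIFI:T:WPA;S:Free Cafe;P:pass\\;word;;",
        "mailto:hr@example.com?subject=Payroll%20update",
        "SMSTO:+15551234567:Reply YES to confirm",
        "MECARD:N:Doe,John;TEL:+15551234567;URL:https://evil.example;;",
        "intent://scan/#Intent;scheme=zxing;package=com.example.app;end",
        "Table 12",
    ]
    for s in samples:
        a = classify_payload(s)
        print(("RISKY " if a.risky else "      ") + a.summary)
```

Everything that is not "open an https page" is marked risky, because joining a network, sending a text, adding a contact or handing off to another app changes device state or costs the user money, and none of it is visible in the printed square. A scanner app would show `summary` and require a tap before acting.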

A common attack involves placing a malicious QR code in public, sometimes covering up a legitimate QR code, and when unsuspecting users scan the code they are sent to a malicious web page that could host an exploit kit, Sherman says. This can lead to further device compromise or possibly a spoofed login page to steal user credentials.

“This form of phishing is the most common form of QR exploitation,” Sherman says. QR code exploitation that leads to credential theft, device compromise or data theft, and malicious surveillance are the top concerns to both enterprises and consumers, he says.

If a QR code leads to a payment site, users might enter passwords and other personal information that could fall into the wrong hands. “Many websites do drive-by download, so mere presence on the site can start malicious software download,” says Rahul Telang, professor of information systems at Carnegie Mellon University's Heinz College.

“Mobile devices in general tend to be less secure than laptops or computers,” Telang says. “Since QR codes are used on mobile devices, [the] possibility of vulnerability is higher too.” Because many of these mobile devices are used within the context of enterprise IT, the infiltration of the devices can become a security weak point for organizations, he says.

Recently the CEO of a British technology company warned the UK government about potentially serious flaws in the security of personal information and data used in a new contact tracing app that relies on QR code scanning. The technology can be subject to a process called “attagging” or cloning, according to Louis James Davis, CEO of VST Enterprises. With attagging, a genuine QR code is replaced by a cloned QR code that redirects users to a similar-looking website where personal data can be intercepted and breached.

How to mitigate the risk of QR code exploits

Individuals and organizations can take steps to help mitigate the risk of QR code security threats. Some of this involves using common sense.

For example, users can judge the legitimacy of a code before scanning it. “Before scanning a code, especially one on printed material in a public place, make sure it hasn’t been pasted over with a different—and potentially malicious—code,” Mosher says.

In fact, it’s best not to use QR codes that look to be altered in any way, Sherman says.

In addition, “pay attention to the URL you’re being directed to, although this is not always possible to do before visiting the site, as some codes won’t show the URL beforehand,” Sherman says. “Never log into an app using a QR code.”

Because phishing attacks are among the more significant risks with QR codes, users need to be vigilant in making sure they are on a legitimate site, Telang says. “Enterprises have to be careful and should have a unified endpoint solution that gives them [the] ability to secure every device without affecting productivity,” he says.

It’s also critical to have device security such as mobile threat defense and exploit protection on all devices used to access corporate resources, Sherman adds.

Another good practice is to make sure the organization presenting any QR codes to the public is legitimate. “If the source of the QR code seems sketchy, don’t scan,” Mosher says. It’s best to avoid URLs that differ from the legitimate URL of a company, especially if it redirects a user to a different site, he says.
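Mosher's advice to compare the destination against the company's legitimate URL, together with Sherman's earlier point that the URL is not always visible before the site loads, can be turned into a check that runs on the decoded URL before the browser opens it. The following is an added example for this article, not code from any vendor quoted here: it vets a decoded web URL against the domain the poster, receipt or menu claims to belong to, and reports the substitutions the article describes (a host outside the expected domain or a near look-alike of it, the expected name placed before an "@" in front of the real host, punycode hosts, link shorteners, plain http, and redirect-style parameters that bounce the user to another site). The redirect-parameter and shortener lists are assumptions, and all sample URLs, including example.com and evil.example, are constructed.

```python
"""Vet the web URL decoded from a QR code against the organisation that
printed it.

Added example for this article, not any vendor's code. Given the decoded URL
and the domain the poster or receipt claims, it returns a list of findings;
an empty list means nothing suspicious was seen. REDIRECT_PARAMS, SHORTENERS
and every sample URL are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Query names commonly used for "go somewhere else" parameters (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return",
                   "returnurl", "goto", "dest", "continue", "target", "u", "r"}
# A few public shorteners whose final destination is unknown until followed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def host_belongs_to(host: str, expected: str) -> bool:
    """True only for expected itself or a real subdomain of it (never a substring)."""
    host, expected = host.lower().rstrip("."), expected.lower()
    return host == expected or host.endswith("." + expected)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch 'examp1e.com'-style look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def vet_url(url: str, expected_domain: str) -> list[str]:
    """Return findings for a decoded QR URL vetted against expected_domain."""
    findings: list[str] = []
    u = urlsplit(url.strip())
    host = (u.hostname or "").lower()

    if u.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {u.scheme!r}: not a page at all")
    elif u.scheme == "http":
        findings.append("plain http: anything typed on the page travels unencrypted")

    if u.username is not None:                      # https://bank.example@evil.example/
        findings.append(f"userinfo {u.username!r}@ precedes the real host {host!r}")

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) host: possible homograph")

    if not host_belongs_to(host, expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain!r}")
        bare = host[4:] if host.startswith("www.") else host
        if 0 < _edit_distance(bare, expected_domain.lower()) <= 2:
            findings.append(f"{bare!r} is a close look-alike of {expected_domain!r}")

    if host in SHORTENERS:
        findings.append("link shortener: destination unknown until followed")

    # A legitimate host can still bounce the user elsewhere via a redirect parameter.
    for name, values in parse_qs(u.query).items():
        if name.lower() not in REDIRECT_PARAMS:
            continue
        for v in values:
            if v.startswith(("http://", "https://", "//")):
                hop = (urlsplit(v if "://" in v else "https:" + v).hostname or "").lower()
                if not host_belongs_to(hop, expected_domain):
                    findings.append(f"parameter {name!r} redirects to {hop!r}")
    return findings


if __name__ == "__main__":
    cases = [  # constructed sample URLs, all vetted against example.com
        "https://pay.example.com/order?id=42",
        "https://example.com.evil.example/login",
        "https://example.com@evil.example/login",
        "https://example.com/redirect?url=https://evil.example/login",
        "https://examp1e.com/login",
        "http://bit.ly/3xampl3",
    ]
    for c in cases:
        print(c, "->", vet_url(c, "example.com") or ["ok"])
```

The suffix test in `host_belongs_to` is the important detail: a naive "does the URL contain example.com" check passes `example.com.evil.example` and `example.com@evil.example`, which are exactly the forms an attagged code would use. The check says nothing about where a shortener or a redirect finally lands, so those are reported as unknowns rather than resolved.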

In general, cybersecurity and IT teams—and enterprises as a whole—need to be aware of the risks involved with QR codes. That’s especially true with the increasing use of mobile devices and apps.

“Use of mobile has become much more prevalent, especially during this pandemic,” Telang says. “Add this to the fact that QR code use has exploded as well. It is natural that unscrupulous hackers will try to take advantage of both these facts.”

Copyright © 2020 IDG Communications, Inc.
