Len Noe, technical evangelist and white hat hacker at CyberArk

Nowadays it seems that there is a QR code for everything, and it is actually true. In the age of contactless, these little black-and-white symbols have emerged from relative obscurity to replace everything from restaurant menus to store coupons to subway station ads. They have become the ultimate business card, the digital event pass and even a virtual payment option. Governments around the world have even adopted them to facilitate contact tracing and verification of vaccination status. QR codes are accessible, easy to produce and, apparently, here to stay. They are also a perfect way for cybercriminals to steal your personal information. Here's what you need to know before scanning that code with your smartphone.

What is a QR code?

Short for quick response codes, QR codes are a type of two-dimensional barcode that contains data, often a locator, identifier or tracker. They can be easily read by a smartphone or other camera-equipped device and converted into useful information for the user, such as the URL of a website or application. QR codes were first invented in 1994 by an automotive company to track the components of a car, but their ease of use and greater storage capacity (up to 2,500 characters compared to 43 in a conventional barcode) soon made them popular in other industries as well. It wasn't until after COVID-19, however, that QR codes became truly ubiquitous.

3 attack simulations with QR codes

More than two years of cyber attacks in the pandemic era have made many users more cautious in their digital activities. Emails, calls and even text messages are scrutinized carefully, forcing many attackers to step up their phishing strategies. Still, QR codes are not considered potentially dangerous, and most people scan them without a second thought.
An example: in January 2022, the FBI sounded an alarm that hackers were tampering with legitimate QR codes to redirect victims to malicious sites that stole login and financial information. Within weeks, during the Super Bowl, more than 20 million people scanned a single mysterious QR code shown in one unnamed company's commercial in the space of a minute. This is bad news. Let's analyze three attack examples.

Attack example with QR code number 1: job searches and forms to fill out

To start, the hacker can create a fake job advertisement and leave these QR codes in different bars (as shown in the picture). The sheet contains the details of an event and a QR code, which looks genuine, that leads the user to a portal to enter their data and apply for the open position. It is very easy for a hacker to create a fake job advertisement site to steal victims' information. The user enters their data thinking it will be shared with the human resources manager... instead it goes directly into the hands of the hacker. How often do we fill out an online form? It is very difficult to know where the answers will be sent, so it is essential to proceed with the utmost caution.

Attack example with QR code number 2: green pass or phone compromise?

For a hacker the ultimate goal is to interact with and take control of the victim's device. This can be done via a reverse shell attack, or "connect-back shell", which exploits vulnerabilities in the target system to start a shell session and gain access to the victim's device. In this attack example, we used a Metasploit Meterpreter shell to spoof the COVID certificate application used abroad. By scanning the QR code, the victim is redirected to what looks like the Google Play store and tricked into installing the application. Too bad it's a "fake" Google Play...
After the user starts the installation, the attacker has a connection to the device. With this type of access, the hacker can log in at will to do anything from downloading call and SMS logs to taking photos with the camera. In other words, everything you can do on the phone, he can do too. Disquieting? Absolutely. Easy for a hacker to pull off? Unfortunately, yes.

Attack example with QR code number 3: the phishing attack you don't expect

When you sit down at a restaurant and see a QR code on the table, you are likely to scan it without thinking, expecting it to take you to the menu. But what if the same QR code were embedded in an email from a person you don't know? Would you be just as quick to scan it, or would it make you think? Attackers bet you will not be so careful, and too often they are right. Here is a comparison between two QR codes. Can you spot the difference? One will take you to the menu on a restaurant's website, the other somewhere else entirely. Cyber criminals can clone a legitimate login QR code and point it at a phishing website that looks almost identical to the real one, except for the different URL. When the victim scans the QR code, they are taken to a malicious site that uses the BeEF suite, giving the attacker control of the victim's device. The attacker now has access to multiple attack vectors and numerous ways to exfiltrate user data, such as current GPS location, device type, SIM card data and other sensitive information. With some additional social engineering tricks, the attacker could go even further. Using spear-phishing on the device, he could spoof the victim's password manager. After the victim enters the username and password, the attacker could access the user's entire password vault. That's it.

QR code attacks are on the rise: 7 tips to defend yourself

Last fall, the private key used to sign the European Union's Green Passes was reportedly leaked or counterfeited.
Within a few days, fake green passes with QR codes signed with the stolen key were on sale on the dark web. In China, scammers have been caught putting fake parking tickets on parked cars, complete with QR codes for easy mobile payment of the fines. In the Netherlands, a QR code scam exploited a legitimate feature of a mobile banking application to defraud the bank's customers, while in Germany, fake emails containing QR codes lured e-banking customers to malicious websites under the pretext of reviewing updates to their accounts' privacy policies. In Texas, criminals took to the streets, pasting stickers with malicious QR codes on the city's parking meters and tricking residents into entering their credit card information on a phishing site. Attacks using QR codes occur everywhere with alarming frequency. Here are seven ways to protect yourself:

1. Do not scan! If something seems strange, do not scan the QR code. Go directly to the actual website. Any legitimate QR code should come with an associated URL that lets users navigate directly to the site. If it is missing, be careful.

2. Slow down. Before scanning any QR code, ask yourself: do I know who put it there? Am I sure it hasn't been tampered with? Does it make sense to use a QR code in this situation?

3. Carefully examine the URLs of QR codes. After scanning the code, check the URL it points to before proceeding. Does it correspond to the organization associated with the QR code? Does it look suspicious, or does it include strange spelling or typos? For example, in the Texas parking meter scam, part of the URL used was "passportlab.xyz", clearly not an official government site. You can also do a quick web search for the URL to confirm that the QR code is legitimate.

4. Look for signs of physical tampering. This is especially important in places where QR codes are commonly used, such as restaurants.
If you notice a QR code sticker pasted over another code, be very skeptical.

5. Never download applications from QR codes. Attackers can easily clone and spoof websites. Always go to the device's official application store and download applications from there.

6. Do not make electronic payments via QR code. It is better to use the native app or access the payment through the bank's official website.

7. Enable multi-factor authentication (MFA). This helps protect sensitive accounts, such as banking, email and social media apps. With another layer of authentication, a cybercriminal cannot access user data with only a username and password.

As for QR codes, the best advice is to always use common sense. If it were an email, would we click on just any link? QR codes are becoming one of attackers' preferred phishing methods, and the same rules apply. Proceed with caution and apply the same security checks you use elsewhere in the digital realm. Scan safely or, better yet, don't scan at all!
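Tip 3 is the one that can be partly automated: a scanner app hands you the decoded payload, and a few checks on that string catch most of the situations the article describes (a URL that does not belong to the organization that supposedly posted the code, a typo-squatted or look-alike domain, a shortener or raw IP address that hides the real destination, a payload that is not a web link at all). The script below is an added example, not code from the article or from CyberArk. The expected domains, the `SHORTENERS` list and the sample payloads are constructed for illustration (the `passportlab.xyz` sample echoes the domain quoted in the article), and the registrable-domain helper is a crude "last two labels" approximation rather than a public-suffix lookup.

```python
"""Vet the string decoded from a QR code before following it.

Added example, not part of the original article. A scanner app gives us the
decoded payload; these checks mirror the article's advice to inspect the URL
before proceeding. All domains and payloads below are constructed samples.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import ipaddress

# Constructed list of common shortener domains (hide the real destination).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


@dataclass
class Verdict:
    url: str
    host: str
    matches_expected: bool          # registrable domain == the one we expected
    findings: list = field(default_factory=list)  # human-readable red flags

    @property
    def safe_to_follow(self) -> bool:
        return self.matches_expected and not self.findings


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def vet_qr_payload(payload: str, expected_domain: str) -> Verdict:
    """Return a Verdict for a decoded QR payload.

    expected_domain is the registrable domain of the organization that
    supposedly posted the code (e.g. the bank, the city parking authority).
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    findings = []

    if parts.scheme.lower() not in ("http", "https") or not host:
        # QR codes can also carry tel:, sms:, wifi: or plain text; those need
        # their own review and should never be treated as a web link.
        return Verdict(payload, host, False, [f"not a web URL (scheme {parts.scheme!r})"])
    if parts.scheme.lower() != "https":
        findings.append("plain http, not https")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if parts.username or parts.password:
        findings.append("credentials embedded before '@' in the URL")
    if any(ord(c) > 127 for c in host) or host.startswith("xn--") or ".xn--" in host:
        findings.append("internationalized/punycode hostname (possible homoglyph)")

    reg = _registrable(host)
    if reg in SHORTENERS:
        findings.append("URL shortener hides the real destination")
    matches = reg == expected
    if not matches:
        distance = _edit_distance(reg, expected)
        if 0 < distance <= 2:
            findings.append(f"hostname {reg!r} is a near miss of {expected!r} (typosquat?)")
        elif expected.split(".")[0] in host:
            findings.append(f"expected brand name appears inside unrelated domain {reg!r}")
        else:
            findings.append(f"destination {reg!r} does not belong to {expected!r}")
    return Verdict(payload, host, matches, findings)


if __name__ == "__main__":
    # Constructed samples: (decoded payload, who we believed posted the code)
    samples = [
        ("https://pay.examplebank.com/login", "examplebank.com"),
        ("http://examplebank.com.evil.xyz/verify", "examplebank.com"),
        ("https://exampelbank.com/login", "examplebank.com"),
        ("https://passportlab.xyz/pay", "cityparking.example"),
        ("https://bit.ly/3abcXYZ", "examplebank.com"),
        ("tel:+15555550100", "examplebank.com"),
    ]
    for payload, expected in samples:
        v = vet_qr_payload(payload, expected)
        status = "OK" if v.safe_to_follow else "DO NOT FOLLOW"
        print(f"{status:14} {payload}")
        for f in v.findings:
            print(f"{'':14}  - {f}")
```

The checks deliberately stop at inspection: nothing is fetched, so a malicious destination is never contacted during vetting. A production version would replace `_registrable` with a public-suffix list lookup and take `expected_domain` from the context of the scan (the bank's real domain for a banking QR, the city's payment domain for a parking meter) rather than from the QR payload itself.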
By Len Noe, technical evangelist and white hat hacker at CyberArk