QR Codes

By Kristin Thomas on November 8, 2024

Executive Summary

QR codes offer a convenient mechanism to distribute information for both benign and malicious purposes. Malicious QR codes can distribute malware and steal sensitive information, and threat actors have developed techniques to bypass text-based and image-based detection methods. As a best practice, users should remain vigilant with QR codes to minimize their attack surface from this vector: vet URLs before visiting them, avoid codes of unknown origin, and abstain from entering sensitive information on sites reached through a code. Antimalware that combines image-based and text-based detection is more effective at analyzing codes than either method alone.

Background

Many businesses and organizations use Quick Response, or QR, codes to connect users to information [3]. These codes are used for event ticketing, restaurant menus and airline boarding passes [4]. They became even more widespread as a result of the Covid-19 pandemic, as a means to reduce the spread of germs through physical contact [5]. When a user scans a QR code, they are most commonly redirected to a URL.

This attack vector can be used to launch malware, redirect users to malicious websites, or harvest credentials or other sensitive information [1]. When combined with other techniques, the lure's credibility can be enhanced. For example, attackers can host malicious content on legitimate platforms [2]. If a target uses Microsoft 365 and interacts with a malicious page hosted on Microsoft Sway, they are less likely to question the validity of the code. Once the linked page is visited, it can steal the user's credentials via the system's single sign-on technology.

There are two main dynamics at play that make QR codes a good vector choice for threat actors: convenience and covertness. These codes provide a convenient way to bypass antimalware technology. Mobile environments are typically less protected than standard computers: an email server or desktop may filter out malware, but a mobile phone is unlikely to have such protections. Over time, people have become accustomed to receiving and vetting scam phone calls, texts, and paper and electronic mail, but they may not carry the same reserve for QR codes. Since the technology is fairly recent, the general population may simply not have acclimated to the need to use discretion.

As the cyber community works to develop QR code malware detection technology, threat actors work to stay ahead. For example, much antimalware focuses on image detection. Since these codes were traditionally embedded as images, this was a sound strategy. However, threat actors began shifting from images to Unicode, drawing the code out of text characters rather than an image file. Such a code is unlikely to be detected visually or by image-based QR malware analysis. Users on standard computers must still remain vigilant, as image-based codes may bypass standard email antimalware that focuses on text scans.
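To show why text-based detection complements image scanning, here is an added example (not code from the article or from any product it mentions): a heuristic detector that finds a QR code drawn with Unicode half-block glyphs inside message text, checks the QR finder pattern, and runs against a constructed lure. All names (detect_text_qr, SAMPLE_EMAIL and the helpers) and the sample message are assumptions of this example.

```python
DARK, TOP, BOTTOM = "\u2588", "\u2580", "\u2584"   # █ ▀ ▄ glyphs of a half-block rendering
LIGHT = {" ", "\u00a0", "\u3000"}                   # space-like glyphs used for light modules
FINDER = ["1111111", "1000001", "1011101", "1011101", "1011101", "1000001", "1111111"]

def to_modules(lines):
    """Expand half-block text rows into 0/1 module rows (two module rows per text row)."""
    width = max(len(l) for l in lines)
    return [[int(c in darks) for c in l.ljust(width)]
            for l in lines for darks in ((DARK, TOP), (DARK, BOTTOM))]

def trim(rows):
    """Strip the all-light quiet zone so the symbol's first module sits at (0, 0)."""
    keep = [i for i, r in enumerate(rows) if any(r)]
    rows = rows[keep[0]:keep[-1] + 1] if keep else []
    lo = min((r.index(1) for r in rows if 1 in r), default=0)
    hi = max((len(r) - r[::-1].index(1) for r in rows if 1 in r), default=0)
    return [r[lo:hi] for r in rows]

def detect_text_qr(body):
    """Return the module size (21, 25, ...) of a QR-shaped glyph grid in body, else None."""
    run = []
    for line in body.split("\n") + [""]:             # "" sentinel flushes the final run
        if len(line) >= 21 and set(line) <= {DARK, TOP, BOTTOM} | LIGHT and set(line) - LIGHT:
            run.append(line)
            continue
        if len(run) >= 11:                           # 21 module rows need 11 half-block rows
            m = trim(to_modules(run))
            n = len(m)
            if n >= 21 and (n - 17) % 4 == 0 and all(len(r) == n for r in m) \
                    and all("".join(map(str, m[i][:7])) == FINDER[i] for i in range(7)):
                return n
        run = []
    return None

def constructed_symbol(n=21):
    """Constructed QR-shaped matrix: three finder patterns plus filler; not a decodable code."""
    m = [[int((i * 7 + j * 3) % 5 < 2) for j in range(n)] for i in range(n)]
    for i, j in [(i, j) for i in range(7) for j in range(7)]:
        m[i][j] = m[i][n - 7 + j] = m[n - 7 + i][j] = int(FINDER[i][j])
    return m

def render_half_blocks(m):
    """Draw a module matrix as ▀▄█/space text, the way text-rendered codes arrive in mail."""
    glyph = {(1, 1): DARK, (1, 0): TOP, (0, 1): BOTTOM, (0, 0): " "}
    pairs = [(m[i], m[i + 1] if i + 1 < len(m) else [0] * len(m)) for i in range(0, len(m), 2)]
    return "\n".join("".join(glyph[t, b] for t, b in zip(top, bot)) for top, bot in pairs)

# Constructed lure: prose, an indented text QR (the indent acts as a quiet zone), more prose.
SAMPLE_EMAIL = ("Your mailbox password expires today. Scan to keep access:\n\n" + "\n".join(
    "    " + r for r in render_half_blocks(constructed_symbol()).split("\n")) + "\n\nIT Helpdesk\n")
```

A mail filter would run detect_text_qr over the decoded text body alongside its image scanner; a non-None result marks the message for the same QR handling an attached picture would get.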

Impact

QR code usage is widespread in many service environments, which provides attackers with numerous opportunities. In the first 14 days of 2024, Check Point Software Technologies found 20,000 phishing cyberattacks that involved QR codes. Attackers can easily stick fraudulent QR codes over legitimate media or use reputable platforms to exploit user trust.

Mitigation

Users must use discretion when interacting with QR codes. It is a best practice to always verify the validity of a QR code with the original publisher to ensure that the code has not been tampered with. Any code of unknown origin should be strictly avoided. Smartphones usually give a preview of a code's link before redirecting to the website. At that step, users should examine the preview for any recognizable oddities. Users should also examine the URL before visiting, even if QR antimalware has scanned the code. Threat actors can use typosquatting to register a domain name that looks similar to a legitimate website's, tricking users into visiting it. Additionally, sites that use https in the address are more secure than those that use http. As with any social engineering attack, users can mitigate scams by avoiding giving or entering any sensitive information to any entity reached via redirection, even if the website looks legitimate.
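The URL checks described above, as an added example that is not part of the original article: it flags a non-HTTPS scheme, punycode labels, and typosquats within edit distance 2 of a constructed list of domains the user expects to land on. EXPECTED, vet_url and the helper names are choices of this example, and the registrable-domain guess is deliberately crude.

```python
from urllib.parse import urlsplit

EXPECTED = {"example.com", "login.example.com"}  # constructed list: domains the user expects

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable-domain guess (last two labels); enough for .com-style names."""
    return ".".join(host.lower().split(".")[-2:])

def vet_url(url, expected=EXPECTED):
    """Return a list of warnings for a URL decoded from a QR code; [] means it passed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if not host:
        return warnings + ["no host in URL"]
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible homograph)")
    bases = {registrable(e) for e in expected}
    base = registrable(host)
    if base in bases:
        return warnings                       # genuine expected domain (or a subdomain of it)
    for good in sorted(bases):
        d = edit_distance(base, good)
        if d <= 2:
            warnings.append(f"lookalike of {good} (edit distance {d})")
        elif good.split(".")[0] in host:      # brand name buried in an unrelated domain
            warnings.append(f"uses the {good.split('.')[0]} name but is not {good}")
    return warnings
```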

Relevance

QR code usage online and offline provides a convenient mechanism to distribute information for both benign and malicious purposes. This information is just as convenient for intended users as it is for attackers. Attacks through this vector tend to be designed to establish a high degree of credibility, which users readily trust. Users must remain vigilant regardless of the apparent credibility of QR codes in order to protect their information and devices.

References

[1] Ahmed, D. (2024, August 27). New Unicode QR Code Phishing Scam Bypasses Traditional Security. HackRead. https://hackread.com/unicode-qr-code-phishing-scam-bypasses-security/

[2] Lakshmanan, R. (2024, August 28). New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials. The Hacker News. https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.html

[3] Majestic, M. (2024, February 22). Protecting Yourself from QR Code Fraud. Social Security Administration. https://blog.ssa.gov/protecting-yourself-from-qr-code-fraud/

[4] Puig, A. (2023, December 6). Scammers hide harmful links in QR codes to steal your information. Federal Trade Commission Consumer Advice. https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information

[5] Stathis, J. (2024, October 7). How to Spot a Fake QR Code and Avoid Getting Scammed. Reader’s Digest. https://www.rd.com/article/fake-qr-code/