Scan It! – QR Codes

My “Back-to-Basics Phishing Email Primer” mini-series finished yesterday over on Smart Thinking, and reviewing the project as I was writing my concluding chapter, I saw that several of the phishing emails featured used QR codes as bait in their traps. Today we are going to briefly look at how the QR code – that is everywhere – can be subverted easily by threat actors.

First, why QR codes?

Marketing and web designers love them and so upsell them to clients at every opportunity and why not, I use one – here. Rather than having to type my contact details into your phone, scan them in. QR codes are popular as they save the user having to type something, reducing errors and ensuring that the sales message, vCard, website etc. gets through. The QR code started as just a way to pass on a URL, but now it has morphed into a universal way to transfer various types of information including, location, event, Bitcoin, MP3s, email, phone numbers, feedback, app store etc.. (QRCode Monkey, 2024)

Of course it took no time at all for the threat actors to start to subvert QR codes.

The easiest QR scam…

Swap a publicly accessible QR code for a malicious one. This happened to one of our clients, who had a QR code in their window. A local band stuck their own code, promoting a concert, over the legitimate one. Now this was annoying rather than a cyber crime, but it could just as easily have taken the victim to a spoof website, “selling tickets” and stealing information. (Kan, 2022)

QR codes as bait…

There is something about a QR code that is enticing, you want to scan it and see what you get. This is one of the reasons that they are appearing more and more in phishing emails. They make good bait, especially when endorsed by DocuSign.

Scan It! – QR Codes Cyber Awake

In this one special case – this is a phishing email QR code that you should scan with your phone.

Defending against malicious QR codes

This is one cyber security defence that is basically common sense. If a QR code is on a sticker be very scared. When printed on your crisp packet, or on the menu of your local takeaway restaurant you are pretty safe. As a business or organisation you should take care where you use QR codes and keep an eye on them to make sure sticker hacker has not been visiting.

Next…

I am having a break next week, see you in two weeks.


Clive Catton MSc (Cyber Security) – 
by-line and other articles

References

QRCode Monkey. (2024). Free QR Code Generatorhttps://www.qrcode-monkey.com/#more

Kan, M. (2022). FBI: Hackers Are Compromising Legit QR Codes to Send You to Phishing Sites. PCMag UK. https://uk.pcmag.com/security/138235/fbi-hackers-are-compromising-legit-qr-codes-to-send-you-to-phishing-sites

Further Reading

Phishing Email – It is about time we looked at some… (pt.8)

Phishing Emails are happening right now! (pt.11)

Featured photo by Pixabay