
The risk with using QR codes and how to use them mindfully
The use of QR codes has likely spiked during the pandemic. They are not inherently unsafe, but they could be open to exploitation by cyber attackers, according to Anna Chung, principal cybersecurity researcher at Palo Alto Networks, writing for The Next Web.
She says Palo Alto Networks have observed cybercriminals in underground online forums discussing ways to abuse QR codes and target the everyday consumer.
“We also found open-source tools and video tutorials offering training on how to conduct attacks by using QR codes.”
PRECAUTIONS
To the naked eye, there is no way to tell if a QR code is being abused by cybercriminals, but there are many precautions one can take to avoid falling victim.
“Being used as a key tool for reducing touchpoints and contact tracing throughout the pandemic, enabling convenient and contactless data sharing. They are not inherently unsafe, but they could be open to exploitation by cyber attackers.”
They provide instant access to information such as websites and contact information. Users can log in to a Wi-Fi network without a password.
REDIRECTING
“These codes could offer an entryway to potential cyber-attacks because they don’t provide visibility into the webpage, application etc. behind them. Instead, they automatically redirect users to webpages, app stores to download apps, make payments and more which provides cybercriminals with opportunities to insert themselves into the process”.
“During the pandemic, Unit 42, the threat intelligence team at Palo Alto Networks, has observed cybercriminals in underground online forums discussing ways to abuse QR codes and target the everyday consumer. We also found open-source tools and video tutorials offering training on how to conduct attacks by using QR codes.”
ALTERNATIVES
Chung says there are several ways cybercriminals could leverage QR codes.
One method would be to hack into a business’s website and replace the QR code with their own. With QR codes looking so similar, a swapped code would be incredibly hard to spot.
“Scanning this code could automatically route unsuspecting consumers to a phishing URL, where cybercriminals could request user credentials and then take control of email or social media accounts for example.”
It could also lead users to a less legitimate app store where they might unknowingly download a malicious app.
Another cybercriminal technique is a honeypot. “Threat actors could set up an unsafe Wi-Fi network promising free internet to anyone that scans their QR code. Once a device is connected, hackers can eavesdrop or intercept the data being shared, and steal personally identifiable information, confidential business information, online banking credentials, and credit card information.”
PRECAUTIONS
Chung says business owners and IT administrators need to carry out regular integrity checks on their sites and apps to ensure the code and link they are providing is what they intend.
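An added example (not from the original article or from Palo Alto Networks) of the kind of integrity check described above: it compares each published QR image and its decoded payload with a recorded baseline. Decoding the image is assumed to be done by a separate scanner, and the names, URLs and image bytes are constructed sample values.

```python
import hashlib
from urllib.parse import urlsplit

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_payload(payload, intended_url):
    """Compare a decoded QR payload with the link the owner intended."""
    if payload.upper().startswith("WIFI:"):
        # Wi-Fi join payloads follow the "WIFI:T:<auth>;S:<ssid>;P:<pass>;;" convention.
        return ["payload joins a Wi-Fi network instead of opening a URL"]
    findings = []
    got, want = urlsplit(payload), urlsplit(intended_url)
    if got.scheme != "https":
        findings.append("scheme is %r, expected 'https'" % got.scheme)
    if got.username or got.password:
        findings.append("URL carries userinfo, which can disguise the real host")
    if got.hostname != want.hostname:
        findings.append("host %r differs from intended %r" % (got.hostname, want.hostname))
    elif payload != intended_url:
        findings.append("same host, but path or query differs from the intended link")
    return findings

def audit(baseline, published):
    """baseline: name -> (image sha256, intended URL).
    published: name -> (image bytes as served, payload decoded from that image)."""
    report = {}
    for name, (want_hash, intended_url) in baseline.items():
        image, payload = published[name]
        findings = check_payload(payload, intended_url)
        if sha256_hex(image) != want_hash:
            findings.insert(0, "image file changed since the baseline was recorded")
        report[name] = findings
    return report

# Constructed sample data: "menu" is untouched, "pay" has been swapped.
GOOD_MENU = b"constructed-bytes-of-menu-qr.png"
BASELINE = {
    "menu": (sha256_hex(GOOD_MENU), "https://shop.example/menu"),
    "pay": (sha256_hex(b"constructed-bytes-of-pay-qr.png"), "https://shop.example/pay"),
}
PUBLISHED = {
    "menu": (GOOD_MENU, "https://shop.example/menu"),
    "pay": (b"constructed-swapped-bytes", "http://shop.example@login.example.net/pay"),
}

if __name__ == "__main__":
    for name, findings in audit(BASELINE, PUBLISHED).items():
        print(name, "OK" if not findings else findings)
```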
Employers should also provide personnel with cybersecurity training to make them aware of the risks to the organisation as well as themselves. These include using strong and unique passwords for both personal and work accounts, setting up multi-factor authentication, and identifying phishing emails as well as unsafe virtual environments.
TAKEAWAYS
“We’ve all been taught to ‘think before we click’ on a suspicious link or email, but now it’s time to revisit this for QR codes – so think before you scan.”
“Make sure you only download apps from trusted sources such as Apple’s App Store or Google Play Store too. And continuously update all smart devices to benefit from the latest security protections.”
Her key takeaways:
- Think before you scan
- Check after you scan
- Be aware and alert
Moonshot News is an independent European news website for all IT, Media and Advertising professionals, powered by women and with a focus on driving the narrative for diversity, inclusion and gender equality in the industry.



