How QR code ease of use has broadened the attack surface

In this interview with Help Net Security, Neil Clauson, Regional CISO at Mimecast, talks about the threat of QR code phishing, explains the vulnerabilities of the technology, and describes how to make sure you do not fall prey to such attacks.


The pandemic has resurrected QR codes’ popularity, hence making them an interesting target for cybercriminals. How are they abusing this technology?

The pandemic has certainly accelerated the incredible increase of QR code use, and they are now being used for everything from viewing restaurant menus, to accessing information on pieces of mail, and even to check into COVID-19 testing and vaccination appointments.

QR codes are also increasingly being used by threat actors to try to trick victims into revealing sensitive information or to deliver malware to their systems. Email is still a very common delivery method, but no matter the delivery mechanism, QR code phishing can be used to steal users’ credentials, make fraudulent online payments, unlock encrypted voicemails, or even initiate phone calls!

In fact, the issue has become so prevalent and concerning that just last month the FBI issued a warning to Americans to be on alert for these types of attacks. Specifically, the FBI warned of QR code schemes intended to send unsuspecting victims to a malicious site where their login and sensitive financial information can be stolen. And in the case of QR codes being used as a form of payment, the FBI warned that cybercriminals can use tampered QR codes to redirect payments, stealing victim funds for their own personal use.

This is especially concerning given that more people are using their work-issued devices for personal use, which opens up an entirely new attack vector for cybercriminals.

What makes QR codes vulnerable?

A QR code can easily be embedded anywhere an image can: into the body of an email, as an attachment, printed onto a sticker, or in a website. And just like a malicious URL, they are designed to blend in and not make an unsuspecting user think twice before scanning it.

Legitimate QR codes are typically leveraged for their ease of use – you simply point your phone’s camera at the code and it’s instantly scanned, taking you to the desired webpage. These codes seem so convenient on the surface (QR does stand for “quick response,” after all), but that’s really what makes them so attractive as a threat vector. It’s easiest to trick someone when they aren’t suspecting it.

How can QR codes be used to execute a phishing attack?

A QR code’s ease of use is also what makes it so dangerous. For example, an end user may find an email in their inbox containing a malicious QR code. One scan of that code and suddenly the user is taken to a website asking them to provide credentials, install software, or worse.

What can be done to prevent such attacks?

Making sure employees are trained to question QR codes before scanning them is key to preventing these attacks. In general, any QR code in an email should be considered suspicious – a legitimate sender would have just sent the actual URL, so a sender who uses a QR code instead is most likely trying to circumvent URL scanning solutions, many of which do not currently analyze QR codes.

A strong, multi-layered set of security solutions will resist many types of cyber threats, but as always, end users are the final line of defense against clever attackers. Awareness training begins with teaching end users that QR codes can be used in phishing scams, and then giving them the skills to identify and report anything suspicious to their IT and Security teams. Those teams can be instrumental in early mitigation and recovery, before an issue becomes more widespread.

Human error can play a major role when it comes to all types of cyber threats, and making sure employees are educated, aware, and thinking twice before clicking or scanning QR codes and links is key to preventing a successful attack.
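The point above about URL scanners that never see the link inside a QR image can be put into a mail-gateway check. The following is an added example, not Mimecast's code and not from the interview: it assumes that QR images in a message have already been decoded to their text payload by a separate decoder (for instance a zbar-based tool), and it then runs each payload through the same kind of triage a plain-text URL would get. The trusted-domain list, shortener list, and sample message are constructed for the example.

```python
"""Triage of decoded QR payloads found in inbound email.

Added example, not Mimecast's code and not from the interview. It assumes
the QR images in a message have already been decoded to their text payload
by a separate decoder (for instance a zbar-based tool); decoding itself is
out of scope. All domains and sample messages below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed: domains the organisation legitimately links to (assumption).
TRUSTED_DOMAINS = {"example-corp.com", "sso.example-corp.com"}
# Constructed: link shorteners, which hide the final destination from scanners.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}
# Schemes that trigger a device action (call, text, join wifi) instead of a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "mmsto", "wifi", "facetime"}
# Query parameters commonly used to bounce a visitor on to another site.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "target", "dest"}
CREDENTIAL_WORDS = ("login", "signin", "verify", "password", "account")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hosts_in_text(text: str) -> set:
    """Hostnames of every http(s) URL written out as plain text in the body."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def triage_qr_payload(payload: str, visible_hosts=frozenset()) -> dict:
    """Classify one decoded QR payload as allow / review / block, with reasons.

    visible_hosts: hostnames that also appear as plain-text links in the same
    mail. A QR whose target is never written out is the pattern the interview
    describes: the sender could simply have sent the link.
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    reasons = []

    if scheme in ACTION_SCHEMES:
        return {"verdict": "block", "reasons": [f"device action scheme '{scheme}:'"]}
    if scheme not in ("http", "https"):
        return {"verdict": "review", "reasons": [f"unrecognised scheme '{scheme or 'none'}'"]}

    host = (parts.hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        reasons.append("link shortener hides final destination")
    elif host not in TRUSTED_DOMAINS:
        reasons.append(f"untrusted host '{host}'")
    if host not in visible_hosts:
        reasons.append("link exists only inside the QR image, not as text")

    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any(urlsplit(v).scheme for v in values):
            reasons.append(f"redirect parameter '{key}' points to another site")
    haystack = (parts.path + "?" + parts.query).lower()
    if any(word in haystack for word in CREDENTIAL_WORDS):
        reasons.append("credential-harvesting keywords in path or query")

    # A trusted, plainly visible link with no redirect tricks is allowed;
    # anything else goes to the same review queue as a suspicious text URL.
    return {"verdict": "allow" if not reasons else "review", "reasons": reasons}


def triage_email(body_text: str, qr_payloads) -> list:
    """Run every decoded QR payload of one message through triage."""
    visible = hosts_in_text(body_text)
    return [triage_qr_payload(p, visible) for p in qr_payloads]


# Constructed sample message: one QR linking to the intranet and also written
# out as text, one shortened link, one look-alike login page that appears only
# inside an image, and one payload that would place a phone call.
SAMPLE_BODY = "Your expense report is ready at https://sso.example-corp.com/expenses."
SAMPLE_QRS = [
    "https://sso.example-corp.com/expenses",
    "https://bit.ly/3xyzAbc",
    "https://example-c0rp.com/login?redirect=https://lookalike.invalid/collect",
    "tel:+15555550100",
]

if __name__ == "__main__":
    for payload, result in zip(SAMPLE_QRS, triage_email(SAMPLE_BODY, SAMPLE_QRS)):
        print(result["verdict"].upper(), payload, "|", "; ".join(result["reasons"]))
```

Anything that is not an allow lands in the same review queue a suspicious plain-text link would, so the QR image stops being a blind spot for the existing URL checks rather than needing its own policy; non-web payloads such as `tel:` or `wifi:` are blocked outright because they act on the device instead of opening a page that a user could still inspect.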

How to be sure you are not dealing with a malicious QR code? Are there any telltale signs?

Again, any QR code that arrives via email is most likely suspicious. Always use your sound judgement in these situations – is this a “too good to be true” scenario? Is there some artificial urgency involved, trying to get you to “act quickly”? Does the website ask for any credentials, or is it “out of context” (did you get an email about work on your personal email, or vice versa)? If it’s a printed QR code, does it look like a second image was “pasted over” the original?

For organizations, it’s especially important to implement a comprehensive employee awareness training program so that employees are aware of these “clues,” especially those who may be using work-issued devices for personal use. While, naturally, they may not think of a QR code as a malicious attack vector, you can teach them the dangers related to scanning a code, and just how costly that can be. The entire organization’s security posture can be improved as a result.
