QR codes are everywhere.

Tudor Purcarelu
5 min read · Feb 22, 2022
coffeesploit.medium.com

They open many doors, unfortunately for everyone.

During Super Bowl commercials, national TV displayed a QR code for 15 seconds. That was when I realized how ubiquitous they are and how easy it is for people to scan them without thinking twice.

Coinbase commercial — "Less talk, more Bitcoin"

When it started

The QR code was invented in 1994 by Masahiro Hara, chief engineer of Denso Wave, a subsidiary of Toyota. The initial purpose of the invention was to track vehicles and parts moving through the manufacturing process.

article about Masahiro Hara and Denso Wave

How it's going

Nowadays, this type of barcode is easily readable with digital devices like smartphones, whether you want to view the menu in a restaurant, buy tickets for concerts, or check more details on products in stores.

What are they?

The quick response code is a two-dimensional version of the barcode that stores up to 7089 digits or 4296 characters, including punctuation marks and special characters. Though looking like a pixelated image, each one of those squares is a marker serving a more significant function in the information-sharing capabilities of the code. The code can equally encode words and phrases such as internet addresses.

QR generator

Are you aware?

Because anyone can create a QR code for any website, QR codes are an easy attack vector. How often do you check a QR code's landing website when visiting a restaurant? I guessed so.

Scenario

It's Friday night, and you have just entered your favorite sushi bar. You have been seated at your favorite table, and you notice a quick response code on the table. You quickly grab your phone out of your pocket to scan it because you are hungry. When you open the scanned link, you land on a website that looks like a usual restaurant page, and you are too focused on the button saying "Click to open menu" to notice that the website URL has a suspicious name like "sushiIsMadeFromPhish[.]com". After clicking the button, you are amazed to see that no menu has loaded, and the game is already over. The attacker reached his goal: you sent a request, and you could now be the target of a browser hijacker or adware, or be redirected to download some malicious APKs on your device.

If anyone argues that this is an unrealistic scenario, let's think about how easy it would be for someone to stick a malicious code over a legitimate one. If the restaurant scenario does not convince you, how about some fake advertising fliers shared in crowded areas?

What could go wrong?

The possibilities of QR codes are unlimited, and so are the malicious ones. Below, I will enumerate a few of them:

Browser hijacker

You can be the lucky receiver of malicious software. A browser hijacker is a "form of unwanted software that modifies a web browser's settings without the user's permission." The result is the placement of unwanted advertising into the browser and possibly replacing an existing home page or search page with the hijacker page. The idea is to make users visit certain websites whether they want to or not, so the hijacker enjoys higher advertising revenue. Browser hijackers may also contain spyware to obtain banking information and other sensitive data.

Downloading APKs

The QR code might link you to APK files, which could contain hidden malware or trojans that get activated in specific circumstances. This malware could steal information from your device and generate revenue by sending premium SMS texts. Anatsa is one of the most popular banking trojans; attackers use it to steal usernames and passwords, and it uses accessibility logging to capture everything shown on the user's screen. At the same time, a keylogger records all information entered into the phone.

Last year, over 300,000 Android users downloaded banking trojan malware apps. As a fun fact, QR reader applications delivering the malware were one of the most popular methods.

Adware

You can infect your phone with adware; thus, your display will be filled with annoying ad pop-ups, generating revenue for the malicious actors.

Raising Awareness

Cyber security has become a wild playground with multiple toys available for attackers to compromise users and companies. That's why it is vital to sound the alarm, warn everybody about the hottest trends, and prevent any loss. The FBI warned Americans last month that cyber-criminals use QR codes to steal their credentials and financial info.

Article about FBI warning everybody about QR attacks

Conclusion

The Quick Response code is great, very useful, and the possibilities with it are unlimited. I did not write this post to discourage readers from using it but only to emphasize that it is essential to double-check the final URL where the code is redirecting you. Being careful can save you trouble.
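One way to apply that double-check to the text decoded from a QR code before opening it, as an added example that is not code from the original post. The function name, the allow-list of expected hosts, the shortener list and the `.example` sample URLs are assumptions constructed for illustration; redirects are not followed, so a shortened link still needs its final URL checked.

```python
import ipaddress
from urllib.parse import urlsplit

# Small sample of link shorteners (assumption); extend for real use.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def assess_qr_payload(payload, expected_hosts):
    """Return warnings for the text decoded from a QR code.

    expected_hosts is a hypothetical allow-list of domains the code should
    lead to. Only the decoded string is inspected; redirects are not followed.
    """
    try:
        url = urlsplit(payload.strip())
    except ValueError:
        return ["malformed URL"]
    if url.scheme not in ("http", "https"):
        return [f"not a web link (scheme {url.scheme!r})"]
    warnings = []
    if url.scheme == "http":
        warnings.append("plain HTTP, no TLS")
    host = (url.hostname or "").rstrip(".")
    if url.username is not None:
        warnings.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    expected = {h.lower() for h in expected_hosts}
    if not any(host == h or host.endswith("." + h) for h in expected):
        warnings.append(f"unexpected host {host!r}")
    if url.path.lower().endswith(".apk"):
        warnings.append("direct Android package (APK) download")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads using reserved .example domains.
    for s in ("https://sushi-bar.example/menu",
              "http://sushi-bar-menu.example/app/menu.apk",
              "https://sushi-bar.example@203.0.113.7/menu"):
        print(s, "->", assess_qr_payload(s, ["sushi-bar.example"]) or "no warnings")
```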
