
QR code malware: Keeping yourself and your family safe *Updated*

By Ken Wong - 20 May 2023


Note: This article was first published on 30th May 2022, and is now updated for relevancy and with a more recent QR code scam incident.

We scan QR codes with hardly a thought these days. Image source: Unsplash.

*This article follows on from our earlier interview on QR code malware with Peter Craig, Director of Cybersecurity Product Marketing at HUMAN.*

QR codes have been in the news quite a lot recently. From warnings by the Singapore Police Force (SPF) to complaints of malware, we’ve been hearing about the problems that compromised QR codes can cause.

The SPF recently reported on the case of a 39-year-old man arrested for his suspected involvement in a series of fraudulent QR codes that were disguised as the OneService Lite QR code and were pasted at the Bukit Batok estate to obtain personal particulars.

The scanning of QR codes has become second nature thanks to Covid-19. With the need to scan safe entry codes, using QR codes for SingPass access, and using them to get menus at restaurants, we scan QR codes without any second thoughts. 

Peter Craig, Director of Cybersecurity Product Marketing at HUMAN, says that, unfortunately, it is virtually impossible for a person to visually check a QR code for compromise before scanning it with their smartphone’s camera. “QR codes can be modified and embedded with a link to a site containing malware or the attacker can simply paste their QR code over the real code to trick the unsuspecting user,” he said.

And, according to Vicky Ray, Principal Researcher, Unit 42 at Palo Alto Networks, given consumers might not think twice when scanning an unfamiliar QR code, we are prime targets for cybercriminals.

 

QR compromised


But how bad can compromised QR codes really be? Well, according to experts, compromised QR codes can do several things.

If cybercriminals can trick you into visiting their site using a QR code, your smartphone could be triggered to download Java-based malware in the background without you even noticing. With your device now compromised, the malware can open backdoors to allow additional malware to be loaded or steal personal information and send it to the attackers for identity theft or resale on the Dark Web.

Redirection to a scam survey site. Image source: Singapore Police Force.

Cybercriminals can launch a ransomware attack that keeps your data unusable until you pay the ransom. Malware can also be used to steal your contact list, track your location or open your webcam to spy on you. QR codes can also be used in phishing attacks, where the fake QR code links to a legitimate-looking website that tricks the user into divulging personal details, again to be sold on the Dark Web or used in identity theft. More sophisticated still is QRLjacking, where criminals hijack a web application’s QR-code-as-login feature, convincing victims to scan their fake QR code rather than the real code, enabling the criminal to gain complete control over the victim’s account.

Hackers may embed QR codes in phishing emails with the aim of luring employees to malicious websites. Unsuspecting employees may be tricked into divulging confidential information about themselves and the company. QR codes could also contain links to malware. Once downloaded onto corporate devices, such malware could lead to compromised systems, data theft, and long-term damage.

Double-check the domain URL. Image source: Singapore Police Force.

Malicious QR codes can perform several operations on a user’s device such as adding contacts or writing emails. This can be misused especially if the corporate network is already compromised.

Scammers may also switch out legitimate QR codes used by businesses in digital payments for fake QR codes. This can cause business owners to lose revenue when the payment is not made to the right party. Moreover, businesses may suffer reputational damage and a loss of trust when their customers fall prey to such scams.

 

Protection from QR malware

Vicky Ray, Principal Researcher, Unit 42 at Palo Alto Networks. Image source: Palo Alto Networks.

Ray says that while there is no sure way to tell if a QR code is being abused by cybercriminals, there are precautions consumers can take.

  • Consumers should scan a QR code only if it is from a trusted source and preview the website and domain name to ensure that it is where they expect to be directed. Many secure QR code scanning apps allow users to preview websites before they visit them.
  • Certain browsers also allow users to disable automatic redirects to unknown websites, enabling individuals to double-check the URL domain before deciding if it is trustworthy.
  • Users should also download apps only from trusted sources such as Apple’s App Store or the Google Play Store. On top of that, they should continuously update all smart devices to benefit from the latest security protections.
  • Craig added that for people worried about shortened URLs, the QR scanners included with smartphones display the site URL before opening, allowing the user to close the link before it opens if it looks suspicious or is shortened.

The Singapore government GovTech team has recently released an official government URL shortener, go.gov.sg, to reduce the likelihood of phishing URLs being used.
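The "preview the domain before you open it" advice above can be made mechanical. The Python sketch below is an added example, not code from the SPF, GovTech or the experts quoted: the function name `preview`, the `SHORTENERS` and `ACTIONS` tables and every sample payload are constructed for illustration, and the tables are not exhaustive. It also flags payloads that make a scanner add a contact or compose a message instead of opening a page.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive tables (assumptions of this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Payload prefixes that trigger a device action rather than a web page.
ACTIONS = {"mailto:": "compose email", "mecard:": "add contact",
           "begin:vcard": "add contact", "smsto:": "compose SMS",
           "sms:": "compose SMS", "tel:": "dial number", "wifi:": "join Wi-Fi"}

def preview(payload, expected_domains):
    """Return (verdict, reasons) for the text decoded from a QR code."""
    text = payload.strip()
    for prefix, action in ACTIONS.items():
        if text.lower().startswith(prefix):
            return "review", [f"non-web action: {action}"]
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".")  # already lower-cased
    except ValueError:
        return "review", ["malformed URL"]
    if parts.scheme not in ("http", "https") or not host:
        return "review", ["not an http(s) URL"]
    reasons = []
    if parts.scheme == "http":
        reasons.append("unencrypted http")
    if parts.username is not None:
        # https://trusted.example@other.example/ really opens other.example
        reasons.append("userinfo before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalised host, possible lookalike")
    if host in SHORTENERS:
        reasons.append("shortened link, destination not visible")
    elif not any(host == d or host.endswith("." + d) for d in expected_domains):
        # Match on a full label boundary, so go.gov.sg.example.net fails.
        reasons.append(f"host {host} is not an expected domain")
    return ("ok" if not reasons else "review"), reasons

if __name__ == "__main__":
    samples = ["https://go.gov.sg/abc", "https://go.gov.sg.example.net/abc",
               "https://go.gov.sg@example.net/x", "https://bit.ly/xyz",
               "MECARD:N:Test;TEL:000;;"]  # constructed payloads
    for s in samples:
        print(s, "->", preview(s, {"go.gov.sg"}))
```

The second and third samples are the ones worth studying: both show the trusted name on screen, yet the host the browser would contact is `example.net`.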

The SPF reminded members of the public to remain vigilant when accessing websites and to always check the authenticity of the website before providing any personal details. In the case of the OneService Lite QR code fraud, the SPF adds that all OneService feedback channels, including OneService Lite, are also designed to work without feedback providers having to provide any personally identifiable information. 

 

In time to come

Peter Craig, Director of Cybersecurity Product Marketing, HUMAN. Image source: HUMAN.

But can we expect an evolution of this form of threat, and what can we do to protect ourselves and those most at risk of falling for it?

Ray says we’ll likely see a rise in cybercriminals’ attempts to use QR codes for their nefarious gains. Cybercriminals may become more brazen in their approach and more confident in their attacks. Cybercriminals are also likely to abuse QR codes for various phishing campaigns. “We may also see specialised groups emerging with the goal of launching more sophisticated attacks that are greater in scale,” he said.

Craig warns that combatting QR code fraud needs to be a joint effort using the resources of government, businesses and the cybersecurity community.

He added that the right security technology combined with public security awareness is the answer to preventing attacks. 
