QR code malware: Keeping yourself and your family safe
QR code malware: Keeping yourself and your family safe
*This article follows-on from our earlier interview on QR code malware with Peter Craig, Director of Cybersecurity Product Marketing at HUMAN.*
QR codes have been in the news quite a lot recently. Warnings from the Singapore Police Force, to complaints of malware, we’ve been hearing the problems the compromised QR codes can cause.
The scanning of QR codes has become second nature thanks to Covid-19. With the need to scan safe entry codes, using QR codes for SingPass access, and using them to get menus at restaurants, we scan QR codes without any second thoughts.
Peter Craig, Director of Cybersecurity Product Marketing at HUMAN, says that unfortunately, it is virtually impossible for a person to visually check a QR code for compromise before scanning it with their smartphone’s camera. “QR codes can be modified and embedded with a link to a site containing malware or the attacker can simply paste their QR code over the real code to trick the unsuspecting user,” he said.
And, according to Vicky Ray, Principal Researcher, Unit 42 at Palo Alto Networks, given consumers might not think twice when scanning an unfamiliar QR code, we are prime targets for cybercriminals.
But how bad can compromised QR codes really be? Well, according to experts, compromised QR codes can do several things.
If cybercriminals can trick you into visiting their site using a QR code, your smartphone could be triggered to download java-based malware in the background without you even noticing. With your device now compromised, the malware can open backdoors to allow additional malware to be loaded or steal personal information and send it to the attackers for identity theft or resale on the Dark Web.
Cybercriminals can launch a ransomware attack that keeps your data unusable until you pay the ransom. Malware can also be used to access the device’s location or steal your contact list, track your location or open your webcam to spy on you. QR codes can also be used in phishing attacks where the fake QR code links to a legitimate-looking website that tricks the user into divulging personal details, again, to be sold on the Dark Web or used in identity theft. More sophisticated again, is QRLjacking where criminals hijack a web application’s QR-code-as-login feature, convincing victims to scan their fake QR code rather than the real code, enabling the criminal to gain complete control over the victim’s account.
Hackers may embed QR codes in phishing emails, with the aim of luring employees to malicious websites. Unsuspecting employees may be tricked into divulging confidential information about themselves and the company. QR codes could also contain links to malware. Once downloaded onto corporate devices, such malware could lead to compromised systems, data theft, and long-term damage.
Malicious QR codes can perform several operations on a user’s device such as adding contacts or writing emails. This can be misused especially if the corporate network is already compromised.
Scammers may also switch out legitimate QR codes used by businesses in digital payments for fake QR codes. This can cause business owners to lose revenue when the payment is not made to the right party. Moreover, businesses may suffer reputational damage and a loss of trust when their customers fall prey to such scams.
Protection from QR malware
Ray says that while there is no certain way to tell if a QR code is being abused by cybercriminals, there are precautions consumers can take.
- Consumers should scan a QR code only if it is from a trusted source and preview the website and domain name to ensure that it is where they expect to be directed. Many secure QR code scanning apps allow users to preview websites before they visit them.
- Certain browsers also allow users to disable automatic redirects to unknown websites, enabling individuals to double-check the URL domain before deciding if it is trustworthy.
- Users should also be sure to download apps only from trusted sources such as Apple’s App Store or the Google Play Store. On top of that, they should continuously update all smart devices to benefit from the latest security protections.
- Craig added that for people worried about shortened URLs, the QR scanners included with smartphones display the site URL before opening, allowing the user to close the link before it opens, if it looks suspicious or is shortened.
The Singapore government GovTech team has recently released an official government URL shortener, go.gov.sg, to reduce the likelihood of phishing URLs being used.
In time to come
But can we expect an evolution of this form of threat and what can we do to protect ourselves and those most at risk of falling for it?
Ray says that we’ll likely see a rise in cybercriminals’ attempts to use QR codes for their nefarious gains. Cybercriminals may grow more brazen in their approach and become more confident in their attacks. Cybercriminals are likely to abuse QR codes for various phishing campaigns. “We may also see specialised groups emerging with the goal of launching more sophisticated attacks that are greater in scale,” he said.
Craig warns that combatting QR code fraud needs to be a joint effort using the resources of government, businesses and the cybersecurity community.
He added that the right security technology combined with public security awareness is the answer to preventing attacks.