QR code safety: Is there malware in that QR code?
QR code safety: Is there malware in that QR code?
Note: This feature was first published on 24 February 2022 and is re-published now as it's still relevant.
Living with QR codes safely
We scan QR codes without thinking. Whether we’re doing a Safe Entry check-in, at a restaurant looking to get the menu, logging into SingPass, or trying to make a digital payment, QR codes have become something we regularly use in Singapore.
But, there are a number of security risks associated with QR codes.
Do we really know what we’re scanning with our smartphones? Do you know that like computers, QR codes can be compromised and house malware?
Phishing or 'QRishing' as some call it is when a person is redirected to a phishing website by a malicious QR code. Another attack is redirecting a user to a malicious website to try to install malicious apps and then exploit that device. Infected devices could be made to join a botnet, leak data, or can send SMS to premium numbers.
As recently as this week the Singapore Police Force (SPF) released a warning to the public on scammers misleading Singaporeans into scanning SingPass QR codes and unknowingly granting them access to the person’s digital services.
So how are QR codes compromised? How do you know if the QR code you’re scanning is safe? What are some basic steps to take to prevent being compromised by these malicious QR codes?
We did six questions with Peter Craig, Director of Cybersecurity Product Marketing, at security company HUMAN to find out more and have added on a few suggestions too.
1) How are QR codes exploited for fraud? How would someone know if they are scanning a compromised QR code? Can they also be used to install malware? Should we deny any link that uses Bitly URL shortener?
QR codes can be exploited for fraud and, unfortunately, it is virtually impossible for a person to visually check a QR code for compromise before scanning it with their smartphone's camera. QR codes can be modified and embedded with a link to a site containing malware or the attacker can simply paste their QR code over the real code to trick the unsuspecting user.
Bitly is a URL shortening service that has been exploited by scammers to hide the real destination of links. As a QR code is designed to save you the time required to type a URL into your browser, using Bitly with a QR code seems suspicious.
The good news is that the QR scanners included with most smartphones display the site URL before launching the site, allowing the user to disregard the link if it looks suspicious or is shortened. The Singapore government GovTech team has recently released an official government URL shortener, go.gov.sg, to reduce the likelihood of phishing URLs being used for important services.
Furthermore, free tools that help you detect malicious QR codes, that you can install on your phone, are available from many anti-malware vendors. For example, Sophos Intercept X (formerly known as Sophos Mobile Security) is one of them.
2) How serious can these types of fraud be? What forms of attacks can be hidden in a QR code? For example, phishing, identity theft, redirection to a malicious site etc.
If cybercriminals can trick you into visiting their site using a QR code, this can trigger your phone to download Java-based malware in the background without you even noticing. With your device now compromised, the malware can open backdoors to allow additional malware to be loaded or steal personal information and send it to the attackers for identity theft or resale on the Dark Web.
Cybercriminals can launch a ransomware attack that keeps your data unusable until you pay the ransom. Malware can also be used to access the device’s location or steal your contact list, track your location or open your webcam to spy on you.
QR codes can also be used in phishing attacks where the fake QR code links to a legitimate-looking website that tricks the user into divulging personal details, again, to be sold on the Dark Web or used in identity theft. More sophisticated again, is QRLjacking where criminals hijack a web application’s QR-code-as-login feature, convincing victims to scan their fake QR code rather than the real code, enabling the criminal to gain complete control over the victim’s account.
3) QR Codes are used extensively in Singapore, especially on applications such as Singpass. Given that most Singpass QR codes are generated within the app, is it still a risk? Or are third parties still the greatest risk?
Third-party QR codes are the greatest risk to consumers and businesses. The Singapore GovTech team has done an excellent job in securing the Singpass app, which is vital considering the nature of the information involved. Singpass has stringent security measures in place and always checks QR code legitimacy and validity before you authenticate. Even so, it always makes sense to be security-aware and check that the website URL stated on the confirmation page on the app matches the URL in your web browser address bar.
4) Why is this method of attack so appealing to cybercriminals?
Cybercriminals will try anything to get their hands on your data and money. Almost everyone has a smartphone today and criminals like scale. It’s a numbers game. Even if they can trick a small percentage of the large number of QR code-using Singapore public to divulge their data, they win.
5) How can organisations defend themselves against these types of attacks? For example, 2FA is already being used on some sites following the QR code scan. Is more protection needed?
Adding 2FA to the authentication process makes using QR codes to log in to applications a more secure process. There is absolutely a place for 2FA, but one downside to 2FA is that it adds friction to the user experience. Solutions from HUMAN Security, for example, can help secure your web application accounts and prevent personal information harvesting while lowering the friction that comes with 2FA.
6) Can we expect to see attacks like this occurring in Singapore?
QR codes are widely used in Singapore. People are familiar with the technology and trust it. It’s likely that cybercriminals will try to exploit this trust. The right security technology combined with public security awareness is the answer to preventing attacks. Combatting QR code fraud needs to be a joint effort using the resources of government, businesses and the cybersecurity community.