FTC Issues Cybersecurity Warning for QR Codes

The US Federal Trade Commission recently issued a Consumer Alert titled, “Scammers hide harmful links in QR codes to steal your information,” in which it warns people to be cautious in their use of QR codes.

QR codes — short for “quick response” — are simply new and improved barcodes that can contain more information and can be read more quickly than the ordinary barcodes that you know from the supermarket. QR codes were initially developed back in 1994 as a way to track automobile parts. While they are still used for inventory tracking and other similar industrial purposes, they are now also widely used in consumer-facing applications, with users’ smartphones serving as scanners and a webpage link encoded in the QR code.

QR codes seem to be everywhere nowadays. The increase in their use was at least partially spurred by the Covid pandemic, like so many other aspects of life today: Instead of giving out paper menus or tablets, which may have been handled by many germ-laden hands, many restaurants took to displaying a QR code at each table so diners could open a link to the menu on their very own phones.

Parking lots also often use QR codes now as a way of directing people to a website where they can pay for parking.  And many video providers such as Apple TV and Prime Video use QR codes to make it easy for customers to log into their service from a new device. Scanning the code displayed on the device takes the user to a site where they can login to the service.

Marketers have also become enamored with QR codes and seem to be finding new uses every day. Examples recently seen in the wild include ads posted in a bar for ordering a taxi, targeting patrons who’ve drank too much to drive, and ads posted on a ski slope chairlift and virtually anywhere else that people are stuck idly waiting for a few minutes and are likely to have their phones at the ready.

Integrating QR codes in ads is a great marketing tactic for drawing people deeper into your content before they are distracted by other things. So, it makes sense that it did not take long for cybercriminals to want in on those clicks.

How QR Code Scams Work

Simple QR code scams do not bother with malware as such. Instead, the embedded link brings users to a bogus spoofed website where the user’s credentials or money can be stolen, or one which installs malware on the user’s device.

One technique that scammers use is to paste a QR code of their own on top of a legitimate sign, for example at a parking lot. The user scans the QR code, and instead of paying the owner of the parking lot, they make a payment to the scammer.

In some phishing or social engineering attacks, scammers will send a text or email with a QR code with some sort of hook to get users to scan the code. Generally, it is standard (but convincing) phish bait: Maybe they’ll claim they couldn’t deliver your package and need updated information from you, or that there is some kind of problem with your account, and it needs verification.

The site the QR code brings the user to may be a near clone of a legitimate site. Since many users are not yet as aware of QR code scams as they are of email phishing, they may easily fall victim by opening the link without closely checking the URL.

QR code attacks may also incorporate steganography, a technique for hiding encrypted data in images, files, or texts along with the explicit content. With steganography the object contains malware, it’s just encoded in such a way as to be virtually undetectable. So, for instance, while the QR code contains a link to a website, a password that activates malware on the site may be encrypted in the QR code as well.

Protecting Against QR Code Scams

The first line of defense against QR code scams and attacks is user awareness. Just as a user should know to look for things like typos in URLs that could be indicators of a malicious site, they should know to look for the same thing in links that QR codes open. They should adjust phone settings to check if the site should be opened and carefully examine the URL for typical warning signs before clicking “yes.”

However, we know that user training is inadequate as a defense against cyberattacks. A high percentage of trained users will still click through to a suspicious link – often not even stopping to check if it’s suspicious or not.

There are technological tools that can help. For devices managed by an enterprise IT team, Ericom’s Web Isolation can provide protection against QR code scams in two ways:

1. Policy-based controls can be used to ensure that sites that are not known to be safe open in “read only” mode, preventing users from “logging in” or entering credentials or personal information on a scam site.
2. Since browsing is via cloud-based Remote Browser Isolation, an infected site cannot install malware on the user’s device.

QR code scams are just one example of how cybercriminals leverage legitimate technology tools to steal user information or to install malware that will sneak past users. User vigilance alone is not enough to ensure cybersecurity. Contact us to learn more about our web and email security solutions.

---

Share this on:

---

About Mendy Newman

Mendy is the Group CTO of Ericom's International Business operations. Based in Israel, Mendy works with Ericom's customers in the region to ensure they are successful in deploying and using its Zero Trust security solutions, including the ZTEdge cloud security platform.