Hackers Tampering with QR Codes To Steal Money – FBI Warns!!

“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes.” – FBI warns about malicious QR Codes

From making contactless payments on mobile payment apps and viewing paperless menus to contact tracing Covid-19 cases, QR (Quick Response) codes are everywhere and in popular usage. This ubiquity and convenience have also made QR codes popular and lucrative targets for cybercriminals who leverage malicious QR codes to illegally gain access to confidential information, spread malware, or steal money.

With QR code exploits rising, businesses and users must protect themselves against malicious QR codes.

How Do Cybercriminals Use Malicious QR Codes?

QR codes, functioning similarly to barcodes, are square configurations of black and white squares contained within a larger square to store encoded data. QR codes are easier to scan and read than barcodes. QR codes can be read using a smartphone camera, provide quick and easy access to a website, direct payment to a recipient, prompt to download an app, link to a PDF file, and so on.

QR codes, by themselves, are secure and cannot be directly attacked. However, it is extremely easy for attackers to generate their malicious QR codes. They could tamper with digital and physical codes to replace legitimate ones with malicious QR codes. They could tamper with the pixelated dots using online tools so that an average user may not notice the difference in the code.

Attackers can also embed a malicious link containing malware into a QR code. So, when the unsuspecting victim scans the QR code, it automatically downloads and activates malware in their device. Or the malicious QR code may redirect them to a phishing website where the attacker may coax the user into doing their bidding.

Types of Threats that Leverage Malicious QR Codes

• Replacing legitimate codes in public spaces or unattended codes in shops with malicious codes
• Quishing or QR-code-based phishing attacks
• QRL-jacking or QR-based-clickjacking attacks
• Email-based QR code phishing attacks

What Can Organizations Do to Protect Against Malicious QR Codes?

Secure All Devices with a Robust Security Solution

With the rise of remote working and BYOD, employees often use personal devices and smartphones to access corporate networks and resources. So, suppose an employee were to download malware or share login credentials on a fake website after scanning a malicious QR code. In that case, you are leaving your corporate resources open to attacks.

To avert this, you need to ensure all devices, including BYOD, are protected with a robust, intelligent, multi-layered, and fully managed security solution like AppTrana. Such a solution regularly scans, detects, and stops advanced malware and other complex attacks. They can further tune the solution to block unauthorized downloads, repetitive login requests, and other activities.

Leverage Content Filtering

Most QR code attacks redirect users to malicious websites or make them download malicious attachments/ files. For effective QR code protection, you must leverage a security solution that can inspect links and attachments and block access to those containing malware or suspicious content.

Implement Multifactor Authentication

Often, attackers use malicious QR codes to get unsuspecting victims to share passwords and login credentials. By implementing multifactor authentication, you can reduce the reliance on passwords alone for protection and thwart a wide range of attacks that exploit stolen passwords and login credentials.

Enforce Strong Access Controls

By implementing robust, role-based access control policies, you can minimize the extent of damage attackers can cause after stealing login credentials.

Other Important Measures for QR Code Protection

• Keep all devices updated
• Segment and create separate containers for BYOT devices
• Keep educating users who need to understand how to use QR codes safely

What Organizations Should Do for Point of Use/Sale QR Code Protection?

Customize QR Code

Brands should incorporate their unique branding elements into QR code design and templates so that it matches your landing page. Also, include a custom brand domain or company domain name in your QR code, if possible. This increases user confidence in using the QR code. Partner with certified, secure, and compliant QR code solution providers in customizing and creating QR codes.

Use EV SSL

Making sure your website linked to the QR code is strongly encrypted and has visible signs of SSL protection as provided by an EV SSL certificate inspires user trust and confidence. They know that they aren’t being fooled by an attacker impersonating your brand.

What Can Users and Customers Do?

1. Scan QR codes only from trusted sources. If unsure, it is better to type the link rather than scan the code.
2. Verify the URL upon opening it
   • Inspect the domain name
   • Check for browser warning in the address bar
   • Verify the SSL certificate to ensure the website belongs to a legal entity

The Way Forward 

Protecting against QR code attacks should not be just a customer/ user prerogative; organizations need to be responsible for protection against malicious QR codes. After all, it helps protect your corporate resources, brand image, and user trust.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn