However, like any other mainstream technology, the widespread use of QR codes has also attracted the attention of scammers, for criminal purposes. This trend has even prompted an alert from the United States Federal Bureau of Investigation (FBI).
How do fraudsters use codes for illicit purposes?
What is a QR code and how does it work?
Short for “Quick Response”, a QR code is a type of barcode that can be read by a machine instantly. A QR code can contain up to 4,296 alphanumeric characters, which allows easy decoding by a smartphone camera.
Text strings that are encoded in a QR code can contain a variety of data. The action triggered by reading a QR code depends on the application that interacts with said code.
Codes can be used to navigate to a website, download a file, add a contact, connect to a Wi-Fi network, and even make payments.
QR codes are very versatile and can be customized to include logos. Dynamic versions of QR codes even allow you to change the content or action at any time. This versatility, however, can be a double-edged sword.
How can QR codes be exploited?
The sheer number of use cases for QR codes (and the potential for misuse) is no exception to fraudsters.
Here’s how cybercriminals can hijack codes to steal your data and money:
1. Redirection to malicious website to steal sensitive information : Phishing attacks are not only spread by e-mails, instant messages or SMS. Just as attackers can use malicious ads and other techniques to direct you to fraudulent sites, they can do the same with QR codes.
2. Downloading a malicious file to your device : many bars and restaurants use QR codes to download a menu in PDF format or install an application allowing you to place an order. Attackers can easily fake the QR code to trick you into downloading a malicious PDF file or a malicious mobile app.
3. Trigger actions on your device : QR codes can trigger actions directly on your device, these actions depending on the application that reads them. However, there are some basic actions that any QR reader is capable of interpreting.
These include connecting the device to a Wi-Fi network, sending an email or text message with predefined text, or saving contact information to your device. While these actions aren’t malicious on their own, they can be used to connect a device to a compromised network or send messages on your behalf.
4. Divert a payment : Most financial applications today allow payments to be made using QR codes containing data belonging to the recipient of the money. Many stores show you these codes to facilitate the transaction.
However, an attacker might modify this QR with his own data and receive payments on his account. It might also generate codes with money collection requests to trick you.
5. Steal your identity : many QR codes are used as a certificate to verify your information, such as your identity card or your vaccination record. In these cases, QR codes can contain information as sensitive as your ID or medical records, which an attacker might easily obtain by scanning the QR code.
We have adopted QR codes in our daily life. And as with all new practices, we need to develop new habits to stay alert. Each new technology brings its share of advantages but also threats.