QR codes are very common today, enough so that attackers are discovering ways of using them for profit. How can QR codes be used this way, and what can you do to boost QR code security and protect against these scams?

What Are QR Codes Used For? 

QR codes — short for “quick response codes” — were born in 1994 as a way for Japanese auto parts maker Denso Wave to track parts in car factories. These two-dimensional barcodes enable a smartphone camera to read up to 4,000 characters of information instantaneously. 

After growing in use and breadth of application for decades, QR codes are having a moment. In 2020, consumers and businesses embraced touchless solutions. App-centric payment companies, charities, nonprofits and point-of-sale systems used online QR code generators as a way to make customer portals that avoided button pushing and credit card exchanges. 

The largest tech companies are embracing QR codes in a big way. Silicon Valley companies (and others) are finding QR codes useful for self-service information in retail stores, transactions and other uses. Most interestingly, they’ll also become useful for augmented reality. QR code stickers on an object or wall or table can serve as both an anchor in 3D space for virtual reality objects and the source of the data. 

Smart displays can now support QR codes for scanning grocery items to add to a shopping list. Social networks have embraced QR codes for linking to personal profiles. There’s no question QR codes are now totally mainstream. 

A survey by MobileIron found that 84% of respondents had scanned a QR code before, with a third having done so in the prior week. That raises the question: are QR codes safe?

QR Code Security Issues

They can be. QR codes are convenient — and uniquely powerful for criminals. 

Essentially, a QR code can serve as a URL, carrying the same kind of risk as opening a malicious website on a phone. But people are less likely to recognize a malicious QR code than a malicious URL. It also helps attackers that most people don’t know a QR code can do more than open a URL: it can write an email or text message or make a phone call. More than one-third of respondents in the MobileIron survey said they are not concerned about the security risk of using QR codes. 

Threat actors can deliver malicious QR codes via instant messages, social media, email, SMS — you name it. And QR codes can initiate action on smartphones, such as launching a payment app and making a payment, adding a contact or following a malicious account on social media. They can also divulge the victim’s location or add a malicious Wi-Fi network.

Dynamic QR codes are a special risk. The data stored on them can be changed after they’re generated, or they can present different data to different types of devices. 

The rise of QR codes also coincides with the rise of cryptocurrency, to unhappy effect. Bitcoin addresses are often conveyed via QR codes, which is far more convenient than typing out a long Bitcoin address. QR codes inject data, and Bitcoin is data, so the abuse of QR codes to steal Bitcoin was an inevitability. 

Tips for Avoiding QR Code Scams

Users have several ways to minimize the risk of QR code scams and QR code security issues. 

  • If someone appears to have sent you a QR code, contact the supposed sender and ask if they sent it. 
  • Look out for URL-shortened links appearing after scanning a QR code, which can hide malicious URLs. 
  • Organizations: Deploy a mobile defense solution that blocks phishing attempts, exploits, phone takeovers and unauthorized downloads. 
  • Embrace multifactor authentication in place of password access to applications and cloud resources. 
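
The checks above can be applied before a scanner app acts on a decoded code: name the action the payload would trigger and flag links that hide their destination. The following Python is an added example, not code from the article; the function name, the shortener list and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit

# Illustrative, incomplete shortener list (an assumption, not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}

# Payload prefixes that trigger a phone action instead of opening a web page.
ACTION_PREFIXES = [
    ("mailto:", "compose email"), ("matmsg:", "compose email"),
    ("sms:", "compose text message"), ("smsto:", "compose text message"),
    ("tel:", "place phone call"), ("wifi:", "join Wi-Fi network"),
    ("geo:", "open map location"), ("mecard:", "add contact"),
    ("begin:vcard", "add contact"), ("bitcoin:", "cryptocurrency payment"),
]

def triage_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and collect warnings to show before acting."""
    text = payload.strip()
    lowered = text.lower()
    result = {"action": "plain text", "warnings": []}
    for prefix, action in ACTION_PREFIXES:
        if lowered.startswith(prefix):
            result["action"] = action
            result["warnings"].append(f"scan would {action}, not just display text")
            return result
    if lowered.startswith(("http://", "https://")):
        result["action"] = "open URL"
        try:
            parts = urlsplit(text)
            host = parts.hostname or ""
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            return {**result, "warnings": ["malformed URL"]}
        result["host"] = host
        if parts.scheme == "http":
            result["warnings"].append("unencrypted http link")
        if host in SHORTENER_HOSTS:
            result["warnings"].append("shortened link hides the real destination")
        if parts.username is not None:
            result["warnings"].append("text before '@' is not the real host")
    return result

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://login.example.com@tinyurl.com/EXAMPLE",
    "WIFI:T:WPA;S:Free-Cafe-WiFi;P:example-pass;;",
    "smsto:+15555550100:constructed message body",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample))
```

A scanner or mobile defense tool would display the returned action and warnings and wait for confirmation instead of acting on the payload automatically.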

These days, it’s important to cover all your bases when it comes to mobile data protection. Defending against pervasive and growing malicious QR codes should be at the top of that list. 
