QR codes are very common today, enough so that attackers are discovering ways of using them for profit. How can QR codes be used this way, and what can you do to boost QR code security and protect against these scams?

What Are QR Codes Used For? 

QR codes — short for “quick response codes” — were born in 1994 as a way for Japanese auto parts maker Denso Wave to track parts in car factories. These two-dimensional barcodes enable a smartphone camera to read up to 4,000 characters of information instantaneously. 

After growing in use and breadth of application for decades, QR codes are having a moment. In 2020, consumers and businesses embraced touchless solutions. App-centric payment companies, charities, nonprofits and point-of-sale systems used online QR code generators as a way to make customer portals that avoided button pushing and credit card exchanges. 

The largest tech companies are embracing QR codes in a big way. Silicon Valley companies (and others) are finding QR codes useful for self-service information in retail stores, transactions and other uses. Most interestingly, they’ll also become useful for augmented reality. QR code stickers on an object or wall or table can serve as both an anchor in 3D space for virtual reality objects and the source of the data. 

Smart displays can now support QR codes for scanning grocery items to add to a shopping list. Social networks have embraced QR codes for linking to personal profiles. There’s no question QR codes are now totally mainstream. 

A survey by MobileIron found that 84% of respondents had scanned a QR code before, with a third having done so in the prior week. Which raises the question: are QR codes safe?

QR Code Security Issues

They can be. QR codes are convenient — and uniquely powerful for criminals. 

Essentially, they can serve as URLs, carrying the same risks as opening a malicious website on a phone. But unlike a URL, a QR code gives no visual cue about where it leads, so people are less likely to recognize a malicious one. Beyond URLs, it also benefits the bad guys that most people don’t know a QR code can compose an email or text message or place a phone call. More than one-third of respondents in the MobileIron survey say they are not concerned about the security risk of using QR codes.

Threat actors can deliver malicious QR codes via instant messages, social media, email, SMS — you name it. And QR codes can initiate action on smartphones, such as launching a payment app and making a payment, adding a contact or following a malicious account on social media. They can also divulge the victim’s location or add a malicious Wi-Fi network.

Dynamic QR codes are a special risk. Rather than the final destination, they usually encode a redirect URL hosted by the service that generated them, so the data they resolve to can be changed after they’re generated, or they can present different data to different types of devices.

The rise of QR codes also coincides with the rise of cryptocurrency, to unhappy effect. Bitcoin addresses are often conveyed via QR codes, which is far more convenient than typing out a long Bitcoin address. QR codes inject data, and Bitcoin is data, so the abuse of QR codes to steal Bitcoin was an inevitability. 

Tips for Avoiding QR Code Scams

Users have several ways to minimize the risk of QR code scams and QR code security issues. 

  • If anyone appears to send a QR code, contact the supposed sender and ask if they sent it. 
  • Look out for URL-shortened links appearing after scanning a QR code, which can hide malicious URLs. 
  • Organizations: Deploy a mobile defense solution that blocks phishing attempts, exploits, phone takeovers and unauthorized downloads.
  • Embrace multifactor authentication in place of password access to applications and cloud resources. 
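To make the earlier point about payload types concrete (a QR code can carry a URL, an email, a text message, a phone call, a Wi-Fi network or a payment request) and the advice above about watching for shortened links, here is an added Python example, not code from the original article, of a pre-action check that classifies a decoded QR payload and flags anything a scanner app should show the user and confirm before acting. The shortener host list and the sample payloads are constructed for the example; the `WIFI:`, `mailto:`, `tel:`, `sms:` and `bitcoin:` payload forms are the conventions common scanner apps recognize.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed shortener list for this example; a real deployment would
# maintain its own, since new shortener domains appear regularly.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Schemes that make the phone *do* something rather than display a page.
ACTION_SCHEMES = {
    "mailto": "compose_email",
    "tel": "place_call",
    "sms": "compose_sms",
    "smsto": "compose_sms",
    "bitcoin": "payment_request",
}

# "WIFI:T:WPA;S:ssid;P:password;;" fields, allowing backslash-escaped ';'
_WIFI_FIELD = re.compile(r"([A-Z]):((?:\\.|[^;])*);")
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*$")


def _host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_payload(payload: str) -> dict:
    """Return {"kind", "target", "flags"} for one decoded QR payload.

    An empty "flags" list means the payload is an ordinary HTTPS URL or
    plain text; anything else deserves a confirmation prompt.
    """
    text = payload.strip()
    lower = text.lower()
    flags = []

    if lower.startswith("wifi:"):
        fields = dict(_WIFI_FIELD.findall(text[5:]))
        flags.append("adds_wifi_network")
        if fields.get("T", "").lower() in ("", "nopass"):
            flags.append("open_network")
        return {"kind": "wifi", "target": fields.get("S", ""), "flags": flags}

    if lower.startswith(("begin:vcard", "mecard:")):
        return {"kind": "contact", "target": "", "flags": ["adds_contact"]}

    scheme, sep, rest = text.partition(":")
    scheme = scheme.lower()
    if not sep or not _SCHEME.match(scheme):
        # No scheme at all: treat as inert text (e.g. "Meet at 10:30").
        return {"kind": "text", "target": text, "flags": []}

    if scheme in ACTION_SCHEMES:
        target = rest.split("?", 1)[0]  # drop subject/body/amount parameters
        flags.append(ACTION_SCHEMES[scheme])
        return {"kind": scheme, "target": target, "flags": flags}

    if scheme in ("http", "https"):
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
        if scheme == "http":
            flags.append("insecure_transport")
        if host in SHORTENER_HOSTS:
            flags.append("url_shortener")      # hides the real destination
        if _host_is_ip(host):
            flags.append("ip_address_host")    # unusual for a legitimate brand
        if parts.username is not None:
            flags.append("userinfo_in_url")    # "https://bank.example@evil..."
        return {"kind": "url", "target": host, "flags": flags}

    return {"kind": "unknown_scheme", "target": text, "flags": ["unknown_scheme"]}


def needs_confirmation(payload: str) -> bool:
    """True when the scanner should ask the user before acting on the payload."""
    return bool(classify_payload(payload)["flags"])


# Constructed sample payloads, one per category discussed in the article.
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "https://bit.ly/abc123",
    "http://192.0.2.1/login",
    "mailto:someone@example.com?subject=hi",
    "tel:+15555550100",
    "WIFI:T:nopass;S:FreeCafe;;",
    "bitcoin:bc1qexampleaddress000?amount=0.1",
    "Meet at 10:30",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{p!r:48} -> {classify_payload(p)}")
```

The check deliberately runs on the decoded string only, so it works offline and before any network request; resolving shortened or dynamic-redirect URLs to their final destination would need a separate, sandboxed fetch step.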

These days, it’s important to cover all your bases when it comes to mobile data protection. Defending against pervasive and growing malicious QR codes should be on the top of that list. 
