QR codes are very common today, enough so that attackers are discovering ways of using them for profit. How can QR codes be used this way, and what can you do to boost QR code security and protect against these scams?

What Are QR Codes Used For? 

QR codes — short for “quick response codes” — were born in 1994 as a way for Japanese auto parts maker Denso Wave to track parts in car factories. These two-dimensional barcodes enable a smartphone camera to read up to 4,000 characters of information instantaneously. 

After growing in use and breadth of application for decades, QR codes are having a moment. In 2020, consumers and businesses embraced touchless solutions. App-centric payment companies, charities, nonprofits and point-of-sale systems used online QR code generators as a way to make customer portals that avoided button pushing and credit card exchanges. 

The largest tech companies are embracing QR codes in a big way. Silicon Valley companies (and others) are finding QR codes useful for self-service information in retail stores, transactions and other uses. Most interestingly, they’ll also become useful for augmented reality. QR code stickers on an object or wall or table can serve as both an anchor in 3D space for virtual reality objects and the source of the data. 

Smart displays can now support QR codes for scanning grocery items to add to a shopping list. Social networks have embraced QR codes for linking to personal profiles. There’s no question QR codes are now totally mainstream. 

A survey by MobileIron found that 84% of respondents had scanned a QR code before, with a third having done so in the prior week. That raises the question: are QR codes safe?

QR Code Security Issues

They can be. QR codes are convenient — and uniquely powerful for criminals. 

Essentially, a QR code can carry a URL, so scanning one brings the same risks as opening a malicious website on a phone. But unlike a URL, a QR code gives the user nothing to read, so people are far less likely to recognize a malicious one. It also works in the attackers' favor that most people don't know a QR code can compose an email or text message or place a phone call. More than one-third of respondents in the MobileIron survey say they are not concerned about the security risk of using QR codes. 

Threat actors can deliver malicious QR codes via instant messages, social media, email, SMS — you name it. And QR codes can initiate action on smartphones, such as launching a payment app and making a payment, adding a contact or following a malicious account on social media. They can also divulge the victim’s location or add a malicious Wi-Fi network.

Dynamic QR codes are a special risk. The data stored on them can be changed after they’re generated, or they can present different data to different types of devices. 

The rise of QR codes also coincides with the rise of cryptocurrency, to unhappy effect. Bitcoin addresses are often conveyed via QR codes, which is far more convenient than typing out a long Bitcoin address. A QR code hands the phone whatever data it encodes, and a Bitcoin payment address is just data, so the abuse of QR codes to steal Bitcoin was an inevitability. 

Tips for Avoiding QR Code Scams

Users have several ways to minimize the risk of QR code scams and QR code security issues. 

  • If anyone appears to send a QR code, contact the supposed sender through another channel and ask if they sent it. 
  • Look out for shortened URLs appearing after scanning a QR code, which can hide malicious destinations. 
  • Organizations: Deploy a mobile defense solution that blocks phishing attempts, exploits, phone takeovers and unauthorized downloads. 
  • Embrace multifactor authentication in place of password access to applications and cloud resources. 
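The risks described above all come down to one fact: the decoded payload of a QR code is not just text but an instruction to the phone (open a site, compose a message, dial a number, join a network, pay an address). The following added example, which is not part of the original article and not code from any scanner app, shows the kind of triage a scanner or a security team's review tool can run on a decoded payload before acting on it. It covers the payload types the article names (URLs, email, SMS, phone calls, Wi-Fi networks, location, Bitcoin addresses) and flags the shortened-URL case from the tips list. The shortener host list and every sample payload are constructed for illustration.

```python
"""Triage decoded QR-code payloads before a phone acts on them (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of URL-shortener hosts used only for this example.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


@dataclass
class QrAssessment:
    kind: str                    # url, email, sms, phone, wifi, bitcoin, location, text
    target: str                  # the host, address, number or SSID the action would touch
    risks: list = field(default_factory=list)


def parse_wifi(payload: str) -> dict:
    """Parse the 'WIFI:T:WPA;S:ssid;P:pass;;' join format into a field dict."""
    fields = {}
    for part in payload[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key] = value
    return fields


def assess_qr_payload(payload: str) -> QrAssessment:
    """Classify a decoded payload by the action it triggers and note its risks."""
    text = payload.strip()
    lower = text.lower()

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        host = parts.hostname or ""
        result = QrAssessment("url", host)
        if parts.scheme == "http":
            result.risks.append("plain HTTP: page can be altered in transit")
        if host in SHORTENER_HOSTS:
            result.risks.append("URL shortener: destination hidden until followed")
        if parts.username or parts.password:
            result.risks.append("credentials in URL: displayed host may mislead")
        return result

    if lower.startswith("mailto:"):
        address = text[len("mailto:"):].split("?", 1)[0]
        return QrAssessment("email", address, ["composes an email to this address"])

    if lower.startswith(("sms:", "smsto:")):
        # sms:<number>?body=... or SMSTO:<number>:<body>
        number = text.split(":", 1)[1].split(":", 1)[0].split("?", 1)[0]
        return QrAssessment("sms", number, ["sends a text; premium-rate numbers cost money"])

    if lower.startswith("tel:"):
        return QrAssessment("phone", text[len("tel:"):], ["places a call; premium-rate numbers cost money"])

    if lower.startswith("wifi:"):
        fields = parse_wifi(text)
        result = QrAssessment("wifi", fields.get("S", ""))
        result.risks.append("adds a Wi-Fi network; an untrusted network can observe traffic")
        if fields.get("T", "").lower() in ("", "nopass"):
            result.risks.append("open network with no encryption")
        return result

    if lower.startswith("bitcoin:"):
        address = text[len("bitcoin:"):].split("?", 1)[0]
        return QrAssessment("bitcoin", address, ["payment destination; confirm address out of band"])

    if lower.startswith("geo:"):
        return QrAssessment("location", text[len("geo:"):], ["opens a map location"])

    return QrAssessment("text", text[:40])


# Constructed sample payloads, one per action type the article mentions.
SAMPLE_PAYLOADS = [
    "https://bit.ly/3xmpl",
    "http://example.com/login",
    "mailto:billing@example.com?subject=Invoice",
    "SMSTO:+15551234567:Confirm your account",
    "tel:+15559876543",
    "WIFI:T:nopass;S:FreeCafe;;",
    "bitcoin:bc1qexampleaddress?amount=0.01",
    "Just a plain label",
]


def triage(payloads):
    """Return only the assessments that carry at least one risk note."""
    return [a for a in map(assess_qr_payload, payloads) if a.risks]


if __name__ == "__main__":
    for assessment in triage(SAMPLE_PAYLOADS):
        print(f"{assessment.kind:9} {assessment.target:28} {'; '.join(assessment.risks)}")
```

The point of the design is that the decision to act is separated from the decoding: `assess_qr_payload` never opens, dials or joins anything, it only reports what would happen and why that deserves a second look, which is the check a user (or a mobile defense product) should make before following a code of unknown origin.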

These days, it’s important to cover all your bases when it comes to mobile data protection. Defending against pervasive and growing malicious QR codes should be on the top of that list. 
