There has been a massive increase in the use of QR code restaurant menus over the past two years, and now it seems criminals are using this development to scam innocent people out of their money and data.
According to TitanHQ, an anti-phishing platform based in Galway with offices in Connecticut, almost 84% of smartphone users have scanned a QR code at least once, and over 34% scan a QR code once a week. Cybercriminals love popular technologies and focus on them to scam, hack, and cause malware infection.
This popularity has led to a rise in “QR code phishing”; in the US the FBI has even issued a warning about QR codes, highlighting their use for data phishing. Here is how hackers use QR codes to hack your network and how you can prevent it:
QR codes work by embedding instructions into a black and white dot-based image. They work a little like the barcodes you see on food in a store. A smartphone camera, app, or QR code scanning device scans the QR code. The scan then translates the data into human-readable information.
QR codes usually contain web links or links to media such as videos or links to download an app. This use of links in a QR code provides a cybercriminal with the opportunity to perform phishing.
During the pandemic, many restaurants switched to using QR code menus and have kept them. With a smartphone you can easily access the menu, removing the need for paper menus. The customer simply scans the code using their phone’s camera app, and a link to the online menu becomes available.
With a QR code scam the scammer replaces the legitimate menu QR code with a malicious one. Instead of taking the customer to the restaurant website, the fake QR code takes them to a fake website designed to mimic the real one and get the customer to divulge personal data.
QR-Phishing
Quishing is a mashup of QR codes and email phishing. The fraudsters embed a malicious QR code into a legitimate-looking email. A recent example of a quishing attack was a Microsoft Office 365 phishing campaign that used QR codes to steal log-in credentials. Researchers identified spoof Office 365 emails that offered access to missed voicemail messages by scanning a QR code. Scanning the QR code took the user to a fake Office 365 page, which requested credentials to gain access to the message.
QR codes are also being used in various regular scam types, such as tax scams. The UK tax department, HMRC, recently added support for QR codes on their website. However, fraudsters have now used this new feature as a basis for a new QR code tax phishing scam. The spoof HMRC email asks the recipient to scan the code to pay overdue tax. The QR code takes the taxpayer to a spoof site where their financial information is then stolen.
This is an older version of the more recent Quishing scam, but one that has phishing implications. QR codes are very convenient for users, and some companies have extended this convenience to their log-in systems, where users scan a QR code to log in to an account. In QRL Jacking, an attacker navigates to a legitimate site, initiating a session and generating the QR code to log in. The attacker then captures this QR code (for example, using screen scraping) and places this legitimate QR code on a spoof site.
The attacker then uses spear-phishing to target an individual, tricking them into going to the spoof site. The target then uses the captured QR code to log in; this authenticates the original session, thus logging the attacker into the legitimate account. This scam is more challenging to carry out as it is time-sensitive; however, it will be worth the effort if this is a high-value or sensitive account.
QR codes are often used to make it more convenient to download a legitimate app. However, they can be used to encourage people to download malicious apps, including crypto-wallets. For example, the QR crypto-quishing scam involves capturing persistent consent (prior authorization) to use the wallet; this allows the fraudster to drain the wallets of cryptocurrency.
Drive-by-downloads of malware are one of the most insidious forms of malware infection. A person must land on an infected site, and a flaw in any software they use can open the door to malware infection. QR code phishers take advantage of drive-by-download opportunities by sending phishing emails with QR codes that take the recipient to an infected website: one scan of the code and their mobile device may become infected with a trojan.
QR codes are one method in a long line of phishers’ favorites. No matter what technology comes along, fraudsters will find a way to exploit it if it is popular. Moreover, a single-point solution cannot capture all possible cyber-attack scenarios. Clever attack chains require a creative response, comprising a mix of security awareness training with advanced AI-enabled spam and content filters.
- Know your stuff: Education is key; use behavior-based security awareness training to limit the risks. If you’re worried about your working information, ensure that you include QR code phishing templates in your simulated phishing exercises so employees understand what these phishing emails look like and the different methods used to steal credentials and other data.
- Use a DNS filter: This will break the phishing cycle by stopping users from navigating to a malicious website. The DNS filter creates a ‘blocklist’ of URLs, using a dynamic system based on a “threat corpora”, built from the data of millions of subscribers. These data are used to train Machine Learning algorithms. The result is that even emerging malicious URLs are spotted and added to the blocklist.
- Apply email filters: Email filters such as SpamTitan use multiple mechanisms to catch difficult-to-detect phishing messages. These mechanisms include advanced AI-based algorithms to spot difficult-to-detect spam.
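Because a QR code is just a link the person cannot read before the phone follows it, a scanner or mail gateway can inspect the decoded text before opening it: the blocklist idea from the DNS filter point above, plus the look-alike and non-web payload cases from the menu and Office 365 examples. The following is an added illustration, not code from TitanHQ or SpamTitan; the trusted hosts, blocklist entries and shortener list are constructed sample policy.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed policy: the host a venue's menu QR code is expected to point at
TRUSTED_HOSTS = {"menu.example-restaurant.com"}
# Constructed stand-in for a DNS/URL blocklist feed
BLOCKLIST = {"menu-example-restaurant.com", "office365-voicemail.example"}
# Shorteners hide the real destination from the person scanning
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def inspect_qr_payload(payload: str):
    """Classify text decoded from a QR code; returns (verdict, reasons).

    verdict is "allow", "warn" or "block". Only an https URL to a trusted
    host with no oddities is allowed outright.
    """
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, mailto:, WIFI:, market:, intent: ... act without a browser
        return "warn", [f"non-web payload type '{scheme or 'text'}'"]
    host = (parts.hostname or "").lower()
    if host in BLOCKLIST:
        return "block", ["host is on the blocklist"]
    if scheme == "http":
        reasons.append("not HTTPS")
    if parts.username is not None:
        # https://menu.example-restaurant.com@evil.example goes to evil.example
        reasons.append("credentials in URL (real host is after '@')")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    if host in SHORTENERS:
        reasons.append("link shortener hides destination")
    if host not in TRUSTED_HOSTS:
        # a trusted name buried inside a longer host is a classic look-alike
        for trusted in TRUSTED_HOSTS:
            if trusted in host:
                reasons.append(f"looks like {trusted} but is {host}")
                break
        else:
            reasons.append("host not in allowlist")
        return "block", reasons
    return ("warn", reasons) if reasons else ("allow", reasons)
```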