Seven tips for QR code safety
By Len Noe, Technical Evangelist and white hat hacker at CyberArk
In the contactless era, these little black and white grids emerged from relative obscurity to replace everything from restaurant menus to store coupons to subway station ads. They’ve become the de facto business card, digital event leave-behind and virtual payment option. Governments around the world have even embraced them to facilitate contact tracing and vaccination status verification.
QR codes are accessible, easy to produce and, seemingly, here to stay. They’re also a perfect way for cybercriminals to snag your personal information. Here’s what you need to know before scanning that code with your smartphone.
Short for quick response codes, QR codes are a type of two-dimensional barcode that contain data, often for a locator, identifier or tracker. They can be easily read by a smartphone or other camera-equipped device and converted into useful information for the end-user, such as a URL for a website or an application.
QR codes were first invented in 1994 by an automotive company to track car components, but their ease of use and far greater storage capacity (up to several thousand characters, 4,296 alphanumeric characters at the largest size, against a few dozen for a typical linear barcode) soon made them popular in other industries. But it wasn’t until after COVID-19 struck that QR codes really took hold. Then all of a sudden, they were everywhere.
More than two years of pandemic-fuelled cybercrime has made many consumers more cautious about their digital activity. Emails, calls and even texts are scrutinised closely, forcing many attackers to step up their phishing games. And yet, QR codes haven’t really registered as potentially dangerous, and most people still scan them without a second thought.
Case in point: In January 2022, the FBI issued a warning that cyber attackers were tampering with legitimate QR codes to redirect victims to malicious sites that steal login and financial information. Within weeks of the warning, during the biggest football game of the year, more than 20 million people scanned a single mysterious QR code in a commercial for an unnamed company in the span of one minute*.
I’m here to tell you that’s bad news, and to show why through three attack simulations:
QR code attack vector 1: Job seekers and form fillers everywhere, beware
To start, I created a fake paper ad for an imaginary job fair, just like the ones seen on job boards in your local coffee shop. It contains the event details and a legitimate-looking QR code that takes the user to a job finder site where they can get a head start on submitting their job application. Filling out the required personal information is quick and easy… except, it can all go straight to an attacker’s webmail.
Think of all the times you’ve filled out a form or survey online — whether it originated from a QR code, social media ad or elsewhere. It’s very hard to know where your data is headed to on the back end. So proceed with great caution.
QR code attack vector 2: Vax pass or phone takeover?
For an attacker, “ultimate access” is the ability to interact directly with your device. One way to get it is a reverse shell, or “connect-back shell”: malicious code running on the victim’s device opens an outbound connection to the attacker’s machine and hands over a shell session**. Because the connection is outbound, it usually passes through firewalls that would block an inbound one, and no exploitable vulnerability is needed if the victim can be persuaded to install the payload themselves. In this attack example, I used a Metasploit Meterpreter payload to spoof the COVID certificate application used abroad.
By scanning a QR code, the victim goes to what appears to be the Google Play store and installs the app. Except it’s not Google Play…
Once the victim installs and opens the app, it connects back to the attacker. With this type of initial access, the attacker can set up persistence, so the foothold survives a reboot, and then come and go as they please to do anything from dumping call and SMS logs to taking pictures with the camera***. In other words, anything you can do on your phone, they could do too.
Creepy? Absolutely. Easy for an attacker to execute? Also yes.
QR code attack vector 3: The QR code phishing attack you never saw coming
When you sit down at a restaurant and see a QR code on the table, chances are you’ll scan it without a second thought, expecting it to take you to the menu. But what if that same QR code was embedded in an email coming from someone you don’t know? Would you be as quick to scan it — or would it give you pause?
Attackers are betting you won’t be as careful. And too often, they’re right. Here’s a side-by-side comparison of two QR codes.
[Image: two invitations to scan a QR code to view a menu. Source: CyberArk.]
Can you tell the difference? One will take you to the restaurant’s real menu, the other will take you somewhere else entirely. As I’ve done here, an attacker can copy a legitimate page (a login page, say) onto a server they control and generate a QR code that looks identical to the real one but points at the clone. The phishing site looks almost identical to the original; only the URL is different.
When the victim scans the attacker’s code, their browser lands on a web server running BeEF (the Browser Exploitation Framework), which “hooks” the browser: a script keeps the page polling the attacker’s server for commands for as long as the tab stays open. That gives the attacker a menu of modules to run against the browser session and several ways to pull data out of it, such as the device’s current GPS location (the browser still shows its location permission prompt, which a distracted user tends to accept), the device and browser type, and whatever else the victim can be prompted into entering.
With some additional social engineering, the attacker could take things even further. Using on-device spear-phishing, they could pop up a fake version of the victim’s password manager and ask them to unlock it. Once the victim enters their username and master password, the attacker has the user’s entire password safe. Game over.
Last fall, the private key used to sign the European Union’s Green Pass vaccine passports was reportedly leaked or forged. Within days, fake QR code-laden passes signed with the stolen key were up for sale on the dark web. In China, scammers have been caught placing fake parking tickets — complete with QR codes for easy mobile fine payment — on parked cars. And in Texas, criminals hit the streets, pasting stickers of malicious QR codes on to city parking meters and tricking residents into entering credit card details into a fake phishing site.
QR code attacks are happening everywhere with alarming frequency. Here are seven ways to protect yourself:
Don’t scan it!
If anything feels off, don’t scan the QR code. Go to the organisation’s website directly instead. Many legitimate QR codes print the destination URL beside the code so you can type it in yourself; if a code turns up unexplained, with no address and no indication of who placed it, be wary.
Slow down
Before you scan any QR code, ask yourself: Do I know who put the QR code there? Do I trust that it hasn’t been tampered with? Does it even make sense to use a QR code in this situation?
Inspect QR code URLs closely
After scanning the QR code, check out the URL it directs you to before proceeding. Does it match the organisation associated with the QR code? Does it seem suspicious, or include strange misspellings or typos? For instance, in the Texas parking meter scams, part of the URL used was “passportlab.xyz” — clearly not an official city government website. You can also do a quick web search of the URL to confirm that the QR code is legitimate.
Look for signs of physical tampering
This is especially important in places where QR codes are commonly used, such as restaurants. If you spot a QR code sticker adhered to a page over another code, be very skeptical.
Never download apps from QR codes
Bad actors can clone and spoof websites easily. Always go to the official app market for your device’s operating system (OS) and download your apps from there.
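The script below is an added example for this article, not CyberArk’s code, and it applies the “inspect the URL” and “never download apps from QR codes” tips mechanically. Feed it the decoded text that your scanner app shows before you tap “open” (every scanner displays it), plus the domain you expected the code to belong to, and it returns a verdict with the reasons. It also catches payloads that are not web links at all (Wi-Fi, dial or app-install actions, which a phone acts on rather than displays), decoy text before an “@”, bare IP hosts, punycode look-alikes, shorteners that hide the destination, and hosts that mention a brand without being registered to it. The brand allowlist, shortener and TLD lists and the sample payloads are constructed for illustration; only passportlab.xyz is taken from the article.

```python
"""Offline triage of a decoded QR payload before you tap "open".
Added example for this article, not CyberArk code; stdlib only. The lists
below and the sample payloads are constructed for illustration."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist: a brand word should only ever appear on these domains.
BRAND_DOMAINS = {
    "google": {"google.com", "android.com"},
    "paypal": {"paypal.com"},
    "apple": {"apple.com"},
    "microsoft": {"microsoft.com", "live.com"},
}
# Shorteners hide the real destination until you follow the redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}
# Cheap TLDs rarely used by businesses or governments (a weak signal only).
SUSPICIOUS_TLDS = {"xyz", "top", "club", "icu", "buzz", "tk", "ml", "ga", "cf", "gq"}
# Payload types that make the phone *do* something rather than open a page.
ACTION_SCHEMES = {"wifi", "tel", "sms", "smsto", "mailto", "intent", "market", "itms-services"}
APP_PACKAGE_RE = re.compile(r"\.(apk|xapk|ipa)$", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for triage; a real tool would
    use the public-suffix list so that example.co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host: str) -> bool:
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False


def _verdict(findings):
    severities = {sev for sev, _ in findings}
    verdict = "block" if "high" in severities else "caution" if severities else "ok"
    return {"verdict": verdict, "findings": [msg for _, msg in findings]}


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> dict:
    """Return {'verdict': 'ok'|'caution'|'block', 'findings': [reasons]}.
    expected_domain is the organisation the code claims to be from; a host
    outside it is a hard stop."""
    findings = []  # (severity, message) pairs
    raw = payload.strip()
    scheme = raw.split(":", 1)[0].lower() if ":" in raw else ""
    if scheme in ACTION_SCHEMES:
        return _verdict([("high", f"'{scheme}:' payload triggers a device action "
                                  "(join Wi-Fi, dial, install) instead of opening a page")])
    if scheme not in ("http", "https"):
        return _verdict([("caution", "payload is not a web URL; treat it as untrusted text")])
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower()
    if not host:
        return _verdict([("high", "URL has no host")])
    if parts.scheme == "http":
        findings.append(("caution", "plain http: anything you type can be read or altered in transit"))
    if parts.username is not None:
        findings.append(("high", "text before '@' is a decoy; the real host is what follows it"))
    if _is_ip(host):
        findings.append(("high", f"host is a bare IP address ({host}), not a named site"))
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append(("high", "punycode host; may be a visual look-alike of a familiar name"))

    reg = registrable_domain(host)
    tld = reg.rsplit(".", 1)[-1]
    if reg in SHORTENERS:
        findings.append(("caution", f"{reg} is a URL shortener; the destination is hidden until you follow it"))
    if tld in SUSPICIOUS_TLDS:
        findings.append(("caution", f".{tld} is rarely used by businesses or governments"))
    for brand, domains in BRAND_DOMAINS.items():
        # Match at a label boundary so that 'pineapple' does not trip 'apple'.
        if re.search(rf"(?<![a-z0-9]){brand}", host) and reg not in domains:
            findings.append(("high", f"host mentions '{brand}' but is registered as {reg}"))
    if APP_PACKAGE_RE.search(parts.path):
        findings.append(("high", "direct app package download; install apps only from the official store"))
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            findings.append(("high", f"host {host} is outside {exp}, the organisation this code claims to be from"))
    return _verdict(findings)


# Constructed sample payloads; only passportlab.xyz is taken from the article.
SAMPLES = [
    ("menu", "https://menu.example-bistro.com/table/12", "example-bistro.com"),
    ("parking meter", "http://passportlab.xyz/pay?meter=4471", "example-city.gov"),
    ("fake Play store", "https://play.google.com.app-install.xyz/covid-cert.apk", None),
    ("free wifi", "WIFI:T:WPA;S:FreeCafe;P:hunter2;;", None),
]

if __name__ == "__main__":
    for name, payload, expected in SAMPLES:
        result = triage_qr_payload(payload, expected)
        print(f"[{result['verdict']:>7}] {name}: {payload}")
        for msg in result["findings"]:
            print("          -", msg)
```

Run it as-is to see the four constructed samples triaged. The parking-meter payload only rates “caution” on its own (plain http and a .xyz domain); it becomes a hard “block” once you tell the script which organisation the code was supposed to belong to, which is the point of the “does it match the organisation?” question above. The brand check is deliberately conservative: a host that merely contains “google” but is registered elsewhere is treated as a look-alike, so the allowlist must name every domain the brand legitimately uses.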
Don’t make electronic payments via QR codes
Use the native app or direct a browser to the official domain and log in there.
Turn on multifactor authentication (MFA)
This will help protect your sensitive accounts, such as banking, email and social media, because a cybercriminal who phishes your login and password still cannot get in with those alone. Where a service offers it, prefer a phishing-resistant factor such as a hardware security key or passkey: one-time codes typed into a phishing page can be relayed to the real site in real time.
When it comes to QR codes, the best piece of advice is to always use common sense. If it was an email, would you click on it? QR codes are becoming one of attackers’ favorite phishing methods — and the same rules apply. Proceed with caution and apply the same security scrutiny as you would with anything in the digital realm.
Scan safe out there — or better yet, don’t scan at all!
*Editor's note: During an ad break in the 2022 Super Bowl, Coinbase, a cryptocurrency exchange, ran a minute-long ad that was essentially just a QR code bouncing around the screen, screen-saver style, with no other identifying information. The ad went viral, with many viewers scanning the code out of curiosity (or boredom).
**Editor's note: A shell session is a command-line session that lets whoever holds it run commands directly on the device's operating system.
***Editor's note: Persistence means the attacker's foothold survives: the malicious app or service starts again after a reboot and reconnects to the attacker without the victim scanning anything a second time. Dumping means copying data off the device in bulk.