In January 2022, the FBI issued a public service announcement warning people of a new trend: cybercriminals are allegedly taking advantage of Quick Response (QR) codes to redirect victims to malicious sites that can steal their credentials and financial information. Additionally, the FBI warned that QR codes may contain malware.
It sounds quite troubling at first glance, particularly with so many businesses now using QR codes to provide contactless services during the pandemic. Even Jen Easterly, the Director of the US Cybersecurity and Critical Infrastructure Agency, has a QR code on her business card – or so she perhaps jokingly claimed in a tweet.
My new business card…🤔 pic.twitter.com/nXM8IH5ZWA
— Jen Easterly 🛡 Shields Up! (@CISAJen) February 14, 2022
But how concerned should you really be about QR codes as an attack vector?
In this blog post, we take a look at how fake QR code attacks work and whether it’s ever safe to scan them.
How QR code attacks work
Before we get into threat mechanisms, let’s get one thing straight: QR codes themselves are not malicious. QR codes are essentially just square-shaped barcodes made up of a number of squares and dots that represent binary code. When you scan a QR code with your smartphone, the phone decodes the pattern back into the data’s original form. QR codes are commonly used to direct users to landing pages, download apps, and send and receive payment information. More recently, QR codes have played a major role in tracing COVID-19 exposure and helping contain the spread of the virus.
Humans obviously can’t read QR codes with the naked eye, which makes it relatively easy for attackers to replace legitimate QR codes with their own malicious ones which link to their own sites. If you’re scanning a QR code to call up a restaurant’s online menu, being directed to a fake website wouldn’t be too much of a problem. If, however, you’re using a QR code to launch a site into which you’ll enter financial information, it’d potentially be a very big problem.
In January 2022, this is exactly what happened in Austin, Texas, when police discovered fraudulent QR code stickers plastered to more than two dozen public parking meters. People attempting to pay for parking using these QR codes were directed to a fraudulent website where they were tricked into submitting parking payments to a fraudulent vendor.
How worried should you be?
Despite the FBI’s warning and the significant amount of press attention that followed, the reality is that most people probably don’t need to be overly concerned about QR attacks.
There is a lot of hacking folklore – which I call “hacklore” – floating around these days, and some of it comes from otherwise trustworthy organizations. We’ve seen warnings recently that scanning QR codes can lead to malware on your phone and bank account compromises. These alarms are sadly not backed up by the facts. While nothing is 100% secure, the phone manufacturers have done a good job making sure QR codes don’t create a security problem for you. — Bob Lord, former CSO at the Democratic National Committee and CISO at Yahoo
While it’s theoretically possible to embed malware into a QR code in the same way that it’s possible to embed a game of Snake, it’s never actually been done. At least, not as far as either we or Bob Lord know. The reality is that phones are quite secure and it would be extremely hard to pull off such an attack. Bottom line: scanning a QR code isn’t going to result in malware being silently installed onto your phone, meaning this is not something you need to worry about at this point in time. Phishing-based attacks, however, are a real risk and, as noted above, there have actually been some real-world cases. Such incidents are, however, very rare. You’re far more likely to encounter a phishy email than a phishy QR code.
General protection strategies
While QR codes may be low-risk, that doesn’t mean they’re no-risk and it makes sense to keep this in mind. If you’re using a QR code in the privacy of your own home to connect your TV to your Netflix account, you really don’t need to worry at all. Scan away! If, however, you’re using a QR code to launch a site into which you’ll be entering your personal or financial information, then it makes sense to be a little bit cautious – especially if the QR code is in a public location and could have been tampered with. In such cases, it may make sense to manually launch the URL for the site you’re wanting to visit instead.
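For readers who build scanning or payment apps, the same caution can be applied automatically before a scanned link is opened. The sketch below is an added example, not code from the original post: it assumes the QR image has already been decoded to a string, and the host names, sample payloads and finding labels are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def assess_qr_payload(payload, expected_hosts):
    """Return findings for a decoded QR payload.

    An empty list means: HTTPS URL whose host is an expected host
    (or a subdomain of one). Finding labels are hypothetical names.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable"]
    host = (parts.hostname or "").rstrip(".").lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    # "https://trusted.example@other.example/" really goes to other.example
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo-in-url")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal
    allowed = {h.lower() for h in expected_hosts}
    # Match on label boundaries, so a trusted name used as a prefix
    # of someone else's domain does not pass.
    if not any(host == h or host.endswith("." + h) for h in allowed):
        findings.append("unexpected-host")
    return findings


# Constructed sample payloads (reserved .example names, documentation IP).
EXPECTED = ["pay.parking.example"]
SAMPLES = [
    "https://pay.parking.example/meter/12",
    "http://pay.parking.example/meter/12",
    "https://pay.parking.example.payments-portal.example/meter/12",
    "https://pay.parking.example@203.0.113.7/pay",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", assess_qr_payload(s, EXPECTED) or "ok")
```

Any non-empty result is a reason to show the user the full destination and let them type the known address instead, which is the manual fallback described above.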
The volume of QR code attacks is so low that the threat to the average user is minimal. You certainly don’t need to avoid scanning them, but you should keep in mind that there is a small risk and exercise caution when appropriate.