QR codes: an invisible technological threat

Modern technology often makes our lives easier, but it also creates new opportunities for cyber criminals to invade our privacy and steal our identities. With the growing popularity of Quick-Response (QR) codes, cybercriminals are now using them to carry out malicious activities.

QR codes were invented in the 1990s but only gained mass popularity during the COVID-19 pandemic, when consumers came to prefer contactless transactions and the use of the technology expanded rapidly. QR codes are now widely used across industries, from track-and-trace systems to ordering from restaurant menus or paying for parking. As the technology has become more widespread, however, cybercriminals are increasingly exploiting our growing familiarity with it.

QR codes can be easily scanned with smartphones, allowing consumers to access promotions, digital tickets and other content simply by pointing their phone's camera at the code. However, not all QR codes are legitimate.

Why are QR code attacks so attractive to cybercriminals?
QR codes are an irresistible attack vector for several reasons. The indirect nature of a QR code helps hide dangerous content: nothing about a grid of black and white squares suggests that it could pose a threat. And while many people know to be wary of phishing links and suspicious attachments in emails that pretend to come from their bank, most do not think twice before pointing their smartphone camera at a QR code. This, combined with the convenience of the technology, makes consumers more likely to trust a QR code even in situations where they would treat an ordinary link with suspicion, which increases the attacker's chances of success.

The most common approaches used by attackers to exploit QR codes are as follows:
  • Embedding QR codes with malicious URLs
  • Replacing legitimate QR codes with malicious ones by simply pasting their own code sticker on top of the existing one
Figure 1: Example of a fraudulent email.

Types of QR code attacks

Threat actors use various lures and strategies to trick users into scanning malicious QR codes, similar to phishing attacks. Common types of QR code attacks include:

Clickjacking: one of the easiest scams to set up is clickjacking. In some cases, individuals are paid for every person they get to click on a specific link. A common approach involves replacing QR codes at well-known landmarks, where visitors expect to get basic information about the landmark after scanning. Instead, the altered QR code redirects the visitor to a dubious website, and the person behind the scam earns a fee for each visit.

Phishing: QR phishing, also known as quishing, involves tricking victims into scanning a malicious QR code that redirects them to a fake website or downloads malware. QR codes often appear trustworthy when placed on brochures, advertisements or products by dubious entities that mimic trustworthy companies. When scanned by a smartphone camera, the malware is triggered without the user realising that they have been redirected to a malicious site.

Malware attacks: cybercriminals can use QR codes to lure unsuspecting people to sites that automatically download malware to their mobile devices. This malware can cause significant damage, including opening a backdoor for other malware infections or stealing the target's information and sending it to cybercriminals. In some cases, these malware infections can include ransomware attacks that hold the victim's information hostage until a ransom is paid.

QRLJacking: QRLJacking (Quick Response code Login Jacking) is a type of attack that targets QR code-based login systems. In this attack, the attacker replaces the service provider's login QR code with one under their control, which lets them gain unauthorized access to the user's account. The user scans the attacker's QR code instead of the service provider's, and the attacker takes over the user's session.

The QRLJacking attack works as follows:
  • The attacker initiates a client-side QR session and replicates the login QR code to a fraudulent website. "A properly designed phishing site with an active and frequently updated QR code is ready for distribution to a given victim."
  • The attacker sends the phishing page to the victim
  • The victim uses a targeted mobile app to scan the QR code
  • The attacker takes control of the victim's account
  • The service forwards all the victim's data to the attacker during the attacker's session


QR code scams

Paying parking fees: Fraudulent QR codes are often placed on the back of parking meters, leading victims to believe they can pay for parking using a QR code. After making payment using the QR code, some victims return to their vehicle to find that they have been towed or issued a parking ticket. In addition, their payment details are often collected for subsequent misuse.

Banking phishing scams: bank branches often post notices on their front doors or counters with special promotions encouraging people to sign up for new accounts or other services. Cybercriminals can easily replace a legitimate QR code with a code that leads to their malicious website.

Cryptocurrency wallets: the rise of cryptocurrencies has lured many people into transactions that are a prime target for fraudsters. Trading cryptocurrencies such as Bitcoin takes place online, and QR codes are the most convenient way for both legitimate and fraudulent traders to direct investors to their digital wallets.

Romance scams: some cybercriminals spend months building an online romantic relationship with their victim, eventually offering financial advice or asking for financial help through a bitcoin exchange. The victim then uses the QR code provided to send the requested funds directly to the scammer's digital wallet.

Utility and government impostor scams: cybercriminals often pose as representatives of utility companies, the Social Security Administration, or the Internal Revenue Service (IRS) in connection with a supposedly overdue debt. The scammer claims that failure to pay can result in arrest, additional fines, or disconnection of electricity, gas, or water. The cybercriminal may tell the victim that the usual payment portal for these services is currently unavailable, but that payment can be made through another portal by following a link or scanning a QR code.

Recommendations and mitigation
The most important recommendation is to avoid using the "QR code login" unless absolutely necessary. There are several solutions to avoid this problem, and the following can be used together or separately:
 
  • Session Acknowledgement: the most effective recommendation is to implement an acknowledgement message or notification that displays specific information about the client/server session
  • IP restriction: restricting any authentication process across different wide area networks (WANs) reduces the possibility of an attack
  • Location-based restriction: restricting authentication processes based on location reduces the possibility of an attack
  • Authentication by sound: A possible solution is to incorporate audio authentication into the process. There is technology that can create unique data, convert it into audio format and recognize it in its original form, making this process easy to implement.

The goal of the sound-based step is to ensure that the scanned QR code was generated in the same physical location as the mobile device performing the scan, which removes the possibility of a remote attacker tricking the user into scanning a malicious QR code.

Attack scenario (with mitigation):
  • An attacker visits a website and starts a session
  • The website generates a QR code that contains the session key
  • The attacker creates a fraudulent web page using the received QR code and sends it to the user
  • The user scans the attacker's QR code on the phishing site
  • The mobile app generates an authentication sound and sends it to a fraudulent website
  • The fraudulent website is unable to process and collect authentication audio because it requires additional browser permissions
  • Even if the attacker tries to generate the authentication sound from the user ID, they still lack the secret key
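The following is an added illustration, not code from the original article or from any real product, of how a QR-login backend can apply three of the mitigations described here: the session acknowledgement shown to the user before approval, the IP restriction that refuses approval when the browser and the phone are on different networks, and the 3-minute session time limit mentioned in the conclusion. The class, its method names and the network ranges are assumptions made for the example; the sound-based channel is not modelled.

```python
import secrets
import time
from ipaddress import ip_address, ip_network

SESSION_TTL = 180  # seconds: the 3-minute login window recommended in this article


class QrLoginServer:
    """Hypothetical QR-login backend (an assumed design, not a real product)."""

    def __init__(self, allowed_networks, clock=time.time):
        self.allowed = [ip_network(n) for n in allowed_networks]
        self.clock = clock          # injectable so expiry can be demonstrated
        self.sessions = {}          # token -> (browser_ip, created_at)

    def start_session(self, browser_ip):
        # Whoever opens the login page gets a one-time token, encoded into the
        # QR code, bound to the address that requested it.
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (browser_ip, self.clock())
        return token

    def acknowledgement(self, token):
        # Session acknowledgement: details the mobile app shows before the user
        # approves, so a session opened from an unfamiliar address stands out.
        browser_ip, created = self.sessions[token]
        return {"browser_ip": browser_ip, "age_s": int(self.clock() - created)}

    def _same_network(self, a, b):
        # IP restriction: both endpoints must sit in one permitted network, so a
        # session started by a remote attacker cannot be approved by the victim.
        return any(ip_address(a) in n and ip_address(b) in n for n in self.allowed)

    def approve(self, token, phone_ip, user_confirmed):
        """Called by the mobile app after the user scanned and reviewed the code."""
        if token not in self.sessions:
            return "unknown session"
        browser_ip, created = self.sessions[token]
        if self.clock() - created > SESSION_TTL:
            del self.sessions[token]
            return "expired"
        if not self._same_network(browser_ip, phone_ip):
            return "rejected: browser and phone are on different networks"
        if not user_confirmed:
            return "declined by user"
        del self.sessions[token]    # a token can only be used once
        return "approved"
```

In the QRLJacking scenario above the session is started from the attacker's browser, so the token is bound to the attacker's address and the victim's phone, on a different network, cannot approve it.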
How to protect yourself from attacks using QR codes
Individuals can protect themselves from QR code attacks by following these guidelines:
  • Avoid downloading apps from QR codes. Use your phone's app store for safer downloads.
  • When scanning the QR code, make sure the URL is correct and looks authentic. The malicious domain name may closely resemble the desired URL, but may contain typos or misplaced letters.
  • Avoid scanning QR codes in emails, especially if they appear to be from organisations or people you know.
  • When scanning a physical QR code on a sign, window or poster, make sure it is not overlaid.
  • If you receive a QR code payment notification, contact the company directly or visit its website to verify that the request is genuine.
  • If you receive a QR code from someone you know, contact them at a known phone number or address to verify that the code is genuine.
  • Install a mobile security app to protect against viruses and malware to keep your smartphone safe, or install a fraud blocker or web filter on your device to protect against detected fraud.
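
As an added example (not part of the original article), the checks below show what a scanner app can do with the decoded text of a QR code before opening it, following the guidelines above: refuse to treat non-web payloads as links, warn about unencrypted links, flag domains that differ from a trusted one by one or two characters or hide a trusted name inside a longer hostname, and flag direct app downloads. The trusted-domain list and the sample payloads in the test are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed set of domains the user really intends to reach (an assumption
# for this example; a scanner app would load it from its own settings).
TRUSTED_DOMAINS = {"parkingpay.example", "mybank.example"}


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Return the warnings a scanner should show before opening a decoded QR payload."""
    if not payload.lower().startswith(("http://", "https://")):
        return ["not a web link: " + payload[:40]]   # wifi:, tel:, plain text ...
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("unencrypted http link")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised domain (check for look-alike letters)")
    if parts.path.lower().endswith((".apk", ".ipa")):
        warnings.append("link downloads an app outside the app store")
    if host not in trusted:
        for t in sorted(trusted):
            if 0 < levenshtein(host, t) <= 2:
                warnings.append(f"domain {host} looks like {t}")
            elif t in host and not host.endswith("." + t):
                warnings.append(f"trusted name {t} used as a subdomain of {host}")
    return warnings
```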

Conclusion
To avoid falling victim to threats such as QRLJacking, organizations should consider implementing a confirmation message or notification to the user that displays specific information about the client-server initiated session, as well as setting a time limit (typically within 3 minutes) for the completion of each login session. Limiting authentication processes to specific networks and/or locations will further reduce the attack surface. Organizations should also consider deploying mobile threat protection on devices that have access to enterprise applications and data. This will help identify and mitigate mobile attacks, including those involving malicious QR codes.


RESOURCES USED

https://www.csa.gov.sg/Tips-Resource/publications/cybersense/2020/quick-response-code-related-cyber-threats
https://owasp.org/www-community/attacks/Qrljacking
https://www.infosecurity-magazine.com/opinions/qr-codes-vulnerability-cybercrimes
https://www.alvareztg.com/fbi-warns-of-rising-qr-codes-attacks

Author: Marek Kovalčík