QR codes (technically known as Quick Response codes) are among the latest tools to add convenience to all sorts of transactions. (They are not new, but their widespread use is.) Just like bar codes, QR codes store information in a machine-readable graphic. In bar codes, the information is encoded in the width of the lines and the spacing between them.
Sample Bar Code (red bars added to indicate sample)
QR codes work similarly, but the information is organized by the arrangement of the pixels (the little black and white squares). An optical scanner—your cellphone’s camera, for example—reads the arrangement of squares and recovers the underlying data. Each individual square is called a data module. The larger squares located in the corners tell the optical reader where the code is positioned and in which direction it must be read to recover the data accurately. QR codes are limited to a maximum of 177 rows and 177 columns, and a minimum of 21 by 21. This allows storage of up to 7,089 numeric or 2,953 alphanumeric characters, so a QR code holds far more information than a traditional bar code. In short, the code works by directing the scanner along a certain path. At specific points along that path, it conveys information such as how many data characters are stored, in what order they should be read, and where the scan should stop. Because the data can include any character on a keyboard, a QR code can point the scanner to a URL or to a static document like a PDF. Some QR codes are equipped with error correction: the information is repeated in several places within the graphic, so that if the graphic is damaged the scanning device can still read it.
QR code structure
QR codes are a convenient tool for conveying information quickly and easily. In a world where nearly everyone carries an optical scanner (i.e., a cellphone), the rapid rise in their use makes sense. Unfortunately, the ubiquity of QR codes in business also comes with an acute vulnerability. Because the code is a machine-readable graphic, the user has limited means to confirm the nature of the transaction that will occur upon scanning. In other words, without scanning the code, the user really has no idea what data rests within it. Scanning the code, however, is itself the vulnerability.
Rising QR code use
Using QR codes to trick people into disclosing sensitive information is known as QR code phishing, or “quishing.” Threat actors produce what appear to be genuine QR codes, such as those that claim to offer a discount or special offer, but in reality lead the victim to a phony website under the control of the attacker.
A 2021 report titled “Threat Predictions Report” stated:
The use of QR codes has notably accelerated during the pandemic, raising the spectre of a new generation of social engineering techniques that seek to exploit consumers and gain access to their personal data…
A September 2020 survey by MobileIron found that 86% of respondents scanned a QR code over the course of the previous year and over half (54%) reported an increase in the use of such codes since the pandemic began. Respondents felt most secure using QR codes at restaurants or bars (46%) and retailers (38%). Two-thirds (67%) believe that the technology makes life easier in a touchless world and over half (58%) wish to see it used more broadly in the future.
In just the area of discount coupons, an estimated 1.7 billion coupons using QR codes were scanned globally in 2017, and that number is expected to increase by a factor of three to 5.3 billion by 2022. In just four years, from 2014 to 2018, the use of QR codes on consumer product packaging in Korea and Japan increased by 83%. The use of QR codes in such “smart” packaging is increasing at an annual rate of 8% globally.
Quishing: Phishing using QR Codes
Back in 2013, David Geer wrote on CSO Online that the moment a user connects to a malicious weblink via QR Code, the damage is already done. Making a connection to a malicious URL allows the exchange of information, including executable files like a Trojan. As the name suggests, a Trojan is a piece of malware that masquerades as something safe or legitimate, but carries the dangerous program concealed within. Once the Trojan arrives on the user device, it connects to the hacker’s server thereby creating an open door to stealing information or inserting more malware on the device. A Trojan can also request elevated privileges on the device which, if granted, would allow it to perform other functions.
What is troublesome is that QR Codes can trigger many more activities than most people know. For example, while 61% of people are aware that a QR Code can open a weblink (URL), fewer than 31% know that a QR Code can also make a payment, connect to a social media account (including “friending” someone), or initiate a phone call. Scanning a fraudster’s QR Code can trigger other activities on the device, which may exfiltrate personal information to the attacker or cause some other kind of chaos. Because attackers develop authentic-looking websites and logos spoofing well-known firms, consumers may never know they have been quished, or at least not until much later when they discover the resulting damage.
Here’s how it works
The attacker’s plan entails creating a QR code that takes people to a spoofed website that has been painstakingly created to look like a reliable one, such as a well-known e-commerce site or one belonging to a respectable institution like a bank. The final goal is to trick people into interacting with this supposedly legitimate website, which will enable data theft.
During the baiting phase, attackers spread the malicious QR code using a variety of methods, such as by email, through false ads, or even printed on a physical poster. They frequently use social engineering techniques to increase the attractiveness of the QR code by providing enticing incentives like discounts, freebies, or access to special content. Users who employ cell phones to scan the QR code are then taken to the phishing website. The attacker misleads victims through the phony site's convincing appearance, making them less likely to recognize it for the trap that it is. Users are then asked for personal information, such as login credentials, credit card numbers, or other sensitive information.
Some attackers adopt a bit-squatting strategy to fool a user into clicking on a phony link even if their scanning device shows the link before connecting. For example, a malicious website with the name facedook would pop up upon scanning the QR code (see the image below). If the user proceeds, he or she would then land on a very real-looking Facebook login page asking for credentials. It is also possible that the URL will take the user to a legitimate website, but persuade him or her to take unfavorable actions, such as giving an attacker access to their account. While this kind of attack requires a flaw or backdoor already built into the destination website, there are many such flaws and backdoors on the internet.
Another attack method directs users to a button that obfuscates the URL to which it connects. Clicking on the button could create a connection to an attacker’s server, thereby sending information from the victim’s device to the attacker. Clever attackers will design such a button to look similar to something a regular user would readily click on, perhaps like a Facebook “Like” button.
Yet another tactic involves altering the existing QR code's mask, character encoding mode, character count indicator, mixing modes, data part, and/or error correction section, turning the legitimate code into a malicious one. This is done by adding black modules over the white ones, replacing the entire QR code, or defacing the existing code as shown in the figure below.
Original code + variations = malicious code
Attackers sometimes adopt even less sophisticated measures to entice users to scan their malicious QR codes. In this case, they simply print the codes on tiny stickers and place them on top of legitimate ones on advertisements, flyers, or menus. The words "Scan Here" are displayed on the side that is visible to users, and on the back of the sticker, there is a QR code with the address of the fraudsters' Bitcoin wallet (or some other malicious destination).
Translucent QR code sticker attack
A student at Softwarica College conducted an experiment to show how attackers employ deceptive QR codes in their quishing schemes. Here is what he wrote (lightly edited):
I downloaded the "evilQR" tool from its GitHub repository, enabled it as an unpacked extension in my web browser, and set up a web server with the domain "127" to serve as the host for a manipulated QR code. Using the tool's interface, I crafted a deceptive message that accompanied the QR code, designed to trick potential victims into thinking they were adding a contact. I selected "web.whatsapp.com" as my target, initiated the login process, and replaced the original QR code displayed on the target website with the deceptive one hosted on my server. When victims visited the site, they encountered the manipulated QR code along with the deceptive message, convincing them to scan it for what they believed was a legitimate action.
Note that this was done in a controlled environment where no actual personal data was exposed or at risk. The point was to show how easy it is to fool users into clicking on a malicious QR Code for what they presume is a legitimate purpose—here, adding a contact to their messaging platform. Had this student been an attacker, once the victim connected to his webserver the victim’s data on their device could have been exposed or stolen.
Not all QR codes are harmful - But use caution
The use of QR codes is not inherently dangerous. Their purpose is simply to store data. However, just as opening links in emails can be risky, accessing URLs stored in QR codes can be problematic in the ways discussed above. It is crucial to make sure the URL is secure and originates from a reliable source before clicking on a link in a QR code. The presence of a recognizable logo in a QR code does not automatically mean you will visit the legitimate URL associated with it.
When possible, feel any code you come across before scanning it to make sure it isn't just a sticker covering the true code. Also look for obvious manipulations or defacements. Inform the owner of the company where you found it if you discover a suspicious QR code.
It is also possible that the software you use to scan QR codes has a flaw that might allow malicious codes to hijack your system. Such an attack would succeed simply by scanning the code, without clicking the link it contains. Use the apps that your device's manufacturer provides and refrain from downloading your own QR code apps. If your device does not have QR code-reading software, make sure to use only reputable third-party QR code readers (check with tech magazines and other popular review sites before downloading, because there are plenty of malicious apps floating around in app stores). Reputable apps improve user safety by displaying the content of the code before visiting the linked website, and are available for both iPhone and Android.

Sometimes scanning a QR code redirects you to a form that asks for additional information (such as name and phone number). While this might be legitimate depending upon the purported purpose of the code, it carries some risk because people do not always know with whom they are sharing their information. Ensure that it makes sense to provide such information under the circumstances in which you elected to scan the code in the first place.
Examine the QR code's layout and appearance. Intentional malice may be inferred from QR codes that are poorly made or manipulated. Use QR scanners with extensive features, so that after scanning, the program notifies you of all the actions "sewn" into the code and you have the option of cancelling some operations or declining to click on dubious links. Never enter personal information, including login credentials, on a website you reach by scanning a "random" QR code. Disable automatic-action functions in your scanner, so that scanning a code does not by itself open a website, download a file, or connect to a Wi-Fi network.
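As an added illustration (not code from this article or from any tool it mentions), the following Python sketch shows what a "show before you act" scanner does: it classifies the decoded payload, calls out actions other than opening a web page (calls, payments, Wi-Fi, contacts), and flags URL tricks such as the facedook lookalike, a bare IP address, or a host hidden behind "@". The TRUSTED_HOSTS list and the sample payloads are constructed for the example; nothing here opens, dials, or pays.

```python
import re
from urllib.parse import urlsplit

# Constructed list of brand hosts the scanner uses as reference points.
TRUSTED_HOSTS = {"facebook.com", "web.whatsapp.com", "paypal.com"}

# Payload prefixes that trigger a device action other than opening a web page.
ACTION_SCHEMES = {"tel:": "phone call", "sms:": "text message", "mailto:": "email",
                  "wifi:": "join Wi-Fi network", "bitcoin:": "crypto payment",
                  "begin:vcard": "add contact", "mecard:": "add contact"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_qr_payload(payload: str) -> dict:
    """Classify a decoded QR payload and list reasons a user should hesitate.
    It only reports; the user decides whether to proceed."""
    text = payload.strip()
    low = text.lower()
    for prefix, action in ACTION_SCHEMES.items():
        if low.startswith(prefix):
            return {"action": action, "target": text,
                    "warnings": [f"code triggers '{action}', not a web page"]}
    if not low.startswith(("http://", "https://")):
        return {"action": "plain text", "target": text, "warnings": []}
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        warnings.append("credentials/'@' embedded in URL hides real host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("bare IP address instead of a domain")
    if "xn--" in host:
        warnings.append("punycode label; may render as lookalike characters")
    if host not in TRUSTED_HOSTS:
        for trusted in TRUSTED_HOSTS:
            if host.endswith("." + trusted):
                break  # genuine subdomain of a trusted host
            if 0 < edit_distance(host, trusted) <= 2:
                warnings.append(f"'{host}' resembles trusted '{trusted}'")
    return {"action": "open web page", "target": text, "warnings": warnings}
```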
Even though there have been numerous real-world instances of QR code attacks reported in the media, there hasn't been a great deal of research done in this area, and little focus has been placed on the relationship between security and human-computer interaction. For now, the best protection remains your own awareness.
***
Special thanks go to Murari Jha, from Sarlahi, for contributing to this article. Mr. Jha is pursuing a bachelor's degree at Softwarica College, focusing on ethical hacking, Linux systems, and Python scripting.
***
Thanks also go to Ganesh Bhusal, Faculty of Ethical Hacking and Cyber Security at
Softwarica College, a Coventry University Affiliate. Mr. Bhusal has a BE in Electronics and Communication and a Masters in Computer Science (MCS). You can reach him at:
bhusalganesh87@gmail.com, stw0019@softwarica.edu.np
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a Master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I am Senior Lecturer in Cybersecurity, Ethical Hacking, and Digital Forensics at Softwarica College of IT and E-Commerce in Nepal. I am Vice President of Digi Technology in Nepal where we create web and mobile applications and platforms, provide eCommerce and digitized education solutions, and assist in all areas of cybersecurity. In addition, I offer training on Financial Crime Prevention and Investigation. I was a firefighter before I joined law enforcement and now I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.
Find more about me on Instagram, Facebook, Twitter, LinkedIn, or Mastodon. Or visit my EALS Global Foundation’s webpage here.
I will just never QR codes. Great article as always. You educated me and many with powerful analysis.