QR codes, or Quick Response codes, are two-dimensional barcodes that hold far more data than a traditional barcode, most often a URL, and they have exploded in popularity over the past two decades. Booths at the university club fair, event flyers, and even social media websites all use QR codes. Now that most phone cameras can read QR codes without a separate app, attackers have found ways to use them to deliver malicious content.
Quick Response Code Login Jacking (QRLJacking) targets websites that let users sign in by scanning a QR code with an app on a phone that is already logged in. QR code sign-in is convenient and pairs naturally with one-time passwords and multifactor authentication, but the login flow itself can be abused. An attacker opens the real login page, copies the QR code it displays onto a cloned login page, and sends that page to a victim. When the victim scans the code with the genuine app, the account is attached to the browser session the attacker started, so the attacker is now logged in as the victim. This is a simple yet extremely effective social engineering attack.
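To make the flow above concrete, here is a toy model of a QR-code login server, the victim's phone app, and the attacker's relay of the QR code. This is an added example written for this post; it is not code from any real service, the session-binding and confirmation checks are assumptions of the model, and the IP addresses are constructed from documentation ranges.

```python
"""Toy model of QR-code login and of the QRLJacking attack described above.

Added example, not code from the original post or from any real service.
The server, the victim's phone app and the attacker are all simulated in-process;
the IP addresses are constructed (RFC 5737 documentation ranges).
"""
import secrets
import time


class QrLoginServer:
    """Hands a login token to a browser (shown as a QR) and logs that browser in once a phone approves it."""

    def __init__(self, ttl_seconds=60, bind_to_network=False):
        self.ttl = ttl_seconds
        # Hardening switch (an assumption of this model): require the approving phone to be on the
        # same network as the browser that requested the QR.
        self.bind_to_network = bind_to_network
        self.sessions = {}  # token -> {"browser_ip", "created", "user"}

    def new_login_qr(self, browser_ip):
        """The browser's login page calls this; the returned token is what the QR encodes."""
        token = secrets.token_urlsafe(24)
        self.sessions[token] = {"browser_ip": browser_ip, "created": time.monotonic(), "user": None}
        return token

    def session_info(self, token):
        """What the phone app can show the user before approving: where the request came from."""
        s = self.sessions[token]
        return {"requested_from": s["browser_ip"], "age_seconds": time.monotonic() - s["created"]}

    def approve(self, token, user, phone_ip):
        """Called by the already-authenticated phone app after it scans a token."""
        s = self.sessions.get(token)
        if s is None or s["user"] is not None:
            return "invalid-or-used"
        if time.monotonic() - s["created"] > self.ttl:
            return "expired"
        if self.bind_to_network and phone_ip != s["browser_ip"]:
            return "network-mismatch"
        s["user"] = user  # the browser holding this token is now logged in as `user`
        return "ok"

    def whoami(self, token):
        s = self.sessions.get(token)
        return s["user"] if s else None


def phone_scan(server, token, user, phone_ip, confirm):
    """Victim's phone app: show session details, ask the user, then approve or decline."""
    if not confirm(server.session_info(token)):
        return "declined"
    return server.approve(token, user, phone_ip)


def qrljacking_demo(bind_to_network, victim_confirms):
    """Run the attack once; returns (approval result, who the attacker's browser is logged in as)."""
    server = QrLoginServer(bind_to_network=bind_to_network)
    attacker_ip, victim_phone_ip = "203.0.113.10", "198.51.100.7"

    # 1. Attacker opens the real login page: the server issues a genuine token for the attacker's browser.
    token = server.new_login_qr(browser_ip=attacker_ip)
    # 2. Attacker puts that QR on a cloned login page and lures the victim to scan it (social engineering).
    # 3. Victim scans with the real app, which is already signed in as "alice".
    result = phone_scan(server, token, "alice", victim_phone_ip, victim_confirms)
    # 4. If approved, it is the attacker's browser that is now logged in as alice.
    return result, server.whoami(token)


if __name__ == "__main__":
    print(qrljacking_demo(False, lambda info: True))  # ('ok', 'alice'): attack succeeds
    print(qrljacking_demo(True, lambda info: True))  # ('network-mismatch', None)
    print(qrljacking_demo(False, lambda info: info["requested_from"] == "198.51.100.7"))  # ('declined', None)
```

Note that nothing in the token is forged: the attacker relays a perfectly valid QR code, which is why the defense has to live in the approval step. The network check in the model is only a heuristic (a phone on cellular data and a laptop on Wi-Fi legitimately differ), so the confirmation prompt that shows the user where the login request came from, together with a short token lifetime, is what gives the victim a chance to notice that they are approving a session they never opened.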
Attackers can also paste fraudulent QR codes over real ones in public places so that a scan leads to a phishing page that tricks the user into handing over sensitive information.
Potential Malware in QR Codes
Last January, Fordham Secure IT published a blog post on an FBI alert warning that bad actors were planting malicious QR codes, which had become a popular contactless option for menus, flyers, and event tickets during the pandemic. A QR code itself is only data, usually a URL; the danger is where that URL leads, whether a phishing page, a bogus payment form, or a download that installs malware. Always be cautious of any URL that comes from a QR code, especially one that asks you to enter payment or other sensitive information.
How You Can Stay Safe Using QR Codes
- Don’t scan random QR codes: Bad actors distribute malicious QR codes in the hope that people’s curiosity will lead them to scan. Avoid scanning QR codes from untrusted sources.
- Use a dedicated QR scanner: While most phone cameras can scan QR codes on their own, a dedicated scanning app shows you the decoded content and lets you inspect the destination before it is opened, so you can tell whether you are being led to a suspicious link.
- Or avoid QR codes altogether: Asking for the web address and typing it directly into your browser is almost always safer than following a QR code, which is an opaque pointer to whatever its creator chose. This is good practice for general web browsing too: typing the URL into the address bar avoids accidentally landing on a spoofed or scam website.
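The inspection step that a dedicated scanner performs, and the FBI’s advice above to examine a QR code’s URL before following it, can be written down as a small check. The following is an added example for this post, not code from any scanner app; it takes the already-decoded payload string that a QR library returns, and the shortener and trusted-domain lists are constructed stand-ins for the maintained data a real scanner would use.

```python
"""Inspect the decoded contents of a QR code before acting on it.

Added example, not code from the original post or from any scanner app.
Input is the decoded payload string; output is a verdict and the reasons
a careful scanner would refuse to open it silently.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed lists for the example; a real scanner would use maintained data.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
TRUSTED_DOMAINS = {"fordham.edu"}  # names a user expects on campus flyers (assumption)
SEVERITY = {"open": 0, "review": 1, "block": 2}


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_qr_payload(payload):
    """Return (verdict, reasons); verdict is 'open', 'review' or 'block'."""
    payload = payload.strip()
    findings = []  # (severity, human-readable reason)

    if not payload.lower().startswith(("http://", "https://")):
        # tel:, sms:, mailto:, WIFI: and similar payloads trigger an action rather than a page load.
        kind = payload.split(":", 1)[0]
        return "review", [f"non-web payload ({kind!r}); confirm the action it triggers"]

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()

    if parts.scheme == "http":
        findings.append(("review", "plain HTTP: the page and anything you type into it travel unencrypted"))
    if parts.username or parts.password:
        # "https://fordham.edu@evil.example/" shows a trusted name but connects to evil.example.
        findings.append(("block", f"credentials embedded before '@': the real host is {host!r}"))
    try:
        ipaddress.ip_address(host)
        findings.append(("review", "bare IP address instead of a domain name"))
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append(("review", "punycode host: may be a look-alike domain"))
    if host in URL_SHORTENERS:
        findings.append(("review", "URL shortener: the final destination is hidden until you follow it"))
    if not host:
        findings.append(("review", "no host in URL"))

    # Brand-in-subdomain trick: a trusted name appears but is not the registrable domain.
    reg = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and reg != trusted:
            findings.append(("block", f"{trusted!r} appears in the host but the site is actually {reg!r}"))

    verdict = max((sev for sev, _ in findings), key=SEVERITY.get, default="open")
    return verdict, [reason for _, reason in findings]


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would hand them back.
    for sample in [
        "https://www.fordham.edu/secureit",
        "http://bit.ly/3xyz",
        "https://fordham.edu.login-verify.example/pay",
        "https://fordham.edu@203.0.113.5/login",
        "WIFI:T:WPA;S:Campus;P:secret;;",
    ]:
        verdict, reasons = inspect_qr_payload(sample)
        print(f"{verdict:6} {sample}")
        for r in reasons:
            print("       -", r)
```

The verdict is deliberately conservative: anything that is not a plain HTTPS link to an expected domain gets at least a review prompt, and the two tricks that most reliably fool a glance at the screen, a trusted name stuffed into a subdomain or placed before an `@`, are blocked outright. The registrable-domain helper is a simplification; a production scanner would use the public suffix list so that hosts like `example.co.uk` are handled correctly.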