By Andrew Newman
How this creative business marketing tool can be a double-edged sword, as cyberrisks abound.
Whatever category your business belongs to, 2023’s connected world requires all companies to market themselves via tech and social media, in order to gain popularity and more customers. But equally, in an effort to infiltrate more devices and execute more malware, scammers are increasingly using ingenious methods of exploitation.
Many creative tactics are used for digital marketing communication, but they aren’t without their dangers. For example, pay-per-click advertising, email marketing, and video marketing can be tampered with by malicious actors, with clickbait being a popular vector to lead consumers to phishing sites. Unsurprisingly, RAV researchers found in a recent consumer cybersecurity trends report that phishing is the leading malware distribution method affecting home users today.
Quick Response (QR) codes are another example of common digital marketing, and another possible vector for phishing, as they are the epitome of “security without context”—you can’t interpret the QR code with the naked eye, and so a consumer won’t know what it does until they scan it. So as with any connected technologies, it’s important to examine any possible cyberrisks affecting consumers.
QR Codes: What’s the appeal?
QR codes hit mainstream use throughout North America and Europe in 2020 when the pandemic forced businesses to go contactless. Given the QR codes’ large storage capability and the popular use of mobile devices, these two-dimensional barcodes are designed to be scanned using a smartphone camera and a QR code reader app to provide quick access to information.
They are widely used in various industries, including marketing, retail, and hospitality, offering direct access to websites, contact details, social media pages, and product information, or to perform transactions. Adopting QR codes can help a business in several ways, such as improving customer engagement, increasing sales, and streamlining operations. QR codes also enable QR code login (QRL), a convenient and secure way for consumers to log in to websites and applications without the need for usernames and passwords.
Security without context—is it safe?
Worryingly, people may blindly scan QR codes without pausing to consider what doing so might entail. Case in point: The Coinbase Super Bowl 2022 commercial utilized a bouncing QR code on a giant screen and garnered 20 million hits within one minute of the ad airing. It was an immensely effective marketing move (and funnily reminiscent of The Office’s legendary bouncing DVD opening teaser)—so much so that it temporarily “broke” the Coinbase website.
However, there’s something worrying about the laissez-faire reaction of the audience. In general, it’s safe for consumers to scan QR codes from trusted sources, yet there are potential risks, e.g. codes directing users to malicious websites, or containing embedded malware that allows criminals access to the victim’s mobile device to steal personal and financial information.
Implementing the scams
It can be difficult to know if a QR code is fake or legitimate. Humans cannot decipher the dot pattern, but people can try to confirm whether a QR code was pasted over another one, which could indicate that the new one is fake. QR code readers can often read these codes even if they are dirty or defective, potentially using their software to automatically correct the pattern.
Issues like these introduce a new risk for otherwise legitimate QR codes. The HP Threat Research Team found nearly daily QR code “scan scam” campaigns since last October. These campaigns can deceive people into scanning codes that are designed to bypass less robust phishing detection and protection.
Threat actors can alter QR codes by greying out certain areas, slightly warping square dots in the code, or cloning a login QR code to a fake login page that closely mimics a legitimate online service, known as “QRL-jacking.” In a QRL-jacking attack, the attacker intercepts the person’s QR code login session and uses the device to scan the code to gain access to the user’s account. The attack can be carried out using various methods, such as redirecting the user to a fake login page or using a malware-infected app to scan the QR code.
For QR scams to work, social engineering is required. The consumer needs to be convinced to scan the QR code. Some such scams involve directing users to malicious websites asking for credit and debit card details, or phishing campaigns masquerading as parcel delivery companies seeking payment.
QR code scams often work best in places where the population prefers to go cashless, using their phones to make payments. Threat actors will exploit simple, everyday activities in order to take advantage of people. For example, in 2022 in San Antonio, fake QR codes were detected on parking meters throughout the city. People trying to pay for parking were directed to a fraudulent website to submit payment.
It’s often the minor everyday activities that can drastically affect us without realizing it. Exercising caution and common sense when using QR codes is vital, especially if the user is prompted to enter sensitive information. In this respect, adding a second layer of authentication to online accounts can help protect the consumer.
Other safety guidelines include only scanning QR codes from trusted sources; using a QR code scanner app with in-built security features to detect and warn against malicious QR codes; and exercising caution if a QR code prompts you to download or install anything on your device. Also, check that any page you are redirected to has a legitimate URL and is displaying the HTTPS security indicator, and keep your device’s software up to date to ensure it is protected against known security vulnerabilities.
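The URL checks in the guidelines above can be automated before a scanned link is opened. The following is an added example, not part of the original article: it vets the text decoded from a QR code against the domain the user expects. The domain `parking.example.org` and the sample payloads are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for illustration: the operator's real domain and sample payloads.
EXPECTED = {"parking.example.org"}
SAMPLES = [
    "https://parking.example.org/pay?zone=12",
    "http://parking.example.org/pay",
    "https://parking.example.org.pay-now.example/pay",
    "https://parking.example.org@203.0.113.7/pay",
    "https://xn--parkng-xva.example/pay",
]

def vet_qr_payload(payload, expected_domains):
    """Return warnings for text decoded from a QR code; an empty list means it passed."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("scheme is %r, not https" % (parts.scheme or "missing"))
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return warnings + ["no hostname in payload"]
    if parts.username or parts.password:
        # In https://trusted@other-host/ the trusted name is only a username.
        warnings.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible look-alike domain")
    # Exact match or true subdomain only, so a trusted name used as a
    # prefix of an unrelated domain does not pass.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append("host %r is not an expected domain" % host)
    return warnings

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", vet_qr_payload(url, EXPECTED) or "ok")
```

A clean result only means the link points where the user expected; it says nothing about whether the printed code itself was pasted over a legitimate one.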
It’s always exciting to adopt new technologies when promoting your business, or to be able to easily access information with a single click as a consumer. But staying aware and vigilant will always be a must. Using QR codes as a vector for scams is yet further proof that cybercriminals are diversifying, so we too need to stay one step ahead of the game.
Andrew Newman is the founder and CTO of ReasonLabs