Comment: Malicious QR Codes Jeopardize Your Security

QR codes are also a great way for attackers to do some targeted social engineering and spear-phishing operations aimed at high-value targets, says Melancon
QR codes are also a great way for attackers to do some targeted social engineering and spear-phishing operations aimed at high-value targets, says Melancon
Dwayne Melancon, Tripwire
Dwayne Melancon, Tripwire

Although QR (quick response) codes have been around for almost two decades, mostly for industrial purposes, in the last few years they have become fairly ubiquitous. It seems like everywhere you look these days, QR codes are being used for just about everything. With the advent of the smartphone, they have become a favorite tool for marketers and promoters.

Now that QR codes are in the mainstream, they are also fast becoming a favorite tool for attackers seeking new infection vectors, which is why a little proactive education for the QR code end-user is in order.

Recently, I was attending a concert, and I noticed lots of people scanning all kinds of QR codes located around the concourse. The codes were being used for things such as downloading free songs, or registering for and obtaining information about contests, new products, drawings, and the like.

The big problem here is that most people are becoming so conditioned they just blindly scan these codes without ever giving a second thought to the notion that they may be part of a nefarious campaign designed by malicious actors in an effort to ensnare the unwitting.

Because most QR codes are designed to direct users to a specific URL or other type of accessible location on the internet, attackers are more frequently using them to lure users to phishing sites or ‘drive by’ malware infection pages that can also be used to whisk them away to other undesirable destinations. Even though most people understand that QR codes have these capabilities, the average user does not view them with any suspicion, like when they are presented with unsolicited emails, unfamiliar links, or shortened URLs.

QR codes are also a great way for attackers to do some targeted social engineering and spear-phishing operations aimed at high-value targets. For example, an attacker could create QR codes that direct targets to legitimate-looking websites, then place the codes on materials designed to look like a benefits open enrollment poster branded with a company’s logo. These materials could then be distributed in areas around the company’s building where employees tend to congregate, or are otherwise accustomed to seeing such information posted.

It would only take a matter of hours to potentially infect dozens of employees with botnets, backdoors, key loggers, or other malicious agents. This kind of operation would be easy to carry out, and the attackers could harvest a lot of sensitive data before the attack was ever identified and countered.

So what’s the takeaway from this scenario? A little seQRity awareness is in order, and hopefully it won’t be too long before most end-users develop a healthy level of skepticism and learn to stop and think before they scan an unauthenticated QR code. For the education of your end-users, here are some precautions everyone should take:

Train Your Employees to be Wary: Most people, particularly those outside of IT-related fields, have little or no idea that QR codes can potentially be used to compromise their device’s security. It is up to security professionals in every organization to make all employees aware of the risks involved in scanning QR codes – whether it be with a personal device (BYOD) used for work, or one that is supplied by the company.

Use Your Head – Look before You Scan: Start using a QR scanner tool that allows you to see the link for the webpage the code is designed to send you to. These tools then ask you to confirm whether you trust the link and want to be directed to that site, and give you the opportunity to check for URLs that just don’t look right for one reason or another. This is no different than hovering over a hotlink to examine a URL before clicking, or using a service to unshorten a URL before you decide to follow a link.

Be Smart – Be Suspicious: If you go to a QR code destination website that asks for your personal information, don’t enter anything unless you have some other trustworthy means of verifying the request is legitimate. Even then you probably should go directly to the site by way of a browser search rather than depending on the QR code to take you there. If you have any doubts whatsoever, listen to that little voice and don’t fill out any forms or click on any other links provided. And by no means should you ever enter any login credentials, usernames, or passwords after scanning a QR code – there is just too much of a risk of being the victim of a phishing operation.

Open Your Eyes and Your Mind – Be Observant: A common place for QR codes is on posters or similar materials used for popular advertisements. Attackers have been known to print out stickers with their own malicious QR codes and sticking them on top of legitimate ones in order to infect devices of the careless among us. So, a simple rule of thumb is that if the QR code doesn’t look like it was physically printed on the poster but was added after the fact, be doubly suspicious and don’t scan it.

These are a just a few of the most obvious tips we should be sharing with others to reduce the risk of being infected by malicious QR codes. If you’re interested in doing an awareness campaign at your office on behalf of your company, you can create your own QR code for free online, print it out, and leave it all around the workplace. Then kick back and see just how many people scan without thinking.

Just be sure you don’t do anything in violation of your company’s policies, and you should probably conduct such an exercise under the direction – and with the blessing – of your management.

Tripwire is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held April 23–25, 2013, at Earl’s Court, London. The event provides an unrivaled free education program, exhibitors showcasing new and emerging technologies and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.


Dwayne Melancon is the chief technical officer at Tripwire.

What’s hot on Infosecurity Magazine?