
The Need for Increased Cybersecurity Against QR Code Abuse

QR code use is growing as a convenient input mechanism to make mobile transactions more efficient. But Qshing, or QR code abuse, is also becoming a cyberthreat.

Back in 2013, David Geer laid out the dangers of QR codes for security, explaining how a malicious QR — Quick Response — code can contain a link to a website embedded with malware. The Web link then infects the user device with a Trojan.

“Once a Trojan infiltrates a mobile device,” Geer wrote, “it typically reports to the hacker's servers, which automatically transmit any number of other threats through that opening to leach data and wreak havoc. Freely available tools automate QR code creation so criminal hackers do not have to roll their own.”

Even eight years ago, there were plenty of toolkits available to create malicious QR codes that allowed ethical hackers to test systems for security vulnerabilities with the enterprise's blessing. Of course, hackers with bad intentions also used the same tools.

In reality, similar scams go back to the 1990s, to the earliest days that QR codes were used.

But fast forward to January 2021, and QR code usage has accelerated during the global pandemic. Here are a few examples of that growth:

And true to form, if an online service becomes more popular, especially with the explosive use of smartphones and apps, criminal enterprises will not be far behind.



QR Codes Pose a Top 2021 Threat

In a recent 2021 prediction report, McAfee listed QR code abuse as a top-five threat for the new year. The term used is Qshing, and here are a few excerpts from that report:

“A September 2020 survey by MobileIron found that 86 percent of respondents scanned a QR code over the course of the previous year and over half (54 percent) reported an increase in the use of such codes since the pandemic began. Respondents felt most secure using QR codes at restaurants or bars (46 percent) and retailers (38 percent). Two-thirds (67 percent) believe that the technology makes life easier in a touchless world and over half (58 percent) wish to see it used more broadly in the future. …

“The MobileIron report found that whereas 69 percent of respondents believe they can distinguish a malicious URL based on its familiar text-based format, only 37 percent believe they can distinguish a malicious QR code using its unique dot pattern format. Given that QR codes are designed precisely to hide the text of the URL, users find it difficult to identify and even suspect malicious QR codes.

“Almost two-thirds (61 percent) of respondents know that QR codes can open a URL and almost half (49 percent) know that a QR code can download an application. But fewer than one-third (31 percent) realize that a QR code can make a payment, cause a user to follow someone on social media (22 percent) or start a phone call (21 percent). A quarter of respondents admit scanning a QR code that did something unexpected (such as take them to a suspicious website), and 16 percent admitted that they were unsure if a QR code actually did what it was intended to do.”

How Does QR Fraud Work?

This diagram below provides a helpful explanation.

[Diagram: how QR code fraud works]


And according to India Tech Online:

“The lack of user knowledge on how QR codes work makes them a useful tool for cybercriminals. They have been used in the past in phishing schemes to avoid anti-phishing solutions’ attempts to identify malicious URLs within email messages. They can also be used on Web pages or social media.

“In such schemes, victims scan fraudulent QRs and find themselves taken to malicious websites where they are asked to provide login, personal info, usernames and passwords, and payment information, which criminals then steal. The sites could also be used to simply download malicious programs onto a user’s device.”

Experts predict that criminals will increasingly use these QR code schemes and also broaden them using social engineering techniques. New techniques all have the same goal: to steal the end user’s data.

What Can Be Done?

This blog by Malwarebytes describes steps that end users can take to protect themselves from QR code scams. Note that several of these tips are common to other online protection steps.

  • Do not trust emails from unknown senders.
  • Do not scan a QR code embedded in an email. Treat them the same as links because, well, that’s what they are.
  • Check to see whether a different QR code sticker was pasted over the original and, if so, stay away from it. Or better yet, ask if it’s OK to remove it.
  • Use a QR scanner that checks or displays the URL before it follows the link.
  • Use a scam blocker or Web filter on your device to protect you against known scams.
Even if mail from a bank looks legitimate, you should at least double-check with the bank (using a contact number you’ve found on a letter or their website) if they ask you to log in on a site other than their own, to install software or to pay for something you haven’t ordered.
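As an added example (not from the article or from Malwarebytes), this is the kind of check behind the "display the URL before following it" tip: a small Python inspector that reports what a decoded QR payload would do and flags signs a user should see before tapping through. The shortener list, the scheme table and the `inspect_qr_payload` name are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of shortener hosts (assumption; a real scanner would use a
# maintained list). Shorteners hide the final destination, just as a QR code does.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}

# Non-web payload types a QR code can carry, mirroring the actions the survey
# above lists (calls, payments, app installs) that users rarely expect.
ACTION_SCHEMES = {
    "tel": "start a phone call",
    "sms": "send an SMS",
    "smsto": "send an SMS",
    "mailto": "compose an email",
    "wifi": "join a Wi-Fi network",
    "market": "install an app",
    "bitcoin": "make a payment",
    "upi": "make a payment",
}

def inspect_qr_payload(payload: str) -> dict:
    """Describe the action a decoded QR payload triggers and list risk warnings."""
    scheme, _, rest = payload.partition(":")
    scheme = scheme.lower()
    if scheme in ACTION_SCHEMES:
        return {"action": ACTION_SCHEMES[scheme], "target": rest, "warnings": []}
    if scheme not in ("http", "https"):
        return {"action": "unknown payload", "target": payload,
                "warnings": ["unrecognised scheme, do not act on it blindly"]}
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("plain HTTP, no TLS")
    if "@" in parts.netloc:  # "bank.example@evil.example" shows a fake host first
        warnings.append("userinfo in URL hides the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if "xn--" in host:
        warnings.append("punycode label, possible look-alike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides final destination")
    if host.count(".") >= 4:
        warnings.append("deeply nested subdomains, check the registered domain")
    return {"action": "open website", "target": host, "warnings": warnings}
```

A scanner app would show `action`, `target` and `warnings` to the user and require an explicit confirmation before opening anything.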

Final Thoughts

No doubt, some readers are thinking: What’s new here?

It is true that QR code scan fraud has been around for a while, but the trend is fast growing. Just as ransomware has been around for a decade, but has become the top vector for cyberthreats over the past few years, so Qshing is growing now and needs to be addressed in training programs and general user awareness.

Most of all, enterprise security teams need to address this growing concern.

Dan Lohrmann is a Governing contributor. He is Michigan’s first chief security officer and deputy director for cybersecurity and infrastructure protection. In 2008, Governing named Lohrmann Public Official of the Year.
Government Technology is Governing's sister e.Republic publication, offering in-depth coverage of IT case studies, emerging technologies and the implications of digital technology on the policies and management of public sector organizations.