It seems like everywhere you look these days, you see a QR code.  These codes have been around for almost 20 years but, until the last few years, were mainly used for industrial purposes.  Now that they are in the mainstream (many mobile phone manufacturers ship their phones with QR scanners now) they are being used as an attack / infection vector.  The other day, I was at a concert and noticed people scanning a whole bunch of QR codes around the concourse to get free songs, information about contests, etc.

QR Tripwire Blog

The problem with this is that people are becoming conditioned to accept and use these QR codes without a second thought.  Since they can redirect you to any URL or accessible location on the internet, people are using them to push users to phishing sites; get people to surf to “drive by” infection sites; and whisk you away to other bad destinations.  Even with these capabilities, the average person does not view them in the same way as suspicious emails and phishing links they encounter on their computer.

This seems like a great way to do some targeted social engineering.  Imagine creating some QR codes that led to phishing pages, printing them out on a form that looks like a benefits open enrollment information poster, and hanging them around a building used by a company you’re targeting.  Pretty easy and scary, and I bet you would get a lot of data you could use to spearphish or gain insider-like access to the company.

SeQRity tips

Some precautions you can take:

  • Train your employees.  Many people, particularly those outside of IT, have no idea that QR codes can be used to compromise security.  Let them know, and tell them how to take the appropriate precautions (such as the other 3 on this list).
  • Look before you leap.  I use a QR scanner that shows me the URL I’m being sent to, then asks me to confirm I want to go there.  That gives me the opportunity to look for URLs that don’t look right.  This is no different from clicking on links in an email – if bad guys can get you to go to their malicious URLs without questioning it, they win.
  • Be suspicious.  If you go to a QR destination that asks you for personal information, don’t enter your information unless you have some other very trustworthy way of verifying that the destination is legitimate (and even then, you may want to go directly to the site rather than using the QR code to get there).  If you have any doubt, don’t fill it out.  And by no means should you put in your login credentials after scanning a QR code – too much phishing danger.
  • Be observant.  A common place for QR codes is on posters advertising popular items, movies, etc.  If I were up to no good, I’d print out a bunch of my own codes, stick them on top of legitimate QR codes and start pulling fans into my phishing net.  If the QR code doesn’t look like it was printed on the poster, be doubly suspicious.
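
To make the "look before you leap" check concrete, here is an added example (not part of the original post) of the review a scanner's confirmation prompt could run on the decoded text before opening it. The function name, the warning wording, the shortener list and the `expected_domains` parameter are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: short illustrative list of link-shortener hosts (not from the post).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def review_qr_payload(payload, expected_domains=()):
    """Return (host, warnings) for the text decoded from a QR code.

    host is what a confirmation prompt should display prominently;
    warnings are the reasons to hesitate before opening the link.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "", ["payload is not a parseable URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "", [f"not a web link (scheme: {scheme or 'none'})"]
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if not host:
        return "", ["URL has no host"]
    if scheme == "http":
        warnings.append("unencrypted http link")
    if "@" in parts.netloc:
        warnings.append("text before '@' is not the site name")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, may imitate another name")
    if host in SHORTENERS:
        warnings.append("shortener hides the final destination")
    if expected_domains and not any(
        host == d or host.endswith("." + d) for d in expected_domains
    ):
        warnings.append("host is outside the expected domains")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads (example.com, .test and 203.0.113.0/24 are reserved).
    for p in ("https://www.example.com/enroll",
              "http://example.com@203.0.113.7/login",
              "https://example.com.benefits.test/"):
        print(p, "->", review_qr_payload(p, expected_domains=("example.com",)))
```

An empty warning list only means none of these checks fired; it does not show the destination is legitimate, so the other precautions on this list still apply.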

Those are just a few of the obvious tips to make QR codes less dangerous to you.  If you want to try out your QR code on a safe target, you can scan the image in this post – it is a benign QR code that you can use for your testing.

If you’re interested in doing a test around your office, you can create your own QR code for free online, print it out and stick it up around the building to see how many people scan it without thinking.  Just don’t do anything illegal or in violation of your company policies!



Dwayne Melancon

Dwayne Melancon has contributed 137 posts to The State of Security.
