The resurgence of QR codes occurred during the pandemic as businesses found a simple way for consumers to scan menus, pay bills and sign up for events.
Hackers were already one step ahead. They found that the bar codes were an easy way for them to steal bank and credit card data and net a fast payday.
The bottom line is that QR codes are tampered with because it is a way to make money, Alex Hamerstone, director of advisory solutions at TrustedSec, a Strongsville, Ohio-based ethical hacking and cyber incident response company, told TheStreet.
"Scammers go where they can make money or steal personal information (to use to make money) and as QR codes continue to become more common, scammers will continue to gravitate towards them," he said. "The QR code itself is nothing nefarious- a QR code simply presents data which is read by an app on your phone, and directs the user to a web site."
The FBI warned consumers that QR codes were being used by criminals to steal data, embed malware to gain access to smartphones and redirect payment for cybercriminal use. Once the money has been transferred, recovering the funds can not be guaranteed, the FBI said.
QR phishing is not just an effective method to attack individuals, it is also used to steal corporate data, Hank Schless, senior manager, security solutions at Lookout, a San Francisco.-based security service edge provider, told TheStreet.
“Your employee could scan a code that leads to a fake bank login page,” he said. “Once their login credentials are entered, an attacker can use software that crawls the internet for other sites with that employee’s username. If your employee uses the same login credentials across multiple accounts, including ones related to work, an attacker could gain access to your organization’s infrastructure.”
Businesses Can Help Their Customers
Companies that have a retail presence should physically inspect their QR codes to make sure they point to the correct URLs and that they have not been tampered with, John Bambenek, principal threat hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, told TheStreet.
“Scan them regularly with their own phones and have an inventory that they can compare to,” he said.
Companies, especially retail ones, can ensure their code is less likely to get hacked by getting ahead of the attackers, Casey Ellis, CTO at Bugcrowd, a San Francisco-based crowdsourced cybersecurity company, told TheStreet.
“Advertise that you're using them, create and set expectations about what they will look like and what users will be expected to do and set general expectations for its use,” he said. “Doing this will help the average person identify something that's abnormal more easily and there will be a clear reference point to refer back to.”
Using QR codes to gain trust and access to company resources was simply a matter of time, Patrick Harr, CEO of SlashNext, a Pleasanton, Calif.-based anti phishing company, told TheStreet.
“This is why everyone must implement behavioral AI-based security protection controls currently absent in their email, web and mobile solutions and they must quit relying on training to prevent phishing, quishing, smishing and other human compromise attacks,” he said.
Hackers are now looking to penetrate new areas with little or no security protection because the traditional methods of sending malicious content to email are better protected.
Companies can make their use of QR codes safer by not using them for payments, but only for using applications in the official stores, Chris Pierson, CEO of BlackCloak, an Orlando, Fla.-based executive digital protection company, told TheStreet. Businesses also need to physically police menus or other places hosting QR codes to ensure they are not changed or tampered with.
Business owners can also educate their users on proper cyber hygiene and "make it easy to ask questions of their staff about QR codes, payment options and even how to interact with their own apps," he said.
The number of tools that consumers can use to quickly identify malicious QR codes are limited to a few scanning applications that can identify malicious links, Pierson said. Those can be used to catch the most dangerous sites.
Smaller establishments like restaurants or local shops may not be flagged by these applications until it is too late, he said.
"It is important to note that consumers do not need a separate QR code scanner as their main camera can scan the QR code," Pierson said. "So, unless this scanner is made by a well known anti-virus company, it may actually be malicious itself."