Among the many technological impacts of the coronavirus pandemic is a rise in the use of QR (Quick-Respons) codes. Naturally, bad actors are taking advantage of this opportunity and the vulnerabilities of this mobile technology to launch attacks. Security teams need to be on top of this threat. The QRurb Your Enthusiasm 2021 report by endpoint management and security provider Ivanti shows that global QR code usage and use cases are up. That’s in large part because the codes make life easier in a world in which contactless transactions have become desired or required.
However, organizations lag behind on security against QR-code-enabled threats. For example, 83% of respondents said they had used a QR code for a financial transaction in the past three months, but most of them were unaware of the risks. Only 47% knew that scanning a QR code could open a URL and 37% knew that it could download an application. Consumers have scanned codes at retail stores, restaurants, bars, and other establishments, and many want to see QR codes used more broadly as a payment method in the future. At the same time, the report noted, more people are using their own unsecured devices to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work remotely. It said they’re also using their mobile devices to scan QR codes for everyday tasks, putting themselves and enterprise resources at risk.
QR exploitation is simple and effective
Attackers are capitalizing on security gaps during the pandemic, the report says, and increasingly targeting mobile devices with sophisticated attacks. Users are often distracted when on their mobile devices, making them more likely to be victimized by attacks. Attackers can easily embed a malicious URL containing custom malware into a QR code that could then exfiltrate data from a mobile device when scanned, the report says. They could also embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials.
“By their very nature, QR codes are not human-readable. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective,” says Alex Mosher, global vice president at MobileIron. Nearly three-quarters of those surveyed in the study can’t distinguish between a legitimate and malicious QR code. While most are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate, the report said.
Mobile device attacks threaten both individuals and businesses, Mosher says. “A successful attack on an employee’s personal mobile device could result in that individual’s personal information being compromised or financial resources being depleted, as well as sensitive corporate data being leaked,” he says.
How attackers exploit QR codes
What can make QR code security threats especially problematic is the element of surprise among unsuspecting users. “I’m not aware of any direct attacks to QR codes, but there have been plenty of examples of attackers utilizing their own QR codes in the course of attacks,” says Chris Sherman, senior industry analyst at Forrester Research.” The main issue is that QR codes can initiate several actions on the user’s device, such as opening a website, adding a contact, or composing an email, but the user often has no idea what will happen when they scan the code,” he says. “Normally you can view the URL before clicking on it, but this isn’t always the case with QR codes.”