QR codes are everywhere these days. They are two-dimensional barcodes that can encode various kinds of data, such as URLs, plain text, Wi-Fi credentials, or contact details. Scanning one with a smartphone camera opens the encoded content with a single tap. They offer convenience and efficiency for both businesses and consumers, especially since the COVID-19 pandemic increased the demand for cashless and contactless transactions.
However, QR codes also pose real security risks, because criminals can use them to deliver phishing pages, harvest personal or financial information, or push malware to devices. Unlike a plain link or attachment, the payload of a QR code is opaque to a human until it is decoded, and many camera apps show the decoded URL only briefly before opening it. Printed codes can also be covered or replaced by anyone with a sticker. In this article, we will discuss some of the common QR code scams and how they work, as well as some recently disclosed vulnerabilities in software that handles QR codes. We will also provide some tips on how to use QR codes safely and avoid falling victim to these threats.
Common QR code scams and how they work
One of the most prevalent QR code scams is the overlaid QR code, where a fraudster prints a fake QR code sticker and places it over a legitimate one. This can happen anywhere a code is printed in public: shops, restaurants, parking meters, or posters. The fake code may lead the user to a phishing website that mimics the original one, or to a malicious app that requests permissions or downloads malware. The attack works because a genuine-looking sticker on a genuine-looking sign gives the user no reason to doubt it; the only way to tell is to read the decoded URL. For example, in China, a bike-sharing scheme was targeted by scammers who replaced the QR codes on the bikes with their own, which redirected users to a fake payment app that stole their money.
Another QR code scam is the bait-and-switch, where a fraudster entices the user to scan a QR code by offering a tempting deal, a free gift, or a donation to a charity. The QR code may then take the user to a fraudulent website that asks for personal or financial information, or to a malicious app that installs malware or ransomware. Here the code is simply a way to get a phishing link in front of the victim without it being visible as text. For example, in the UK, a scammer sent out text messages claiming to be from the National Health Service (NHS), offering a free COVID-19 test kit. The text message contained a QR code that directed users to a fake NHS website that asked for their bank details.
A third QR code scam is the social media scam, where a fraudster uses a QR code to promote a fake or hijacked account on a platform such as Facebook, Instagram, or Twitter. The QR code may appear in a post, a comment, or a direct message, and may claim to offer a prize, a discount, or a follow-back. It may then lead the user to a phishing page that asks for their login credentials, or to a malicious app that hijacks their account or steals their data. For example, in the US, a scammer posted a QR code on Twitter, posing as a celebrity and offering a chance to win a free iPhone. The QR code took users to a fake Apple website that asked for their Apple ID and password.
Recent vulnerabilities in software that handles QR codes
QR code risks are not limited to individual users being tricked; the software that decodes and acts on QR codes can itself be vulnerable, so that a crafted code attacks the scanning device or application rather than the person holding it. The items below are publicly disclosed vulnerabilities (with CVE identifiers), not necessarily confirmed attacks in the wild, but each shows a way in which a QR code can be more than a link:
- CVE-2023-40890: A stack-based buffer overflow vulnerability exists in the lookup_sequence function of ZBar 0.23.90, a software library for scanning and decoding barcodes, including QR codes. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be physically scanned by the vulnerable scanner.
- CVE-2022-22749: When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content. A QR code does not have to contain an http or https URL; if the scanner hands a non-web scheme straight to whatever handler claims it, a crafted code can reach functionality the user never intended to open. This bug only affects Firefox for Android; other operating systems are unaffected. It was fixed in Firefox 96.
- CVE-2023-34022: A reflected Cross-Site Scripting (XSS) vulnerability exists in the Rakib Hasan Dynamic QR Code Generator plugin for WordPress, versions up to and including 0.0.5. As with any reflected XSS, the malicious JavaScript is carried in a crafted URL to the vulnerable site and runs in the victim's browser when that URL is opened; a QR code is simply one convenient way to deliver such a URL to a victim, since the payload is not visible until it is decoded.
How to use QR codes safely
QR codes are not inherently malicious, but they are an effective delivery vector for phishing links and, occasionally, for crafted input to vulnerable scanners. Users should therefore treat a scanned code like any unsolicited link and follow some basic security practices, such as:
- Do not scan QR codes from unknown or untrusted sources, such as unsolicited messages, emails, or social media posts.
- Do not scan QR codes that are suspicious, damaged, or tampered with, such as those that are overlaid, covered, or altered.
- Use a scanner app (or the built-in camera) that shows the decoded URL and waits for you to confirm before opening it, and preferably one that warns about known phishing sites. Do not use apps that open the destination automatically.
- Read the URL the QR code leads to and make sure the domain matches the expected destination. Pay attention to the part just before the first "/" (the real host), and be wary of brand names in the wrong place, shortened links, IP addresses, and lookalike spellings. HTTPS or a padlock icon only means the connection is encrypted; phishing sites use HTTPS too, so neither is evidence that the site is genuine.
- Do not enter any personal or financial information, or grant any permissions, on the website or the app that the QR code leads to, unless you are sure it is authentic and secure.
- Keep your operating system, browser, and scanner app updated, since vulnerabilities like the ones above are fixed in later versions, and use antivirus or anti-malware software on your device to protect it from potential infections.
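The checks in the list above can be made mechanical. The following Python script is an added example for this article, not code from any scanner app or from the projects named above; it takes the string a scanner has already decoded (the decoded payload is assumed to come from a camera or scanner app) and reports why it should not be opened automatically: non-web schemes such as the ones the Firefox bug concerned, credentials placed before the real host, IP-literal or punycode hosts, link shorteners, non-standard ports, and brand names in hosts that do not belong to the brand. The EXPECTED_BRANDS and SHORTENERS lists are illustrative assumptions, not real allow-lists.

```python
"""Triage a decoded QR payload before opening it (added example, not from any scanner app)."""
import ipaddress
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Assumed: domains this organisation expects its QR codes to point at.
EXPECTED_BRANDS = {"nhs.uk", "apple.com"}
# Assumed: a few well-known shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}


def inspect_payload(payload: str) -> dict:
    """Return {'scheme', 'host', 'findings', 'auto_open'} for one decoded payload.

    auto_open is True only for an https URL with no findings; anything else
    should be shown to the user as text to read, never opened silently.
    """
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    findings = []

    if not scheme:
        # Plain text, or a scheme-less 'bank.example/pay' that some apps still open as http.
        if "." in payload and " " not in payload:
            findings.append("URL-like text without a scheme; app may open it as http")
        else:
            findings.append("not a URL")
        return {"scheme": "", "host": "", "findings": findings, "auto_open": False}

    if scheme not in WEB_SCHEMES:
        # tel:, mailto:, wifi:, intent:, javascript: ... are handed to other handlers,
        # which is the class of problem the Firefox for Android bug was about.
        findings.append(f"non-web scheme '{scheme}'")
        return {"scheme": scheme, "host": "", "findings": findings, "auto_open": False}

    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append("cleartext http")
    if parts.username is not None:
        # https://apple.com@evil.example/ displays 'apple.com' first but goes to evil.example
        findings.append("credentials (user@) before the host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        findings.append("IDN/punycode host (possible homograph)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    try:
        if parts.port not in (None, 80, 443):
            findings.append(f"non-standard port {parts.port}")
    except ValueError:
        findings.append("malformed port")
    for brand in EXPECTED_BRANDS:
        # Crude substring check: 'appleid-verify.example' contains 'apple' but is not apple.com.
        name = brand.split(".")[0]
        if name in host and host != brand and not host.endswith("." + brand):
            findings.append(f"'{name}' in a host that is not {brand}")

    return {"scheme": scheme, "host": host, "findings": findings,
            "auto_open": scheme == "https" and not findings}


if __name__ == "__main__":
    # Constructed sample payloads, modelled on the scams described in the article.
    samples = [
        "https://www.nhs.uk/conditions/coronavirus-covid-19/",
        "https://nhs-free-test-kit.example/claim",
        "https://apple.com@evil.example/appleid",
        "https://appleid-verify.example/",
        "http://192.168.4.1/login",
        "https://xn--pple-43d.com/",
        "https://bit.ly/3abc",
        "javascript:alert(document.cookie)",
        "WIFI:T:WPA;S:cafe;P:secret;;",
        "Scan me for a prize",
    ]
    for s in samples:
        r = inspect_payload(s)
        verdict = "open" if r["auto_open"] else "REVIEW"
        print(f"{verdict:7} {s}")
        for f in r["findings"]:
            print(f"        - {f}")
```

The script deliberately errs on the side of "review": a finding is a reason to show the user the full URL and ask, not a proof of malice. The brand check is a substring heuristic and will produce false positives on unrelated hosts that happen to contain the brand name; in a real deployment it would be replaced by a proper allow-list of registrable domains.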