Quick response codes, more widely known as QR codes, are often used to easily direct users to websites, files, or even applications. They are incredibly easy to generate and just as easy to use: all one needs to do is point a QR code reader at the code and it will scan. The vast majority of smartphones have a QR code reader built into the default camera application, making QR codes easy and convenient to use. Despite this ease of use, unknown QR codes can hide dangerous tricks behind their patterns.

What Can QR Codes Be Used For?

Before identifying the dangers of scanning random QR codes, it is important to know what a QR code can be used for. Kaspersky Labs identifies that QR codes can store “website URLs, phone numbers, or up to 4,000 characters of text” (the introduction paragraph of this article is roughly 400 words; imagine 100 copies of it being stored in one QR code!). Due to their versatility, QR codes can be utilized for a variety of things.

For example, QR codes can:

  • Link directly to download an app on the Apple App Store or Google Play.
  • Authenticate online accounts and verify login details.
  • Access Wi-Fi by storing encryption details such as SSID, password, and encryption type.
  • Send and receive payment information.
Kaspersky Labs

With all of these uses, and many more, it is no surprise that QR codes can be found almost anywhere. Unfortunately, this makes it much easier for the danger to blend in with legitimate, safe QR codes.

The Dangers of Scanning QR Codes

First off, QR codes can collect various data, which is often accessible by the QR code’s creator, including the “location [the code was scanned], the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android)” (Kaspersky Labs). Thus, if a hacker created a QR code and posted it somewhere for people to scan, they can collect these various points of data. This is not, however, the main concern with QR codes.

Malwarebytes identifies two ways in which QR codes can be compromised. The first is “Malicious URL Embedding: By encoding a harmful URL into a QR code, attackers can lead individuals to download malware or unwanted software. Once scanned, these QR codes can initiate the download and installation of malware, putting personal data at risk” (Malwarebytes). Essentially, when this type of QR code is scanned, the user is directed to a malicious website which will then automatically try to download malware onto the user’s device; this type of attack is also known as a drive-by download. In some cases, the malicious website will then redirect the user to a legitimate website, making it difficult to notice that the download took place.

In addition, QR codes can be utilized for “Phishing Expeditions: Similar to malicious URL embedding, hackers can also direct users to phishing websites through a QR code. These websites, often masquerading as legitimate sites, aim to trick individuals into entering sensitive information, such as login credentials or financial data, thereby compromising their security” (Malwarebytes). As mentioned, these malicious websites often look legitimate and usually take the form of a login screen. Unfortunately, it is fake; once a user enters their credentials to “log in”, the website simply sends their username and password back to the hacker.

How to Stay Safe

How can one stay safe from these attacks? In short, do not let curiosity take the lead if you find a mysterious QR code. If you do not scan a malicious QR code, it cannot affect you.

Malwarebytes advises users to take the following three actions to stay safe when scanning a QR code:

  • Verify Before Scanning: Always confirm the source of a QR code before scanning. If it’s from an unknown or suspicious source, avoid scanning it… If you’re unfamiliar with the company or linked sites, consider refraining from scanning. Furthermore, any misspellings or typos on the webpage housing the code could signal its lack of legitimacy. Stay cautious to protect your online safety.
  • Use Secure QR Code Scanners: Some QR code scanner apps offer additional security features, like checking the URL for known security threats before opening it.
  • Stay Informed: Regularly update yourself on the latest cybersecurity practices and educate others about the risks associated with QR codes.
Malwarebytes

If you follow the above three pieces of advice, you will be well on your way to staying safe against malicious QR codes.

How to Safely Create QR Codes

On the opposite side, it is just as crucial to know how to safely create QR codes for distribution. Luckily, Malwarebytes provides a useful best practices list to keep in mind when creating a QR code.

  1. Select a reputable QR code generator: Choose well-known and trustworthy QR code generators. Steer clear of tools or apps that appear dubious or have negative reviews. Opt for a generator that provides advanced security features.
  2. Double-check your content before encoding: Carefully verify every detail of the information you’re embedding into the QR code. Confirm every character of a WiFi password to prevent unauthorized access. For URL redirections, ensure the link is accurate and directs users to the correct website.
  3. Customize your QR code (optional): Take advantage of customization options such as color, frame, and shape to personalize your QR code. Make sure these customizations do not hinder the QR code’s readability or functionality.
  4. Encrypt and add password protection (for sensitive information): Encrypt the data within the QR code to shield it from unauthorized viewing. For an extra layer of security, especially with sensitive content, add password protection to the QR code.
  5. Create and test the QR code before distribution: Generate the QR code using your selected generator. Test the QR code across different devices and scanning applications to ensure its proper functionality. Verify that the QR code accurately points to the intended information or destination.
  6. Monitor your QR code: Regularly check the destination of the QR code, particularly if it redirects to a website, to confirm that it hasn’t been tampered with or compromised. Monitor the scan statistics and traffic to detect any unusual activities or potential security issues.

By following these steps, you can create QR codes that are not just effective in conveying information but are also secure, ensuring a trustworthy experience for both the creator and the end-users.

Malwarebytes
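
Steps 2 and 5 can be automated for a Wi-Fi code by decoding the payload and comparing it with the values you intended, as in this added example (not from Malwarebytes or any generator). It assumes the common WIFI:T:...;S:...;P:...;; text layout that phone cameras read, in which the characters \ ; , " : must be backslash-escaped; all function names are illustrative.

```python
import re

SPECIAL = re.compile(r'([\\;,":])')  # characters that must be backslash-escaped

def escape_field(value: str) -> str:
    return SPECIAL.sub(r"\\\1", value)

def build_wifi_payload(ssid: str, password: str, auth: str = "WPA") -> str:
    """Text to hand to the QR generator, with special characters escaped."""
    return f"WIFI:T:{auth};S:{escape_field(ssid)};P:{escape_field(password)};;"

def parse_wifi_payload(payload: str) -> dict:
    """Decode the payload the way a scanner would, honouring escapes."""
    if not payload.upper().startswith("WIFI:"):
        raise ValueError("not a Wi-Fi payload")
    fields, key, buf, i = {}, None, [], 5
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ":" and key is None:
            key, buf = "".join(buf), []  # end of field name
        elif ch == ";":
            if key is not None:
                fields[key] = "".join(buf)  # end of field value
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return {"auth": fields.get("T", "nopass"), "ssid": fields.get("S", ""),
            "password": fields.get("P", "")}

def mismatches(decoded_payload: str, ssid: str, password: str, auth: str = "WPA") -> list:
    """Names of fields where the decoded code differs from what was intended."""
    got = parse_wifi_payload(decoded_payload)
    want = {"auth": auth, "ssid": ssid, "password": password}
    return [name for name in want if got[name] != want[name]]

if __name__ == "__main__":
    # Constructed values: an unescaped ';' silently truncates the password.
    naive = "WIFI:T:WPA;S:Office;P:pa;ss;;"
    print(mismatches(naive, "Office", "pa;ss"))
    print(mismatches(build_wifi_payload("Office", "pa;ss"), "Office", "pa;ss"))
```

Run the comparison on the text a scanner actually decodes from the printed code, not only on the string you submitted to the generator.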

Canva, a popular website utilized for graphic design, provides a safe and useful QR code generator that you can use. As a note, you will need to make an account to access the QR code generator.

Resources & Further Reading

Kaspersky Labs. “QR Code Security: What Are QR Codes and Are They Safe to Use?” Kaspersky, 30 Mar. 2021, usa.kaspersky.com/resource-center/definitions/what-is-a-qr-code-how-to-scan.

Malwarebytes. “QR Code: What Is a QR Code? Are QR Codes Safe?” Malwarebytes, www.malwarebytes.com/cybersecurity/basics/what-is-a-qr-code.
