Hackers Now Using QR Codes for Phishing Attacks

Hackers Now Using QR Codes for Phishing Attacks

How hacker can get you ?

You have all seen at least once those images made of small black squares. QR code has become a regular part of life for many and during the pandemic they finally hit mass adoption. We scan them, naturally, without thinking. Here is the problem…

What is a QR Code ?

A QR Code or Quick Response Code is a matrix barcode, that is to say on two dimensions. This feature allows it to store a large amount of information (up to 4296 alphanumeric characters) as links and even trigger certain actions (connect to a Wlan network, pay, start a call …). It is composed of three anchors indicating the position of the QRCode and an alternation of black and white squares that contain a system of headers and data as described in the ISO 18004 standard.

It was originally designed in 1994 by Masahiro Hara, an employee of Toyota, to simplify the traceability of automotive parts in the production lines of the Japanese firm. Its ability to obtain data quickly made it popular with the arrival of smartphones. Since the Covid-19 pandemic, it has become a standard feature. These sets of seemingly harmless little squares can now compromise the IT security of small and large companies …

How is it hijacked ?

Its greatest asset is also its greatest weakness… Indeed, the speed that resides even in its name is a huge flaw. The user doesn’t have the time to scan the link contained in the code, he is immediately redirected to the site, without the url even being displayed on his screen. It is therefore possible to exploit this weakness and couple it with human flaws, through social engineering, to make a formidable phishing attack.

Here’s a very concrete example for businesses today: Imagine an email from Microsoft Teams, asking you to scan a dual authentication QR Code to confirm that you are the account holder. Once you scan it, you enter your password to confirm your identity. It’s already too late, what appeared to be a legitimate verification has actually stolen your credentials. Indeed, the QR Code sent in the email automatically redirected you to a fake phishing page, and lulled by the efficient QR Code mechanism, you didn’t even pay attention…

And it’s not only over-trained hackers who can exploit these QR Codes for malicious purposes! Here are some examples from the news : 

  • In Texas, scammers stuck QR Codes on city parking meters, linking to a fake parking payment site, to extort money from motorists.
  • In Germany, hackers have used QR codes to trick bank customers into giving out their bank credentials:

What are the advantages of this new phishing method ?

Beyond its freshness (the lack of caution of the users), the QR Code presents two advantages from the Red Team point of view in a phishing campaign: the user does not have to read the link directly, which can allow to send back to sites whose URL seems suspicious, or at least could have created mistrust among the users who are more and more aware thanks to the training campaigns. As said before, it is now common to encounter such sites, which trivializes the action to be performed for the user and thus facilitates the hacker’s work.

The other advantage, and not the least, is what we call escape. Escape is the ability of a phishing vector (email, QR code, SMS) to make the user leave the environment in which he is more secure. More concretely, in a company, redirecting to a fraudulent site and having the counter-detection tools let this request through. This is the fateful moment when the criminal passes through customs with his loot without the security checks having found anything illicit to blame him for.

In the case of QR codes, there is no tool or measure to verify (on a technical scale) that a QR code is fraudulent, simply because it is very complex to analyze the very presence of a QR code in an email, how much more the data it contains. Moreover, the user scan with his smartphone. However, this terminal is very rarely equipped with a checking and security system for links and web pages. The attacker has therefore succeeded in forcing the victim to escape from any environment with security checks. All the responsibility rely on the human who will scan the code…

These two elements are important advantages (from the hacker’s or the red team’s point of view) to increase the success rate of a phishing campaign, even among informed users. Knowing that it sometimes takes only one victim to disrupt an entire information system and damage a company (it was recently the case for Uber), so it is essential to remedy this new form of phishing.

Tips to Prevent Phishing​

How to prevent it ?

 1. Take the time to check the content of the QR Code:

 As explained earlier, the biggest danger of the QR Code lies in the fact that it is fast enough to don’t let the time for user to analyze the link it redirects to. Take a few moments to inspect the content of the QR Code. Prefer a reader application that shows you the target link before redirecting you and apply the verification methods taught for classic phishing methods. If in doubt, you can also check with a third-party tool such as isitphishing or with the people in charge of IT security at your company.

2. Check the authenticity of the QR Code:

 The origin of the QR Code can indicate its fraudulent nature. In the case of an email, check the sender of the email. Is it known? Is it genuine? Does he have a reason to contact you and ask you to perform an action? In the case of a physical QR Code (printed on a document or stuck on a parking meter for example), check that this QRCode was originally present, that it does not cover another original one or that it is well integrated in the rest of the document.

3. Go back manually to a known site:

If in doubt when entering confidential data, feel free to exit the current navigation page and return to the relevant site by manually typing in your usual access links yourself.

4. Use a password manager:

Beyond its interests in terms of password hygiene, a password manager will only be activated if you are browsing on a site you already know. For example, if you have saved your Microsoft Teams credentials and it is not offered to you on a Microsoft login page, you are not on an authentic page.

5. Train yourself to recognize phishing campaigns:

Regularly informing your employees and conducting training campaigns can effectively reduce the risk of phishing attacks. This way, your employees will remain alert to the new methods used by hackers against organizations.

QR codes are a new and very powerful phishing vector that can be summarized as follows: You didn’t see anything, your detection system didn’t see anything, and yet… you bit.

To go further ...

Launch Phishing Security Test

There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced the hackers techniques being used are also more advanced.

There is a common misconception that phishing is easy to spot and that only less technically-savvy people will fall victim but this is far from the truth. A phishing test holds the dual benefit of measuring your company’s risk and training your employees on what to look for in these attacks. Phishing Security Test familiarise employees with cyber threats to create a line of defence and push for a safer environment. In order to combat these threats, staff need to understand the telltale signs of an attack, the common techniques criminals use and what to do when they believe they’ve received a phish.

Nathan & Alan
Security Testing Team