Take a fresh look at your lifestyle.

Risks of using QRCodes and how to reduce them – not as safe as you think

QR codes have been around us for a long time and are often used to store different types of information. These codes are a popular means of storing and exchanging information, and you can find them almost everywhere. Since their arrival in the 1990s, people and companies have used them to store and distribute information from restaurants, hospitals and packaging. They are smart, efficient and easy to use.

Moreover, as they allow for a virtual exchange of information, the emergence of the coronavirus pandemic has somewhat increased their use. However, within the convenience they provide, the risks and dangers of using QR codes are often overlooked and forgotten.


Want more technical news? Subscribe to the ComputingEdge newsletter today!


Why are QR codes not secure?

There are several incidents related to the exploitation and misuse of QR codes. Several hackers and threat actors have used QR codes as an attack vector, including US hacker Jester. They converted their Twitter profile into a QR code and coded it to search the scanner’s phone for activities on various extremist platforms. If extremist activity was detected on the person’s phone, the code programmatically increased user privileges and stole information from their phone.

The threat actor used the combination of social engineering and the QR technology for a malicious purpose. Apart from that, there are several instances where threat actors misuse QR codes as an attack vector in various respects.

As the use of QR codes increased with the pandemic, threat actors have seized that opportunity to further leverage this handy technology for a sinister purpose. Research from September 2020 reveals the significant security risks that QR codes pose to both businesses and individuals. The most common ways threat actors abuse QR codes are:

  • Embed QR codes with malicious URLs
  • Replace legitimate QR codes with compromised ones by pasting their QR codes on pre-existing ones.

In this way, cyber criminals manage to carry out various attacks on people. The most common security risks with QR codes are as follows:

1. Malware Attacks

Cyber ​​criminals can embed malicious URLs in publicly available QR codes, infecting anyone who scans them with malware. Sometimes just visiting the website can cause malware to download in the background. Apart from that, they can also send phishing emails containing QR codes that re-infect the user’s device with malware when scanned.

The malware can then harm users in various ways. It can open back doors for more malware infections or quietly steal the target’s information and send it to the cyber criminals. Sometimes these malware infections can even be ransomware attacks that take your information hostage for ransom.

Moreover, hacks can also use these malware infections to access the target device’s location and contact list data. Spyware or a tracker can track the targets’ every move or open their webcams to run live feeds without them knowing.

2. Phishing Attacks

QR codes are also used to serve in phishing attacks, a problem known as QPhishing. A cybercriminal can replace a legitimate QR code with one embedded in a phishing website URL. The phishing website then asks users to reveal the personal information that criminals sell over the dark web. Apart from that, they can also force you to pay for materials which gives them financial gain.

These phishing websites have minor differences from legitimate websites, making them appear authentic to the victim. They are mainly exact replicas of the original with minor differences, such as the “.com” in the domain name can be replaced with something else like “ai” or “in”.

3. Bugs in QR Codes

Sometimes it is also not a threat actor trying to exploit users. Just a bug in a QR code reader application. Hackers can use the bug to exploit cameras or sensors in phones or other devices. Threat actors can also exploit a bug or issue within the legitimate URLs that the QR code is associated with.

This incident happened to Heinz in September 2015 when their QR code led users to inappropriate websites. The QR code was part of their promotional campaign that allowed users to create custom labels for Ketchup bottles once they reached the site. However, the QR code led users to an entirely different and inappropriate website.

The problem was that Heinz had not renewed their domain name registration. When the domain name became available, a third party started using it.

4. Financial Theft

QR codes have long been an efficient way to transact and pay bills. Its use has grown exponentially during the covid-19 pandemic to promote “contactless” communication and information exchange methods. QR codes are present at restaurants and even gas stations where customers can pay. Within such public places, any threat actor can swap a legitimate QR code with a fake one so that the transactions end up in their bank account.

How to maintain security with QR codes?

QR codes are popular, especially in these times with the covid-19 pandemic. These QR codes are the new standard for information exchange as they enable virtual communication, which is much needed today. Given the security risks involved, ensure privacy and security while using these QR codes is best. Some of the best possible ways to mitigate these risks include the following:

1. Only scan QR codes from trusted sources.

QR codes often spark curiosity that hackers and criminals often use. It is therefore best to remain cautious and scan your QR codes only from trusted sources. This would ensure protection against malware and phishing attacks.

To ensure that the source is trusted for trust, a user should check the website URL and security, such as looking for SSL certificates. Only after it has been confirmed that these security measures are intact should an individual share information or transact within that particular site.

2. Use QR scanners that display site URLs

Most QR scanners display the website immediately after scanning the code. It is mainly third-party scanners that have this feature, and while it may seem useful, it is dangerous because the link can be malicious. It is therefore best to use built-in QR scanners that come in smartphone cameras. These scanners display the sitelink before opening so that the user can close the link before opening it if it appears suspicious.

3. Update your device’s security regularly.

Third-party software patches and security applications provide long-term protection. Installing and regularly updating your device’s security software patches can help maintain security. In addition, it is also crucial to enable third-party protection through robust anti-malware software. It would provide maximum protection against malicious activity and immediately notify you of suspicious activity, such as unauthorized access to the device’s data.

4. Stay vigilant

While making online transactions via QR codes, remain vigilant and pay close attention to details. Closely inspects the QR code to see if it has been swapped or otherwise tampered with. If you find that there is something wrong with the QR code, it is best not to use it and look for other transaction methods.

Last words

Cybersecurity concerns are constantly increasing, especially with the spread of the coronavirus. Within the world’s haphazard shift to digitization, many criminals have devised innovative attack methods to exploit both people and organizations. Risks and threats from QR codes are other examples of this exploitation. Therefore, in the midst of all these problems, it is best to try to ensure security and privacy by remaining vigilant.

!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,’script’,
‘https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘2406379906149876’);
fbq(‘track’, ‘PageView’);

!function(f,b,e,v,n,t,s)
{if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};
if(!f._fbq)f._fbq=n;n.push=n;n.loaded=!0;n.version=’2.0′;
n.queue=[];t=b.createElement(e);t.async=!0;
t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,’script’,
‘https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘721875948349197’);
fbq(‘track’, ‘PageView’);