Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply put scam QR codes on top to redirect users to an anti-vaccination website, according to Australian local police
This man faces jail time, but the incident focuses on the growing cyber-abuse of QR codes.
He now faces 2 counts of “obstructing operations carried out relative to COVID-19 under the Australian Emergency Management Act,” the S. Australia Police explained in the statement announcing the arrest. His arrest may just be the start: There are reports of other anti-vax campaigners doing the same thing.
Fake QR Codes
Anti-vaxxers are responsible for a QR code scam in Blackwood, near Adelaide too. Fake QR codes were placed over genuine COVID safe check-ins & once scanned, it is understood it led people to a website with information against vaccinations. 7NEWS Adelaide at 6pm | https://t.co/8ftPfFYTVQ #7NEWS pic.twitter.com/NFAMNTdCrz
— 7NEWS Adelaide (@7NewsAdelaide) April 27, 2021
Police added an additional warning to would-be QR code scammers: “Any person found to be tampering or obstructing with business QR codes will likely face arrest & court penalty of up to Au $10k.”
No Personal Data
The police said no personal data was breached, but the incident shows that truly all an attacker needs is a printer & a pack of Avery labels to do real damage.
In this case, the QR codes were being used by the South Australian Govt’s official Covid Safe app to access a device’s camera, scan the code & collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported.
That is a lot of personal data linked to a single QR code just waiting to be stolen.
“In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community,” Bill Harrod, vice president of public sector at Ivanti, outlined. “While this is concerning, the outcome could have been far more perilous.”
QR Code Use & Abuse Rising
Despite the apparent ease with which they can be abused, QR code use is on the rise. Just this month, Ivanti released a report that found 57% of survey respondents across China, France, Germany, Japan, the UK & the US had increased their QR code usage since Mar. 2020.
QR codes have become a quick, contactless way to read menus, check into appointments etc. since the start of the COVID-19 pandemic. Where there’s valuable data left un-protected, cyber-criminals are guaranteed to show up right on time.
“Hackers have been known to create adhesive labels with malicious QR codes & paste them over legitimate QR codes, allowing them to intercept or sit in the middle of transactions & capture payment information,” Harrod commented.
Ivanti noted in its report this type of “adhesive” malicious QR code attack had already been observed being used to steal payment information in places like restaurants and parking garages. Malicious QR codes are also used to steal credentials in phishing & malware attacks.
The US Army’s Major Cyber-Crime Unit issued a warning in Mar. & also cautioned “users to be wary of suspicious quick response codes.”
They recommended users avoid scanning random QR codes, be extremely cautious about entering any credentials after scanning & suggests if a QR code appears to be applied on top of another, ask about its legitimacy.
“The problem is that, by design, QR codes are not human-readable, & therefore nearly impossible to detect if the link to which the quick-read code directs the user is safe or malicious,” Harrod explained.
“For years, we have encouraged users to be aware of links before they click on them & to look for tell-tale signs in the URL that it may not be trustworthy. However, with QR codes, there is no way for users to know before they get redirected.”
Check QR Codes
Harrod stated that based on Ivanti’s research, users should preview any bit.ly links that appear after scanning a QR code.
“Bit.ly is a free URL shortening service that can also be used by hackers to disguise malicious URLs,” Harrod advised. “The good news is you can safely preview a bit.ly link by adding a plus symbol (+) at the end of the URL. This will direct you to a page displaying the link’s information so you can determine if it’s legitimate or not.”
He added that, when possible, avoid the security risk of QR codes altogether by opening a browser & viewing the information through a business website.
It is also critical that users understand the security protections on their device, he said, adding that Ivanti found 49% of users said they have no idea whether they have any security installed at all.
“Ivanti’s recent research shows that users typically have no idea what kind of security exists on their mobile devices, which can create huge security gaps on devices that also access company apps & data,” Harrod warned.
“Ensure that you have software active on your device that will help to detect & remediate malicious code & threats to the mobile device.”