QR code usage is on the up in the pandemic, but malicious versions are not something that most people know much about.
Quick Response (QR) codes are very popular, & hackers are starting to exploit this. According to a new study, people are mostly ignorant to how QR codes can be easily abused to launch digital attacks.
The reason QR code use is rocketing is because more physical businesses are not using paper brochures, menus & leaflets that could accelerate the spread of COVID-19. They are using QR codes as an alternative.
MobileIron warns that these QR codes can be malicious. In a study published Tues., the mobile device management firms found that 71% of survey respondents said they cannot distinguish between a legitimate & malicious QR code.
QR codes (the “QR” means “Quick Response”) lets users to scan a special code with their phone’s camera, to automatically perform an action.
These shortcuts usually open a website.
However, they can be programmed to perform any no. of mobile actions, including drafting emails, placing calls, opening marketing collateral, opening a location on a map & automatically starting navigation, opening a Facebook, Twitter or LinkedIn profile page or starting any action from any app, e.g. opening PayPal with a pre-seeded payment handle.
Observes a survey from MobileIron, of more than 2,100 consumers across the US & the UK, QR codes are becoming fully integrated into people’s lives, especially as the pandemic continues to rage. 64% of respondents suggested that QR codes make life easier in a no-touch world. For instance, a common application is for restaurants to link to virtual menus rather than provide real ones.
47% of respondents have noticed an increase in their QR code use since COVID-19 hit. About 84% of people said they have scanned a QR code before, with 32% having done so in the past week & 26% having done so in the last month.
The QR codes are appealing targets to hackers because the mobile user interface prompts users to take immediate actions, while limiting the amount of information.
Mobile users are less careful than they are when using a laptop or desktop. 51% of respondents in the survey suggested they do not have, or do not know, if they have security software installed on their mobile devices.
“Hackers are launching attacks across mobile-threat vectors, including emails, texts & SMS messages, instant messages, social media & other modes of communication,” observed Alex Mosher, Global VP of Solutions at MobileIron, in new data released Tues. “I expect we’ll soon see an onslaught of attacks via QR codes.”
Example attack situations include an attacker embedding a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned, he added. The QR code could point to a phishing site that looks to harvest credentials, or other personal & corporate information.
67% in the survey are aware that QR codes can open a URL, but they are less aware of the other actions that QR codes can start. 19% believe scanning a QR code can draft an email; 20% believe scanning a QR code can start a phone call, & 24% believe scanning a QR code can initiate a text message. A 3rd, 35%, commented they do not know whether hackers can even target victims using a QR code.
This area deserves greater attention, especially because 53% of survey respondents commented they would like to see QR codes used more widely in the future. This includes potentially risky applications, like voting. 40% of people in the survey said they would vote using a QR code received in the mail. However, Apple Pay users may soon be able to make payments via QR codes, using Apple Wallet.
“Companies need to urgently rethink their security strategies to focus on mobile devices,” concluded Mosher.