How can you safeguard yourself from harmful versions of these mobile shortcuts, and what should we be on the lookout for?
You’re right if it seems like QR codes are now present everywhere. Businesses all around the world have benefited from QR codes since the Japanese auto industry utilized them to expedite manufacturing procedures. Every industry, from retail to healthcare, is now using them as a quick and simple way to link people to websites, promotional campaigns, store discounts, patient medical records, mobile payments, and much more. They are easy to deploy and can be applied to almost anything.
Not only are QR codes affordable and easy to use. Additionally, they are crucial, particularly in a world where contactless purchases have taken over. Additionally, the majority of us now have smartphones, and almost all of them can read QR codes natively without the need for a third-party program. Clearly, QR codes are having a moment.
𝐖𝐡𝐚𝐭 𝐄𝐱𝐚𝐜𝐭𝐥𝐲 𝐀𝐫𝐞 𝐭𝐡𝐞 𝐑𝐢𝐬𝐤𝐬 𝐨𝐟 𝐐𝐑 𝐂𝐨𝐝𝐞𝐬?
To move the pixelated dots in the code’s matrix, a hacker would need to have some serious talents. Instead, hackers have discovered a much simpler technique. This entails inserting harmful software onto QR codes (which can be generated by free tools widely available on the internet). These codes all appear the same to the normal user, however a rogue QR code might lead a user to a phony website. On a smartphone, it can also be used to steal personal information or run malicious software that causes the following:
- 𝐀𝐝𝐝 𝐚 𝐜𝐨𝐧𝐭𝐚𝐜𝐭 𝐥𝐢𝐬𝐭𝐢𝐧𝐠: Hackers can add a new contact listing on the user’s phone and use it to launch a spear phishing or other personalized attack.
- 𝐈𝐧𝐢𝐭𝐢𝐚𝐭𝐞 𝐚 𝐩𝐡𝐨𝐧𝐞 𝐜𝐚𝐥𝐥:By triggering a call to the scammer, this type of exploit can expose the phone number to a bad actor.
- Text someone: In addition to sending a text message to a malicious recipient, a user’s contacts could also receive a malicious text from a scammer.
- 𝐖𝐫𝐢𝐭𝐞 𝐚𝐧 𝐞𝐦𝐚𝐢𝐥: Similar to a malicious text, a hacker can draft an email and populate the recipient and subject lines. Hackers could target the user’s work email if the device lacks mobile threat protection.
- 𝐌𝐚𝐤𝐞 𝐚 𝐩𝐚𝐲𝐦𝐞𝐧𝐭: If the QR code is malicious, it could allow hackers to automatically send a payment and capture the user’s personal financial data.
- 𝐑𝐞𝐯𝐞𝐚𝐥 𝐭𝐡𝐞 𝐮𝐬𝐞𝐫’𝐬 𝐥𝐨𝐜𝐚𝐭𝐢𝐨𝐧: Malicious software can silently track the user’s geolocation and send this data to an app or website.
- 𝐅𝐨𝐥𝐥𝐨𝐰 𝐬𝐨𝐜𝐢𝐚𝐥-𝐦𝐞𝐝𝐢𝐚 𝐚𝐜𝐜𝐨𝐮𝐧𝐭𝐬:The user’s social media accounts can be directed to follow a malicious account, which can then expose the user’s personal information and contacts.
- 𝐀𝐝𝐝 𝐚 𝐩𝐫𝐞𝐟𝐞𝐫𝐫𝐞𝐝 𝐖𝐢-𝐅𝐢 𝐧𝐞𝐭𝐰𝐨𝐫𝐤: A compromised network can be added to the device’s preferred network list and include a credential that automatically connects the device to that network.
𝐄𝐚𝐬𝐲 𝐓𝐡𝐢𝐧𝐠𝐬 𝐖𝐞 𝐂𝐚𝐧 𝐀𝐥𝐥 𝐃𝐨 𝐭𝐨 𝐌𝐢𝐧𝐢𝐦𝐢𝐬𝐞 𝐭𝐡𝐞 𝐑𝐢𝐬𝐤𝐬
As scary as these exploits are, they aren’t inevitable. Educating people about the risks of QR codes is a good first step, but companies also need to step up their mobile security game to protect against threats like spear phishing and device takeovers.
𝐖𝐡𝐚𝐭 𝐔𝐬𝐞𝐫𝐬 𝐂𝐚𝐧 𝐃𝐨
- Take a good look first: Make sure the QR code is legitimate, especially printed codes, which can be pasted over with a different (and potentially malicious) code.
- Only scan codes from trusted entities: Mobile users should stick to scanning codes that only come from trusted senders. Pay attention to red flags like a web address that differs from the company URL — there’s a good chance it links to a malicious site.
- Watch out for bit.ly links: Check the URL of a bit.ly link that appears after scanning a QR code. These links are often used to disguise malicious URLs, but they can be safely previewed by adding a plus symbol (“+”) at the end of the URL.
𝐖𝐡𝐚𝐭 𝐂𝐨𝐦𝐩𝐚𝐧𝐢𝐞𝐬 𝐂𝐚𝐧 𝐃𝐨
Ideally, your business has a mobile threat defense system that can guard against man-in-the-middle assaults, phishing scams, device takeovers, and harmful app downloads. (If not, contact us; we can assist.) Due to the fact that enterprise security is only as strong as your company’s weakest link, you must make sure that any solution is installed on every device that accesses corporate apps and data. Additionally, inform users of what it doesn’t defend against and what it does.
If nothing else, this is the moment to think about doing away with password-based access to corporate and cloud programs, which is currently one of the leading sources of data breaches. Password less multi-factor authentication makes everyone (except cybercriminals) much happier and more productive because it removes both the threat of stolen passwords and the effort of maintaining them.