Categories: Security

Can a QR Code Be Used in a Phishing Attack

QR codes, or Quick Response codes, are an easy method for companies to transmit data to customers. Similar to a bar code, users can scan the QR code to save contact information, visit a URL, or compose a message. These codes are useful for companies and consumers, as they save time and prevent users from manually typing out texts. Unfortunately, relying on QR codes means trusting that the link is safe, an assumption which is sometimes not true. Make sure that the QR code you scan is trustworthy and free of malware by running the Full Virus Scan feature after:

Rather than taking a chance with an unknown code, you should rely on this complete virus scan to check for threats on your smartphone and SD card. Although QR codes cannot be hacked, they’re often plagued by phishing attempts, spelling out trouble for mobile users.

Phishing Tactics
Though more involved than phishing through emails or false site links, QR phishing is still the biggest security breach when it comes to QR codes. These codes are most often displayed in public places, used to direct smartphone users to a company’s website. Hackers will replace these QR code posters or produce their own false posters, both with fake codes which will redirect mobile users to phishing websites. These websites will often appear identical to the real deal; the layout of mobile websites will make it difficult to check the website’s full address.

In one instance, a malicious QR code in Russia sent a text message to premium numbers, an attack which charged each number $5 per text message. In these and similar instances, most attacks targeted Android devices. In other situations, websites that users were directed to ran browser exploits, a malicious code which takes advantage of vulnerabilities in operating systems. Browser exploits are able to enable microphone and camera access, send emails, and join a botnet in order to carry out a DDoS attack on a website. Due to the nature of browser exploits, Android users will be unable to tell that their device is being attacked.

Protect Yourself
To protect yourself, and your phone, from malicious QR codes, make sure to fully examine the poster from which you’re scanning the code. Many times scammers will place the fake QR code above the real one, which can be checked by touching the poster. Be suspicious of the page you land on through the QR code and never share personal or login information. While manually typing in the URL may be more time consuming, this is often the safest way to access a website.

PSafe Newsroom

The dfndr blog is an informative channel that presents exclusive content on security and privacy in the mobile and business world, with tips to keep users protected. Populated by a select group of expert reporters, the channel has a partnership with dfndr lab's security team. Together they bring you, first-notice news about attacks, scams, internet vulnerabilities, malware and everything affecting cybersecurity.