
QR Codes are an Emerging Cyberattack Vector


It’s 2023, and QR codes have been ubiquitous for well over a decade now.

In a world where everyone carries a smartphone with built-in cameras, QR codes are so convenient. From downloading a specific mobile app for a particular restaurant you’re visiting to viewing more detailed nutritional information about a frozen dinner, QR codes have a huge range of applications.

Most QR codes decode to internet URLs that can be launched in a web browser from your camera app when you scan them. But their origins are much older than the iPhone, and even older than when most people started using the web. First, Norman Joseph Woodland and Bernard Silver invented the barcode in 1952. The standard gradually penetrated global retail supply chains until barcodes became commonplace on practically every consumer good by the 1980s.

But like anything invented in the 1950s, barcodes are limited in how much data they can communicate. They’re still commonly used today to associate consumer goods with SKUs that are scanned at the cash register. They can only encode a number that is from several to over a dozen digits long, depending on the format. Unique identifiers can be made for possibly a billion products or more. Barcodes are limited in their ability to encode text in the Latin alphabet, as well as in the Japanese Kanji and Kana character sets. Barcodes, including the most common UPC standards, are a one-dimensional encoding format.

The limitations of one-dimensional barcodes were resolved by Masahiro Hara of Denso, a Japanese auto parts manufacturer, in 1994. He invented the QR code, one of the earliest two-dimensional or matrix visual encoding formats. Many other two-dimensional formats have emerged since, such as Snapchat’s Snapcode, but QR codes are by far the most common.

A common method used in phishing attacks is to include hyperlinks in emails, text messages, or social media posts. Many web pages and links to mobile application downloads can deliver malware. Cybercriminals are constantly looking for new ways to exploit their targets. QR codes have become a popular tool for cyberattacks because they can be used to trick users into interacting with malicious URLs. As a result, the use of QR codes in cyberattacks has become a significant problem that cannot be ignored.

SlashNext focuses on threat intelligence related to phishing, and its recent report highlights how cybercriminals have been using QR codes in their cyberattacks. The report identifies two basic types of QR codes: static and dynamic. Static QR codes contain information that doesn’t change, such as a URL for a specific website or a product identifier. A dynamic QR code can be translated to one URL, but the content behind that URL can change significantly over time.

There are many benign uses of dynamic QR codes, such as pointing to an ever-changing weekly flyer. However, a previously benign URL can host malicious content at any point in the future.
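The consequence for defenders is that a verdict on a dynamic QR code must expire. The following is an added example, not code from SlashNext or the original article: it compares a verdict cache that never expires with one that re-resolves the destination. The URLs, the blocklist, the TTL and the redirect table (a stand-in for real HTTP redirects) are all constructed assumptions.

```python
from urllib.parse import urlsplit

MAX_HOPS = 5  # assumed limit on redirect chain length

def resolve(url, redirects):
    """Follow a redirect table (stand-in for HTTP 3xx responses) to the final URL."""
    seen = []
    while url in redirects:
        if url in seen or len(seen) >= MAX_HOPS:
            raise ValueError("redirect loop or chain too long")
        seen.append(url)
        url = redirects[url]
    return url

class VerdictCache:
    """Caches a verdict per QR payload, but only for ttl seconds."""
    def __init__(self, ttl, blocked_hosts):
        self.ttl, self.blocked, self.store = ttl, blocked_hosts, {}

    def check(self, payload, redirects, now):
        hit = self.store.get(payload)
        if hit and now - hit[0] < self.ttl:
            return hit[1]                      # still fresh: reuse the old verdict
        final = resolve(payload, redirects)    # judge where the code leads *now*
        verdict = "block" if urlsplit(final).hostname in self.blocked else "allow"
        self.store[payload] = (now, verdict)
        return verdict

# Constructed data: the printed code always encodes PAYLOAD; only its target moves.
PAYLOAD = "https://qr.example.test/r/abc"
WEEK1 = {PAYLOAD: "https://flyer.example.test/week1"}
LATER = {PAYLOAD: "https://login.bad.example.test/"}   # link repointed afterwards

def demo():
    """Return [first scan, scan a day later] for a never-expiring and a 5-minute cache."""
    out = []
    for ttl in (float("inf"), 300):
        cache = VerdictCache(ttl, {"login.bad.example.test"})
        out.append([cache.check(PAYLOAD, WEEK1, now=0),
                    cache.check(PAYLOAD, LATER, now=86400)])
    return out

if __name__ == "__main__":
    stale, fresh = demo()
    print("never expires:", stale)
    print("ttl=300s     :", fresh)
```
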

Phishing and vishing (voice phishing over the phone) are known cyberattacks that aim to steal sensitive information from individuals. However, the term "quishing" is a relatively new addition to this list. It refers to QR codes that are used to conduct phishing attacks. A recent report by SlashNext identified the typical process of a quishing attack.

  • A cyberattacker creates a QR code that links to malware, whether a malicious webpage or mobile app.
  • A cyberattacker distributes their QR code through printed media like posters or restaurant menus, or through digital media such as emails and social media posts.
  • As with all phishing, the QR code is attached to something that makes the target think it is useful or fun rather than harmful.
  • When the target scans the QR code on their phone, a phishing webpage is loaded or mobile malware is downloaded.
  • Through phished credentials or mobile malware installation, the cyberattacker acquires dangerous access to their target’s phone or online accounts.

In August 2023, researchers identified a phishing campaign that targeted many companies, including a major American energy firm. The campaign impersonated Microsoft with quishing links, and the media used in the campaign said things like, “You are required to set up your dual-factor authentication on your email account today, 06/21/2023. This is an ongoing process for every email account to mitigate email theft and protect your email account. Scan the QR code above with your phone camera to get started.”
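A lure like the one quoted above can be triaged from the message text even before the image is decoded. This added example is not from SlashNext or the original article; it flags mail that pairs a QR image and a scan instruction with an account or deadline pretext. The keyword patterns, the decision rule and both sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage

SCAN = re.compile(r"\bscan\b.{0,60}\bQR\b|\bQR\b.{0,60}\bscan\b", re.I | re.S)
AUTH = re.compile(r"\b(?:(?:dual|two|multi)[- ]factor|2FA|MFA|authentication|password)\b", re.I)
URGENT = re.compile(r"\b(?:required|today|immediately|expires?|suspended)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def quishing_signals(msg: EmailMessage) -> dict:
    """Collect text-side signals; the QR image itself is not decoded here."""
    text, has_image = "", False
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    return {
        "image": has_image,
        "scan_instruction": bool(SCAN.search(text)),
        "auth_theme": bool(AUTH.search(text)),
        "urgency": bool(URGENT.search(text)),
        # Context for the analyst: the destination is carried only by the image.
        "no_text_link": not LINK.search(text),
    }

def is_suspect(msg: EmailMessage) -> bool:
    s = quishing_signals(msg)
    # A QR image plus "scan it" is normal for flyers and menus; it becomes
    # suspect when combined with an account or deadline pretext.
    return s["image"] and s["scan_instruction"] and (s["auth_theme"] or s["urgency"])

def build(subject: str, body: str) -> EmailMessage:
    """Constructed test message with a placeholder image attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder-bytes", maintype="image", subtype="png",
                     filename="code.png")
    return m

LURE = build("Authentication setup",   # body wording taken from the lure quoted above
    "You are required to set up your dual-factor authentication on your email "
    "account today. Scan the QR code above with your phone camera to get started.")
MENU = build("This week's flyer",      # constructed benign counterpart
    "Scan the QR code to see this week's flyer.")

if __name__ == "__main__":
    for name, m in (("lure", LURE), ("menu", MENU)):
        print(name, is_suspect(m), quishing_signals(m))
```
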

We can safely assume that quishing attacks are becoming commonplace. The only major difference between quishing and most other kinds of phishing is that it uses QR codes.

Fortunately, PhishID is capable of protecting your organization from quishing attacks.

PhishID’s technology implements proprietary machine learning AI. When PhishID is operational in your school network and on your institution's different endpoints, PhishID can identify if a QR code link is harmful and alert users if it appears dubious.

Staying on top of the ever-evolving cyber threat landscape is crucial. Be prepared for how emerging cyber exploits can take advantage of convenient technologies like QR codes.