How attackers exploit QR codes and how to mitigate the risk

Among the many technological impacts of the coronavirus pandemic is a rise in the use of QR (Quick Response) codes. Naturally, bad actors are taking advantage of this opportunity and the vulnerabilities of this mobile technology to launch attacks. Security teams need to be on top of this threat. The QRurb Your Enthusiasm 2021 report by endpoint management and security provider Ivanti shows that global QR code usage and use cases are up. That’s in large part because the codes make life easier in a world in which contactless transactions have become desired or required.

However, organizations lag behind on security against QR-code-enabled threats. For example, 83% of respondents said they had used a QR code for a financial transaction in the past three months, but most of them were unaware of the risks. Only 47% knew that scanning a QR code could open a URL and 37% knew that it could download an application. Consumers have scanned codes at retail stores, restaurants, bars, and other establishments, and many want to see QR codes used more broadly as a payment method in the future. At the same time, the report noted, more people are using their own unsecured devices to connect with others, interact with a variety of cloud-based applications and services, and stay productive as they work remotely. It said they’re also using their mobile devices to scan QR codes for everyday tasks, putting themselves and enterprise resources at risk.

QR exploitation is simple and effective

Attackers are capitalizing on security gaps during the pandemic, the report says, and increasingly targeting mobile devices with sophisticated attacks. Users are often distracted when on their mobile devices, making them more likely to be victimized by attacks. Attackers can easily embed a malicious URL containing custom malware into a QR code that could then exfiltrate data from a mobile device when scanned, the report says. They could also embed a malicious URL into a QR code that directs to a phishing site and encourages users to divulge their credentials.

“By their very nature, QR codes are not human-readable. Therefore, the ability to alter a QR code to point to an alternative resource without being detected is simple and highly effective,” says Alex Mosher, global vice president at MobileIron. Nearly three-quarters of those surveyed in the study can’t distinguish between a legitimate and malicious QR code. While most are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate, the report said.

Mobile device attacks threaten both individuals and businesses, Mosher says. “A successful attack on an employee’s personal mobile device could result in that individual’s personal information being compromised or financial resources being depleted, as well as sensitive corporate data being leaked,” he says.

How attackers exploit QR codes

What can make QR code security threats especially problematic is the element of surprise among unsuspecting users. “I’m not aware of any direct attacks to QR codes, but there have been plenty of examples of attackers utilizing their own QR codes in the course of attacks,” says Chris Sherman, senior industry analyst at Forrester Research. “The main issue is that QR codes can initiate several actions on the user’s device, such as opening a website, adding a contact, or composing an email, but the user often has no idea what will happen when they scan the code,” he says. “Normally you can view the URL before clicking on it, but this isn’t always the case with QR codes.”

A common attack involves placing a malicious QR code in public, sometimes covering up a legitimate QR code, and when unsuspecting users scan the code they are sent to a malicious web page that could host an exploit kit, Sherman says. This can lead to further device compromise or possibly a spoofed login page to steal user credentials. “This form of phishing is the most common form of QR exploitation,” Sherman says. QR code exploitation that leads to credential theft, device compromise or data theft, and malicious surveillance are the top concerns to both enterprises and consumers, he says.

If QR codes lead to payment sites, then users might divulge their passwords and other personal information that could fall into the wrong hands. “Many websites do drive-by download, so mere presence on the site can start malicious software download,” says Rahul Telang, professor of information systems at Carnegie Mellon University’s Heinz College. “Mobile devices in general tend to be less secure than laptops or computers. Since QR codes are used on mobile devices, [the] possibility of vulnerability is higher, too.” Because many of these mobile devices are used within the context of enterprise IT, the infiltration of the devices can become a security weak point for organizations, he says.

Recently the CEO of a British technology company warned the UK government about potential serious flaws in the security of personal information and data used in a new contact tracing app that relies on QR code scanning technology. The technology can be subject to a process called “attagging” or cloning, according to Louis James Davis, CEO of VST Enterprises. With attagging, a genuine QR code is replaced by a cloned QR code that redirects users to a similar website where personal data can be intercepted and breached.

How QR codes enable qishing

Qishing is the term for phishing attempts that use QR codes. Attackers like QR codes because they can direct unsuspecting victims to a malicious website or trick them into downloading malware and do it in a way that is less detectable than other phishing methods. According to recent Trustwave SpiderLabs research, QR codes require shorter HTML source code to embed a malicious link. Most email filters check message content to block suspicious URLs, so qishing presents fewer “red flags” for defenses to detect.

Qishing emails appear similar to phishing emails, the main exception being the inclusion of a QR code. Both mimic messages from legitimate companies. As the SpiderLabs research points out, qishing emails are often disguised as multifactor authentication notifications from popular brands such as Microsoft or DocuSign. The attacker hopes to trick the victim into thinking their session has expired and they must authenticate again. Using the QR code sends the victim to a fake web page that asks for account and credential information.

How to mitigate the risk of QR code exploits

Individuals and organizations can take steps to help mitigate the risk of QR code security threats. Some of this involves using common sense. For example, users can make determinations about the legitimacy of codes prior to scanning them. “Before scanning a code, especially one on printed material in a public place, make sure it hasn’t been pasted over with a different–and potentially malicious–code,” Mosher says. In fact, it’s best not to use QR codes that look to be altered in any way, Sherman says.
In addition, “Pay attention to the URL you’re being directed to, although this is not always possible to do before visiting the site, as some codes won’t show the URL beforehand,” Sherman says. “Never log into an app using a QR code.”

Because phishing attacks are among the more significant risks with QR codes, users need to be vigilant in making sure they are on a legitimate site, Telang says. “Enterprises have to be careful and should have a unified endpoint solution that gives them [the] ability to secure every device without affecting productivity,” he says.
It’s also critical to have device security such as mobile threat defense and exploit protection on all devices used to access corporate resources, Sherman adds.

Another good practice is to make sure the organization presenting any QR codes to the public is legitimate. “If the source of the QR code seems sketchy, don’t scan,” Mosher says. It’s best to avoid URLs that differ from the legitimate URL of a company, especially if it redirects a user to a different site, he says.
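The advice above (know what action a code will trigger, and compare the destination with the organization's real URL) can be automated in a scanner app or mail gateway once the QR image has been decoded. The following is an added example, not code from the report or any vendor quoted here; the function name, the prefix table (common QR payload conventions, covering a few more action types than the article lists) and the sample domains are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Payload prefixes and the device action they usually trigger (assumed table).
ACTIONS = {
    "mailto:": "compose email",
    "tel:": "dial number",
    "sms:": "compose SMS",
    "smsto:": "compose SMS",
    "wifi:": "join Wi-Fi network",
    "begin:vcard": "add contact",
    "mecard:": "add contact",
}

def classify_qr_payload(payload, expected_domains):
    """Return (action, findings) for an already-decoded QR payload string."""
    text = payload.strip()
    lowered = text.lower()
    for prefix, action in ACTIONS.items():
        if lowered.startswith(prefix):
            return action, ["non-URL action: confirm with the user before acting"]
    if not lowered.startswith(("http://", "https://")):
        return "other", ["not a web URL: show raw content, do not auto-open"]
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "open URL", ["malformed URL"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # "https://brand.example@other.host/" really goes to other.host
        findings.append("userinfo before '@' can disguise the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (possible lookalike)")
    # Exact match or true subdomain only; a substring match would be fooled.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append(f"host '{host}' is not an expected domain")
    return "open URL", findings

if __name__ == "__main__":
    # Constructed sample payloads using reserved example domains.
    samples = [
        "https://pay.example.com/checkout",
        "http://example.com.signin.test/login",
        "https://example.com@portal.example.net/",
        "WIFI:T:WPA;S:CafeGuest;P:constructed-pass;;",
    ]
    for s in samples:
        print(s, "->", classify_qr_payload(s, ["example.com"]))
```

An empty findings list means only that the destination matches the expected domain; the landing page itself still needs the usual phishing checks.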

In general, cybersecurity and IT teams–and enterprises as a whole–need to be aware of the risks involved with QR codes. That’s especially true with the increasing use of mobile devices and apps. “Use of mobile has become much more prevalent, especially during this pandemic,” Telang says. “Add this to the fact that QR code use has exploded as well. It is natural that unscrupulous hackers will try to take advantage of both these facts.”
