Does QRosity kill the cat?
You’re out and about and stumble upon a colorful sticker with a QR code and a tempting invitation written all over it: “Scan me!” You could take your phone out and see where the QR leads you, after all, it’s probably just a PR stunt redirecting to a music band or a restaurant, or you could think twice because it’s just another invitation to malware paradise.
Lately, Quick Response Codes, or QR codes as they’re better known, have started to pop up just about everywhere, and the COVID-19 pandemic just pushed things even further. We have QR certificates, QR tickets, QR restaurant menus. To check the password of your new router you have to scan the QR code on a sticker. To confirm your identity with a streaming platform you simply scan the screen of your TV. To quickly visit a website link, you also scan a QR. To enter a contest, you scan a billboard. It’s fast, it’s convenient, it’s not rocket science and people love it. In fact, they love it so much, that according to a 2020 survey among US and UK users, 73% of people interviewed had scanned a QR in the last month. But convenience comes at a price: unlike a regular URL you click on a computer, you have no clue of what’s behind the little black and white pixelated square. It could be harmless, but it could also mean trouble, for example, a URL leading to malware, or a phishing site, or another questionable website.
Case in point: Heinz. In 2014 the food giant printed special QR codes on all ketchup bottles prompting users to visit a website and design their own personalized label. The problem is they forgot to renew their registration of the domain name. Another party immediately seized the opportunity and started using the domain, in turn that led to a very confused German gentleman watching an inappropriate video on his lunch break.
But saucy ketchup isn’t the biggest problem when dealing with a QR code. Cyber attackers can also deliver malicious QR codes via instant messages, social media, email or SMS. They can print dummy QR codes and stick them over legitimate ones, or they can exploit bugs in a code reader, like the ones discovered in IOS 11. From there on, they can trick you into infecting your phone with malware or lead you to a phishing site to steal your credentials. A particularly worrying case of QR exploitation is that of bitcoin thieves using fake Bitcoin-to-QR code generators to scam victims out of 7 BTC ($45,000).
Even without a security issue, there may still be privacy issues. According to the National Restaurant Association, half of the full-service restaurants in the US use scannable QR codes. But every time you scan a menu, you also give some personal information. As The New York Times reported, QR codes have increased businesses' ability to track and analyze customer behavior, with some apps collecting personal data such as order history, emails, and phone numbers. That data can then be kept for in-house use or can be sold to marketers and advertisers.
So, what should you do? Should you stop going to restaurants? Should you stop using QR codes altogether? Of course not. But you could be more cautious. Never scan a QR code from a source you don’t trust, whether it is in an email, a message, or a physical place. Never log into an app using a QR code, it could be phishing. Use a secure QR reader application and a reliable QR code generating tool. When scanning a physical QR sticker, if possible, feel the QR code to see if a sticker has been applied over it.
However, accidents can still happen even to the most cautious of us, and your mobile phone is definitely an attractive target for cybercriminals. That’s why Bitdefender Mobile Security, for both Android and iOS users, protects your device from a wide range of attacks and lets you enjoy your phone even more.
The Holiday Guide to Tech Support: Fixing the Family Computer
November 24, 2021
Bitdefender Celebrates 20 Years of Cybersecurity Leadership
November 04, 2021
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
October 26, 2021
What are drive-by download attacks and how do you prevent them?
October 25, 2021
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks
October 22, 2021
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals
October 20, 2021