QR Code – Falling Prey to Malicious Websites

by Gosafeonline | 12 April 2018

A Quick Response code (QR code) is a two-dimensional matrix barcode that can store virtually any type of data. It has gained popularity in consumer advertising because it is fast to read and holds far more data than a traditional barcode. QR codes are commonly found on websites, television advertisements, product packaging, posters, magazines and newspapers. To decode one, users simply scan the QR code image using any device with a built-in camera (e.g. a smartphone) and a QR code reader application installed. QR codes are commonly used to encode information such as hyperlinks to websites, Facebook pages, YouTube videos and app downloads, as well as contact details and text information, for the following reasons:

1. Accessing Website's URL: It saves users the hassle of writing down or manually typing the web address. Most QR reader applications will detect the URL and automatically launch the web browser to direct users to the website.

2. Triggering App Launch: Most mobile devices have a set of basic functions including address book, calendar, email, texting and Internet browsing. Once a QR code is scanned, it automatically triggers the basic functions on the user's device. When a QR code containing a phone number is scanned, it prompts the user to call the number and similarly with an encoded Skype contact, it automatically launches Skype and makes a voice call to the Skype contact, provided that the user who scans the QR code has Skype installed.

3. Couponing and Loyalty Marketing: QR code coupons help potential and existing customers capture discounts and marketing promotions easily using their mobile devices. Customers do not need to print and cut out coupons and stash them in boxes or wallets, where they might be lost or forgotten. Users just need to scan the QR code to save the encoded coupon image and data to their mobile devices, and show the image when making their purchases to receive the discount. Besides eliminating the need to print and cut out coupons, QR code coupons are also easy to share.

4. Display Information: It helps users obtain information that interests them just by scanning the image of the QR code. Information displayed from the QR code can be location maps, product information, images, demonstrations and reviews, restaurant menus, etc.

Security Concerns of QR Code

While the advantages of QR codes have made them popular, there are several inherent risks or loopholes associated with them that users need to be aware of.
Phishing: QR codes encoded with a malicious URL are commonly used to direct users to a fake website that requires login details. Users who try to log in through the fake login page will unknowingly provide their login details to the attacker.
Fraud: QR codes used in advertisements, such as special offers, could contain hyperlinks to a malicious website that is made to look like the legitimate website (i.e. cloned). Victims who visit the malicious website might unknowingly provide their credit card details for future fraudulent use.
Malware Propagation: Users might click on a malicious URL encoded in a QR code, which automatically downloads malware. Such malware may be capable of stealing sensitive information on the victim's device without the victim's knowledge.

Tips on Using QR Code

As QR codes become more prevalent, users will be tempted to try them out. To help us to safely use QR codes, let’s look at some tell-tale signs and security tips that we should take note of.

1. To make QR codes accessible, they are commonly placed on posters used for popular advertisements such as movies and contests. Since the notices are easy to spot and obtain, it is easy for an attacker to print and superimpose their own malicious QR codes on top of the legitimate QR codes. If the QR code looks like it was added on to marketing materials, do not scan it. In addition, do not scan QR codes in the form of stickers placed randomly in public places, as they might be from scammers testing out their malicious QR codes.
2. Use a QR code scanner that displays the content of the QR code before launching the associated program on your mobile device. If the content is a URL, the scanner should display the URL and details of the website, and provide you with the URL's safety rating and the option to be redirected to the site by clicking on the URL. This gives you an opportunity to check for a suspicious URL and thus helps you avoid accessing a malicious website.
3. If the QR code leads you to a website that requests your personal information, do not disclose anything until you have verified that the request is legitimate. You should access the website through a browser search instead of the QR code. When in doubt, do not click on any other links or enter any information. You might become the victim of a phishing operation if you input your login credentials after scanning a QR code.
4. Install a mobile security application with antivirus, antispyware and web filtering abilities to protect your mobile devices.
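
The preview step from tip 2, covering the payload types described under "Triggering App Launch", can be sketched as follows. This is an added example, not code from the original article or from any particular scanner app; the function names, the scheme table and the warning checks are assumptions made for illustration, and the checks are local heuristics, not a safety-rating service.

```python
import ipaddress
from urllib.parse import urlsplit

# Payload scheme -> device function it would trigger (constructed, not exhaustive).
ACTIONS = {
    "http": "open browser", "https": "open browser",
    "tel": "dial number", "sms": "compose text",
    "mailto": "compose email", "skype": "launch Skype",
}

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def preview(payload: str) -> dict:
    """Describe what a decoded QR payload would do; never launches anything."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"action": "display as text", "target": text,
                "warnings": ["malformed URL"]}
    action = ACTIONS.get(parts.scheme, "display as text")
    if action != "open browser":
        return {"action": action, "target": text, "warnings": []}
    host = parts.hostname or ""
    warnings = []
    if parts.scheme == "http":
        warnings.append("connection is not encrypted (http)")
    if not host:
        warnings.append("URL has no host name")
    if "@" in parts.netloc:
        warnings.append(f"text before '@' is not the site; real host is {host}")
    if is_ip_literal(host):
        warnings.append("host is a raw IP address, not a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode; displayed name may imitate another")
    return {"action": action, "target": host, "warnings": warnings}

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them.
    for sample in ["https://www.example.com/promo",
                   "http://login.example.com@203.0.113.7/signin",
                   "tel:+6500000000", "skype:example.user?call"]:
        print(sample, "->", preview(sample))
```

A scanner built this way shows the action, the real target host and any warnings, and only launches the browser, dialler or app after the user confirms.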