CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
A Quick Response (QR) code is a type of matrix bar code which can be easily read by an imaging device such as a smartphone camera. Cheap and easy to implement, it has become key to a wide range of applications, such as cashless transactions and providing quick access to websites. Amidst the current COVID-19 pandemic, Singapore has extensively deployed the SafeEntry QR code to perform contact tracing, which would be an everyday activity to most of us by now. The increasing prevalence of QR codes has, however, also provided additional avenues for cybercriminals to exploit. This issue of CyberSense highlights QR code-related cyber threats and why this seemingly innocuous and simple code can pose cybersecurity concerns.
HOW SECURE ARE QR CODES?
Security concerns about QR codes have long existed, but new malicious activity has also emerged recently as countries and firms turned to digital services and platforms in response to the COVID-19 pandemic. Threat actors have been observed to leverage QR codes for malicious purposes in various ways:
a. Counterfeit QR Codes.QR codes can be used to facilitate phishing and cybercrime. Given that it is almost impossible to visually identify malicious QR codes from legitimate ones, victims can be duped into scanning codes in phishing emails or messages, directing them to malicious websites or installing malware. Cybercriminals can also exploit the increasing usage of QR codes for payments, replacing merchants’ QR codes with their own fake payment URLs.
b. Quick Response Code Login Jacking (QRLjacking). QRLJacking is a social engineering attack where a threat actor hijacks applications relying on the Login in with QR code feature* to gain access into the user’s account or information. The implications for the Single Sign-On system (SSO)** are higher, as a successful compromise may allow the threat actors to gain access to multiple accounts.
*In a QR code-based login, users scan the QR code generated by the service they are trying to authenticate and gain access to, following which a client application, typically on mobile phones, will validate the identity.
**SSO allows a user to authenticate for multiple services with one single account.
The global rise in cashless payments will create more opportunities for scams in which financially motivated threat actors could focus on in the near future. Some high-profile cases where threat actors leveraged QR codes as part of their operations are as follows:
a. Aug 2020 – Researchers reported a phishing campaign targeting Banco do Brasil customers, via an e-mail masquerading as the bank. The e-mail listed out a set of instructions in a non-malicious PDF file containing a QR Code for account holders to update their account. The QR code, however, redirects the user to a phishing site, which harvested their credentials and at the same time, delivered malware into their devices.
b. Sep 2019 – QR code fraud has also affected the cryptocurrency markets. In this case, when the victim entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address which diverted the payment to the threat actor instead.
c. Jul 2019 – Two were arrested in the Netherlands after they used a QR code scam to rob dozens of people of tens of thousands of euros. The perpetrators asked individuals to help them pay their parking fee by scanning a QR code in exchange for cash, which instead transferred money out from their accounts.
Besides delivery through traditional means such as e-mail, malicious QR codes could easily be distributed via messaging and social media apps such as WhatsApp and Wechat, with the potential of going viral. For QR codes displayed in public, criminals can even print their own QR codes to paste over merchants’ payment codes; it was reported that some US$13M was lost in this manner to criminals in Guangdong, China back in 2017.
WHY SHOULD WE BE CONCERNED?
A survey of 2,100 consumers across the United States and United Kingdom found that mobile users do not understand the potential risks of QR codes, and nearly 71 percent of respondents cannot tell the difference between a legitimate and malicious QR code. Locally, results from CSA’s 2019 Cybersecurity Public Awareness Survey showed that only four percent of the 1,000 Singaporeans polled could identify all the phishing e-mails correctly. Less than half installed security applications in their mobile devices, while most of them continued to believe that they would not fall victim to cyber threats.
Although the cases cited above are generally isolated incidents, QR code-related threats may pose security concerns due to the following factors:
a. Ubiquity of cashless transactions. Singapore’s push for cashless transactions expands the attack surface for QR code-related threats. For example, under the Hawkers Go Digital initiative, stallholders are encouraged to adopt a unique Singapore Quick Response (SGQR) Code label at their stall. These QR codes are displayed publicly, and can easily be accessed or spoofed by scammers and cybercriminals.
b. Circumventing corporate security controls. Researchers have identified a novel tactic where victims receive an e-mail in their office accounts with a QR code, embedded with a SharePoint branded phishing site, to review a document. This scenario illustrates a tactic which lures corporate users from the protection of security controls under the corporate business network to their personal devices, which have much weaker protection.
To avoid falling victim to threats such as QRLJacking, organisations can consider implementing a confirmation message/notification to users displaying characteristic information about the session made by the client/server, and set a time limit (usually within three minutes) to complete each login session. Restricting authentication processes based on different networks and/or different locations will also reduce the attack surface. Companies should also consider deploying mobile threat defence solutions for devices with access to corporate apps and data. This will help detect and remediate mobile threats, which also includes malicious QR codes. Consumer vigilance is also key. Although payment providers utilising SGQR code have in-built security features into their apps to help detect and prevent fraud payments to fake merchants, consumers should still take safety measures to protect themselves.