During the Super Bowl, Coinbase ran a 60-second advertisement. The ad featured a color-changing QR code bouncing around the screen, imitating the iconic bouncing DVD logo. Users who scanned it were directed to Coinbase's promotional website, where new users were offered $15.00 of free BTC for signing up and existing users were entered into a $3 million raffle. This advertising technique has caused a small controversy in the industry, as some argue it teaches users that it is okay to scan unknown QR codes.
Today, QR codes are used in a range of malicious attacks. They can be used for phishing (also known as Qshing, Qishing, QRishing, or Qphishing) to steal user information, and for spreading malware through "drive-by downloads," attacks in which simply visiting a site initiates a malicious software download. QR codes can also connect a phone to a malicious network, allowing attackers to view the webpages the victim visits, along with any user credentials and payment information submitted while connected. QR codes can also encode monetary payment requests, so an attacker can collect payments from victims while posing as a reputable vendor. Other uses include adding unfamiliar contacts, initiating phone calls, composing emails, sending text messages, and downloading apps.
Recently, there have been a few notable instances of real-world QR attacks. In Austin, TX, parking meters were defaced with stickers bearing malicious QR codes. The State Bank of India told its customers to use caution when scanning QR codes for transactions, going so far as to send multiple tweets with safety tips. Lastly, there has been an uptick in criminals using QR codes in malicious emails, because a QR code image can get around the content filtering protections put in place by email providers. Additionally, when users scan a QR code, they view the resulting page on their phone, which usually provides fewer protections.
Attacks using QR codes are fairly cheap and easy to create. For example, an attacker would start with a typo-squatted domain. A typo-squatted domain is a URL that differs from the intended URL, usually through misspellings or a different domain ending, and that does not belong to the person or business the victim intends to visit. These are commonly used in malicious attacks as a way to fool the victim into believing they are visiting the proper webpage. Using the typo-squatted URL, the attacker then builds a replica website that looks like the real one. This will either fool the victim into providing credentials (a phishing attack) or let them keep browsing while malware operates in the background. The attacker can then use one of the many free online tools to generate a QR code. After generating the QR code, the attacker needs to place it somewhere people will find it: on fake posters or signs, on stickers, or over existing QR codes in legitimate spaces. Finally, when the victim scans the code with their phone, they are directed to the malicious website. In our example, a JavaScript alert box displays the traditional steps of a "drive-by download" that would be happening in the background while the webpage loads; the victim, though, would see only the mock menu and proceed as normal.
When scanning QR codes, there are a few ways to avoid being scammed. Consider whether the QR code is from an unknown or suspicious source: for example, a QR code in a place where there are not usually QR codes, such as on a street, or in a place where tampering would be less likely to be noticed, like a poster in a restaurant bathroom. Also avoid oddly placed posters or signs. Do not scan QR codes received via email; as mentioned earlier, QR codes get around email content filters. Ensure the QR code has not been replaced, pasted over, or stickered over. Always view the URL before clicking and check that it is the URL you intend to visit. Use the default camera option on your phone. Most devices, such as Samsung and Apple, have QR scanners built into their cameras. Many third-party scanners will follow a QR code without pause; while this seems convenient, it removes the ability to safely turn back before the page loads if the link looks malicious.
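The checks above (inspect the URL before following it, watch for typo-squatted domains, and treat non-web payloads such as Wi-Fi, phone, SMS, email and payment requests with suspicion) can be automated in a scanner app or a security-awareness tool. The following is an added example, not code from the original article or from Red Sky Alliance; it works on the already-decoded text of a QR code, and the trusted-domain allowlist and the sample payloads are constructed for illustration.

```python
"""Triage a decoded QR payload before acting on it (defender-side check)."""
from urllib.parse import urlsplit

# Constructed allowlist of domains the scanner's owner actually expects to visit.
TRUSTED_DOMAINS = {"coinbase.com", "cityparking.example"}

# Non-URL payload prefixes that trigger an action rather than open a page
# (Wi-Fi join, phone call, SMS, email, contact card, payment request).
ACTION_PREFIXES = ("wifi:", "tel:", "sms:", "smsto:", "mailto:", "matmsg:",
                   "mecard:", "begin:vcard", "bitcoin:", "upi:")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation (assumption: not a public-suffix lookup)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_qr_payload(payload: str) -> tuple[str, str]:
    """Return (verdict, reason) for a decoded payload: 'ok', 'warn' or 'block'."""
    text = payload.strip()
    if text.lower().startswith(ACTION_PREFIXES):
        return "warn", "payload triggers an action (call/SMS/Wi-Fi/payment), not a web page"
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "block", f"unexpected scheme or no host: {parts.scheme or 'none'}"
    domain = registrable_domain(parts.hostname)
    if domain in TRUSTED_DOMAINS:
        if parts.scheme != "https":
            return "warn", f"trusted domain {domain} but plain HTTP"
        return "ok", f"trusted domain {domain}"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return "block", f"{domain} looks like a typo-squat of {trusted}"
    return "warn", f"unknown domain {domain}; confirm before visiting"
```

A verdict of "warn" is meant to surface the full URL or action to the user before anything is opened, which is exactly the pause that many third-party scanners skip.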
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989