SecureScan - Be sure before you scan



It is almost impossible to go through your day without setting your eyes on a QR code: printed on products in the supermarket, on tickets you get on the bus, on posters on the wall and everywhere on the internet. In the last decade, QR codes have become popular due to the ubiquitous ownership of smart phones and their use by marketers for advertisements. QR code technology has become part of our everyday lives, woven into various digital activities to provide access to information.

A QR code can be described as a physical hyperlink that provides encoded information when scanned by a smart phone or a QR code scanner. A QR code, or Quick Response code, is a two-dimensional matrix barcode developed by the company Denso Wave in 1994. It was invented to keep inventory of automobile parts from Denso Wave's parent company Toyota in the chain of production. It can hold a large amount of information represented by numeric, alphabetic, kanji and kana characters, including symbols, binary data and control codes.

A very common use of QR codes is by marketers, who encode website links in QR codes and paste them on posters, business cards, billboards etc. This approach makes it easy for a smart phone user to scan the QR code and access the website in no more than a click or two. Other examples of information that could be advertised to users are an email address, a phone number, a long piece of text, a geo-location etc. The evolution of the QR code has seen the invention of different types and versions to suit sophisticated needs. The need for QR codes to be printed in smaller physical sizes and placed on micro products brought about the Micro QR code. The Micro QR code can be of a width of 2 modules (a module is the smallest element, either black or white, on a QR code) and still be viable. The largest version of the Micro QR code is M4 (17x17 modules), holding up to 35 numbers.

A Secure QR Code (SQRC) has an information security function that restricts reading of private data. SQRC can be used for distributing private, confidential information to authorised people. Frame QR is a QR code with a “canvas area” where images, logos or letters can be inserted. Frame QR can be used for promotion, authenticity judgement codes etc. These and other QR code types exist to serve several purposes.

However, there are security issues that undermine trust in the use of QR codes to access web resources. A more worrying issue is that most people are unaware of these security issues or threats and have no idea how to protect themselves against social engineering and phishing attacks when using QR codes. Attackers can use QR codes as an attack vector leading to several forms of attack targeting the users themselves, the user’s device or the back-end systems that try to serve the request generated from the QR code scan. Even though the QR code was designed to be machine readable only, a proof-of-concept phishing attack using QR codes as attack vectors shows how the content of a QR code can be changed just by turning white modules (pixels) to black and vice versa. Unsuspecting users who cannot distinguish between a valid and a maliciously altered QR code may be redirected to malicious websites to generate traffic, or directed to a website designed to steal user information or download malware onto the user’s device.

Social engineering attacks that involve manipulating a target to click on an unknown link now make use of QR codes instead of malicious links. This is because the QR code is effective at completely masking the details of the link prior to scanning. Humans cannot tell the difference between a malicious QR code and a non-malicious one. The social engineer generates a working QR code that directs or redirects people to an attack vector, which in most cases is a malicious website. This makes the QR code a viable tool for the cyber-criminal. The QR code as an attack vector is listed as 8th in the social engineer kit.

When a user scans a QR code in the wild without performing a security check on the QR code, the user can be at risk of being exposed to malware. An attacker can simply encode into a QR code a malicious URL containing custom malware. Some of these websites forcefully download malware onto your device as soon as you visit the website. It does not require any action or button click to trigger a download. Malware can be a virus, worm, trojan horse, rootkit, ransomware, keylogger, adware etc. Depending on what malware is being used, the attacker can exfiltrate personal data and system information from the user’s device, listen to communications or keystrokes from the device or perform a denial of service.

An example of an attack in Russia involved a malicious QR code that sent an SMS to a premium number that cost $5 just by scanning the QR code. The attacker may also direct the user to a phishing site where the user may reveal login credentials like passwords and PINs. This is very dangerous because the attacker may use QR phishing to gain access to your company’s confidential information. If the user uses the same login credentials that have been compromised for other websites, company accounts or bank accounts, the attacker may use software that crawls the internet for other sites with that user’s login credentials. Depending on the goal of the attacker, the ripple effect of scanning a malicious QR code can be very detrimental. Social engineering attacks build on these attacks with more specific attacks like spear phishing, zero days, ransomware and the like. Leaving a poster with a QR code in the parking lot of the university (instead of the traditional attack with a USB drive) offering a discount at a nearby restaurant is a new attack vector which is very likely to be successful.

Very few articles and research papers try to create awareness of QR security and warn people to take safety precautions when scanning QR codes. Many users either are not aware of, or ignore, security warnings that can help safeguard against cyber-attacks. Here are some pre-scan security tips that are useful in pointing out malicious codes and protecting yourself online:

· Users should check for https in the URL when scanning a QR code. For example, if the URL pointed to is https://www.amazon.com/xxx, the user can tell the URL is a secure URL. HTTPS is a more secure version of HTTP that uses SSL/TLS protocols for authentication and encryption. Authentication means that the server’s certificate has been signed by a publicly approved certificate authority (CA). CAs validate the domain and organisation (business or individual) before issuing a digital certificate (SSL.com Support Team 2021).

· Users should not fill in any personal information or payment forms that are presented when they scan a QR code. This could be a phishing attack to get access to information from the user. The user should check and make sure the site they are on is a legitimate site before proceeding to share any information.

· QR codes on posters in the wild should have the URL link on the poster so that users can confirm they are on the actual site.
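An added example, not part of the original article: a small Python pre-check for the text decoded from a QR code, applying the https tip and the printed-URL tip above and flagging payloads that trigger an action instead of opening a page, such as the premium SMS case. The function name, the scheme list and the sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Schemes that trigger an action instead of opening a web page
# (assumed list for this example, not exhaustive).
ACTION_SCHEMES = {"sms", "smsto", "tel", "mailto", "geo"}


def check_qr_payload(payload, printed_url=None):
    """Return a list of warnings for a decoded QR payload; an empty list means no finding.

    printed_url is the link shown in plain text next to the code (third tip), if any.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in ACTION_SCHEMES:
        return [f"payload triggers a '{scheme}' action, not a web page"]
    if scheme not in ("http", "https"):
        return ["payload is not a web URL"]

    warnings = []
    if scheme != "https":
        warnings.append("URL does not use https")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
    # Text before '@' is user info, not the site: the real host comes after it.
    if parts.username or parts.password:
        warnings.append("URL embeds user info before the host (user@host)")
    if printed_url is not None:
        if "://" not in printed_url:
            printed_url = "https://" + printed_url
        printed_host = (urlsplit(printed_url).hostname or "").lower()
        if printed_host != host:
            warnings.append(f"host '{host}' differs from printed host '{printed_host}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads; the phone number and example.test host are placeholders.
    samples = [
        ("https://www.amazon.com/xxx", "www.amazon.com"),
        ("http://www.amazon.com/xxx", "www.amazon.com"),
        ("https://www.amazon.com@login.example.test/xxx", "www.amazon.com"),
        ("sms:+10000000000?body=JOIN", None),
    ]
    for payload, printed in samples:
        print(payload, "->", check_qr_payload(payload, printed) or "no warnings")
```

An empty result only means none of these checks fired; the second tip about verifying the site before entering any information still applies.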

Thank you for reading. Watch out for Part 2.

Jane Smith
