Get a free application, infrastructure and malware scan report - Scan Your Website Now

Hackers Tampering with QR Codes To Steal Money – FBI Warns!!

Posted DateSeptember 20, 2022
Posted Time 4   min Read

“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes.” – FBI warns about malicious QR Codes

From making contactless payments on mobile payment apps and viewing paperless menus to contact tracing Covid-19 cases, QR (Quick Response) codes are everywhere and in popular usage. This ubiquity and convenience have also made QR codes popular and lucrative targets for cybercriminals who leverage malicious QR codes to illegally gain access to confidential information, spread malware, or steal money.

With QR code exploits rising, businesses and users must protect themselves against malicious QR codes.

How Do Cybercriminals Use Malicious QR Codes? 

QR codes, functioning similarly to barcodes, are square configurations of black and white squares contained within a larger square to store encoded data. QR codes are easier to scan and read than barcodes. QR codes can be read using a smartphone camera, provide quick and easy access to a website, direct payment to a recipient, prompt to download an app, link to a PDF file, and so on.

QR codes, by themselves, are secure and cannot be directly attacked. However, it is extremely easy for attackers to generate their malicious QR codes. They could tamper with digital and physical codes to replace legitimate ones with malicious QR codes. They could tamper with the pixelated dots using online tools so that an average user may not notice the difference in the code.

Attackers can also embed a malicious link containing malware into a QR code. So, when the unsuspecting victim scans the QR code, it automatically downloads and activates malware in their device. Or the malicious QR code may redirect them to a phishing website where the attacker may coax the user into doing their bidding.

Types of Threats that Leverage Malicious QR Codes 

  • Replacing legitimate codes in public spaces or unattended codes in shops with malicious codes
  • Quishing or QR-code-based phishing attacks 
  • QRL-jacking or QR-based-clickjacking attacks
  • Email-based QR code phishing attacks

What Can Organizations Do to Protect Against Malicious QR Codes? 

qr code protection

Secure All Devices with a Robust Security Solution 

With the rise of remote working and BYOD, employees often use personal devices and smartphones to access corporate networks and resources. So, suppose an employee were to download malware or share login credentials on a fake website after scanning a malicious QR code. In that case, you are leaving your corporate resources open to attacks.

To avert this, you need to ensure all devices, including BYOD, are protected with a robust, intelligent, multi-layered, and fully managed security solution like AppTrana. Such a solution regularly scans, detects, and stops advanced malware and other complex attacks. They can further tune the solution to block unauthorized downloads, repetitive login requests, and other activities.

Leverage Content Filtering 

Most QR code attacks redirect users to malicious websites or make them download malicious attachments/ files. For effective QR code protection, you must leverage a security solution that can inspect links and attachments and block access to those containing malware or suspicious content.

Implement Multifactor Authentication 

Often, attackers use malicious QR codes to get unsuspecting victims to share passwords and login credentials. By implementing multifactor authentication, you can reduce the reliance on passwords alone for protection and thwart a wide range of attacks that exploit stolen passwords and login credentials.

Enforce Strong Access Controls 

By implementing robust, role-based access control policies, you can minimize the extent of damage attackers can cause after stealing login credentials.

Other Important Measures for QR Code Protection 

  • Keep all devices updated
  • Segment and create separate containers for BYOT devices
  • Keep educating users who need to understand how to use QR codes safely

What Organizations Should Do for Point of Use/Sale QR Code Protection? 

Customize QR Code

Brands should incorporate their unique branding elements into QR code design and templates so that it matches your landing page. Also, include a custom brand domain or company domain name in your QR code, if possible. This increases user confidence in using the QR code. Partner with certified, secure, and compliant QR code solution providers in customizing and creating QR codes.

Use EV SSL 

Making sure your website linked to the QR code is strongly encrypted and has visible signs of SSL protection as provided by an EV SSL certificate inspires user trust and confidence. They know that they aren’t being fooled by an attacker impersonating your brand.

What Can Users and Customers Do? 

  1. Scan QR codes only from trusted sources. If unsure, it is better to type the link rather than scan the code.
  2. Verify the URL upon opening it
    • Inspect the domain name
    • Check for browser warning in the address bar
    • Verify the SSL certificate to ensure the website belongs to a legal entity

The Way Forward 

Protecting against QR code attacks should not be just a customer/ user prerogative; organizations need to be responsible for protection against malicious QR codes. After all, it helps protect your corporate resources, brand image, and user trust.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn

Protect Your Web Apps & APIS - Start Free Trial

Indusface
Indusface

Indusface is a leading application security SaaS company that secures critical Web, Mobile, and API applications of 5000+ global customers using its award-winning fully managed platform that integrates web application scanner, web application firewall, DDoS & BOT Mitigation, CDN, and threat intelligence engine.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

Website Security
5 Website Security Tips to Secure Your Website from Hackers

Website security tips are essential to prevent hackers from getting the best of your data, content, or server. Learn here.

Read More
Vulnerability vs Malware What Is The Difference
Vulnerability Vs Malware: What’s The Difference?

In this article, we will help you to understand the difference between vulnerability vs malware and how to protect your web applications against these.

Read More
Site Hacked
Is My Site Hacked?

Data breach? Privilege misuse? Stolen money? Do you really think that your web application has never been breached? Here are the ways to find out.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!