QR codes are already part of our lives, especially since the Covid-19 pandemic required us to keep our distance and avoid touching other people's things. We use QR codes to travel, to identify ourselves, to prove that we are vaccinated (the Covid Passport), to connect to a WiFi network or to read restaurant menus, among many other things.
But this technology is not without its risks. Phishing cases carried out through QR codes, also known as Qrishing, have recently been uncovered in Spain: a few days ago the Spanish National Police detected in Malaga a scam that uses QR codes to obtain the personal or banking data of its victims.
In this article we will look at how it works and what you need to know to avoid falling into these traps, with advice from specialist security organisations.
How QR codes are used in phishing
First, let's look at what the police in Malaga found, to understand how these phishing attacks work. A person scans a QR code and a website or an application appears that supposedly holds the information they need (for example, a restaurant menu, access to a gym or details about a shop). That website or app may in fact be a malicious link that tries to steal the victim's information.
Although the authorities have reported these cases, they have not specified which companies were affected or how many victims fell for the scam. What the Police have said is that, as with every phishing case, one of the main ways to avoid the trap is not to open unknown links, which here includes not scanning unknown QR codes.
INCIBE, the Spanish National Institute of Cybersecurity, has already described what it calls Qrishing (a combination of QR and phishing), defining it as a technique that uses social engineering to get users to hand over their credentials by scanning a QR code embedded in a web page, message or email.
When the user scans the code, they are redirected to a web page that impersonates the company's site and asks for confidential information. "You have to keep in mind that if the user does not verify the web address, they can easily be fooled," the institute says. Kaspersky, a security company, says that to prevent this it is advisable to review links before clicking on them.
Another way data is stolen through Qrishing is by injecting malicious code, either through an exploit on the web page the QR code redirects to or through a drive-by download attack. In other words, if you visit an infected or fake website, malicious software can be downloaded to your device and can then collect data from your software (operating system, browser or other applications). Once installed on your phone, it can also perform actions such as joining a botnet (for example, to take part in a DDoS attack against a legitimate website), exfiltrating confidential information or subscribing you to premium services without your knowledge, to give a few examples.
Another QR-based phishing technique is the one named "QRLjacking", a form of session hijacking that uses social engineering to take over an account on a service that offers a "Login with QR code" function. The attackers trick the victim into scanning a QR code that looks like the service's own but was generated for a login session the attackers have previously captured. When the victim scans it, the attackers' session is authenticated with the victim's credentials, and the attackers covertly access the information held in the account.
Don't forget that the apps we download to read QR codes can also be a problem, as happened this year with considerable impact. A few months ago Malwarebytes detected a Trojan in 'Barcode Scanner', one of the most installed barcode scanner apps on the Google Play Store (it had over 10 million installs when the fraud was discovered).
Some tips to avoid Qrishing, or phishing through QR codes
As with phishing and any other security incident, the best way to avoid falling into traps is to access only websites, links and apps that you know and trust. If you run a business and offer a QR code for any of your services (such as access to your product catalogue), it is also your responsibility to "check frequently that the QR codes you use have not been changed or modified by third parties", in order to keep your customers safe.
INCIBE also recommends that businesses "choose a QR code generator or a service that offers sufficient security guarantees regarding the generation of QR codes, correct linking to the service, etc.", and recommends disabling the automatic opening of links when scanning a QR code, so that users can check the address the code points to before visiting it.
In addition, if you use QR codes that grant access to transport, leisure or restricted-area services, do not share the QR code on social networks, as you could become the victim of fraud.
For its part, Kaspersky recommends that users never scan QR codes from suspicious sources and that, when a code leads to a link, they be especially wary if the URL is shortened, "because with QR codes there is no reason to shorten the links." If scanning a code gives you a shortened URL, the safest option is to use a search engine or go to the official store and navigate directly to what you are looking for.
Another suggestion is to do "a quick physical check before scanning a QR code on a sign or token to make sure the code is not pasted over the original image."
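The address checks INCIBE and Kaspersky describe above (disable automatic opening, look at the decoded address, distrust shortened URLs and look-alike hosts) can be written down as a small inspection that runs before a link is opened. The following Python is an added example, not code from the original article nor from INCIBE or Kaspersky. It works on the text a scanner app decodes from the code (it does not read images); the shortener host list, the `expected_domain` parameter and the sample payloads are illustrative assumptions constructed for the example.

```python
"""Inspect the text decoded from a QR code before it is opened (added example)."""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Hosts of popular URL shorteners. Assumption: illustrative, not exhaustive.
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy",
}


def inspect_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return human-readable warnings about a decoded QR payload.

    An empty list means none of the checks fired; it does not prove the
    destination is safe, only that the address looks like what was expected.
    """
    warnings: List[str] = []
    payload = payload.strip()

    # Anything that is not a web link (WIFI:, tel:, mailto:, intent:, ...)
    # should be shown to the user rather than acted on automatically.
    if not payload.lower().startswith(("http://", "https://")):
        scheme = payload.split(":", 1)[0].lower() if ":" in payload else "none"
        warnings.append(f"non-web payload (scheme {scheme!r}); review before acting on it")
        return warnings

    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("link has no hostname")
        return warnings

    if parts.scheme != "https":
        warnings.append("plain http: link, contents can be altered in transit")

    # "https://mybank.example@evil.example/" is treated by browsers as a link to
    # evil.example with user name mybank.example; the brand before '@' is a decoy.
    if parts.username is not None or parts.password is not None:
        warnings.append(f"user info before '@' in URL; the real host is {host}")

    try:
        ipaddress.ip_address(host)
        warnings.append("hostname is a raw IP address rather than a domain name")
    except ValueError:
        pass

    if host in SHORTENER_HOSTS:
        warnings.append(f"{host} is a URL shortener; the real destination is hidden")

    # Punycode labels or non-ASCII characters allow look-alike domains.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised hostname; check for look-alike characters")

    # Compare against the domain the user expects (the restaurant, the bank, ...).
    if expected_domain:
        exp = expected_domain.lower()
        if host != exp and not host.endswith("." + exp):
            if exp in host:
                warnings.append(f"{host} contains {exp!r} but is not under that domain")
            else:
                warnings.append(f"{host} is not under the expected domain {exp}")

    return warnings


def safe_to_open(payload: str, expected_domain: Optional[str] = None) -> bool:
    """Convenience wrapper: True only when no check fired."""
    return not inspect_qr_payload(payload, expected_domain)


if __name__ == "__main__":
    # Constructed sample payloads (not real codes seen in the wild).
    samples = [
        ("https://menu.restaurant.example/table/12", "restaurant.example"),
        ("http://bit.ly/3abcXYZ", None),
        ("https://mybank.example@evil.example/login", "mybank.example"),
        ("https://mybank.example.evil.example/login", "mybank.example"),
        ("https://192.0.2.10/login", None),
        ("WIFI:T:WPA;S:cafe;P:hunter2;;", None),
    ]
    for payload, expected in samples:
        verdict = "open" if safe_to_open(payload, expected) else "STOP"
        print(f"{verdict:4} {payload}")
        for warning in inspect_qr_payload(payload, expected):
            print(f"       - {warning}")
```

The checks are deliberately conservative: a shortened URL or a raw IP address is not proof of fraud, but, as Kaspersky notes, neither has a legitimate reason to appear in a QR code, so the script treats them as a reason to stop and navigate to the service manually instead.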