‘Quishing’ scams dupe millions of Americans as cybercriminals turn the QR code bad

  • Almost three-quarters of Americans (73%) scan QR codes without verification, and more than 26 million have already been directed to malicious sites, according to NordVPN.
  • The FTC warned earlier this year about scanning QR codes on unexpected packages.
  • New York City's Department of Transportation issued a warning that scammers are posting QR codes on parking meters that are not legitimate payment links.

Once upon a time, QR codes were a curiosity that made for an entertaining phone scan. You may have scanned one on a museum display to learn more about Genghis Khan’s military tactics or the woolly mammoth’s diet. During the pandemic, QR codes became the standard way to present a restaurant menu. However, as QR codes have become standard in more pressing facets of American life, such as parking payments and airline cards, hackers have taken advantage of their widespread use.

“QR codes, like many technological advancements that begin with noble intentions, are increasingly being used maliciously. They are both helpful and hazardous because they are found in everything from yard signs and gas pumps to television ads,” according to Dustin Brewer, senior director of proactive cybersecurity services at BlueVoyant.

According to Brewer, attackers use these ostensibly innocuous icons to fool victims into accessing malicious websites or unintentionally disclosing personal information—a practice known as “quishing.”

Because of the growing frequency of QR code scams, the Federal Trade Commission issued a warning earlier this year regarding unexpected or undesired packages that contain a QR code that, when scanned, “could take you to a phishing website that steals your personal information, like credit card numbers or usernames and passwords.” Scanning such a code can also infect your phone with malware and grant hackers access to it.

This summer, state and local warnings have been issued throughout the United States, with Hawaii Electric and the New York Department of Transportation warning consumers about QR code scams.

The relative simplicity of the scam makes it appealing to cybercriminals: apply a phony QR code sticker to a parking meter or a utility bill payment notification and rely on the victim's hurry to do the rest.

According to Gaurav Sharma, a professor in the University of Rochester’s department of electrical and computer engineering, “the crooks are relying on you being in a hurry and you need to do something.”

On the rise as traditional phishing fails

As the use of QR codes grows, Sharma anticipates an increase in QR scams. More security measures have been implemented to curb traditional email phishing efforts, which is another reason why criminals are using QR codes more frequently. According to a study conducted this year by cybersecurity company KeepNet Labs, 26% of dangerous links are now distributed through QR codes. 73% of Americans scan QR codes without verifying them, and over 26 million have already been redirected to dangerous websites, according to cybersecurity firm NordVPN.

“The cat and mouse game of security will continue, and people will figure out solutions and the crooks will either figure out a way around or look at other places where the grass is greener,” Sharma stated.

In an effort to stop scams, Sharma is creating a “smart” QR code known as an SDMQR (Self-Authenticating Dual-Modulated QR) with integrated security. However, he must first gain support from Google and Microsoft, the businesses that manufacture the cameras and manage the camera infrastructure. Businesses adding their logos to QR codes isn’t a solution, he said, because it can give the impression that something is secure, and crooks can usually just duplicate the logos.

The growing use of QR codes has some Americans on edge.

“I’m in my 60s and don’t like using QR codes,” stated Denise Joyal, of Cedar Rapids, Iowa. “Security concerns are a real concern of mine. When there is no other means to connect and a QR code is required to participate in a campaign, I truly dislike it. I don’t use them to find information for amusement purposes.”

Additionally, organizations are working to make their QR codes more secure.

The Children’s Museum of Indianapolis, which has over a million visitors annually, said its IT staff started updating its QR codes a few years ago to guard against the growing threat, according to spokeswoman Natalie Piggush.

“Instead of using the typical monochromatic QR codes, we at the museum utilize styled codes that feature our emblem and colors. Additionally, we describe what users might anticipate seeing when they scan one of our QR codes, and we routinely check our current QR codes for signs of tampering or inappropriate codes,” Piggush stated.

Because scammers aim to steal money from people who are expecting to pay for something, museums are typically less vulnerable than locations like train stations or parking lots. While it is less likely that a museum visitor will expect to pay, Sharma noted that fraudulent QR codes can still be used to infect a phone with malware.


Apple, Android user trust is an issue

According to a study conducted earlier this year by Malwarebytes, QR code frauds are likely to affect both Apple and Android devices, but iPhone owners may be marginally more susceptible to the crime. Researchers claim that because iPhone users showed greater faith in their gadgets than Android users, they may become less vigilant. For instance, compared to 63% of Android users, 70% of iPhone users have scanned a QR code to start or finish a purchase.

According to David Ruiz, a researcher at Malwarebytes, trust may have the unintended consequence of making iPhone users less inclined to utilize additional cybersecurity tools, such as antivirus software, and less inclined to modify their online buying habits. Fifty-five percent of iPhone owners believe their gadget will protect them, compared to 50 percent of Android users.

Low investment, high return hacking tactic

Because users usually can’t read or validate the encoded site address, a QR code is riskier than a conventional phishing email. Although human-readable text typically accompanies a QR code, attackers can alter this text to trick users into trusting the link and the website it leads to. The best defense is to avoid scanning unexpected or unwelcome QR codes and to look for ones that reveal the URL when scanned.
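
An added example, not part of the original article, of the check a scanner app or a signage audit can make once the hidden URL is revealed: compare the decoded payload against the domain the printed label claims. The function name, the shortener list and the `.example` URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed sample of link-shortener hosts (constructed for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def review_qr_payload(payload: str, expected_domain: str) -> list[str]:
    """Return reasons to distrust a decoded QR payload (empty list: none found)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("payload has no host to verify")
        return findings
    # "https://trusted@other.example/" shows a trusted name before the '@',
    # but the browser connects to the host after it.
    if parts.username is not None:
        findings.append(f"text before '@' is not the site; real host is {host}")
    if host in SHORTENERS:
        findings.append(f"{host} is a link shortener; destination is hidden")
    # Punycode or non-ASCII labels can render like a familiar name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalized host may imitate another name")
    expected = expected_domain.lower().rstrip(".")
    # Exact match or true subdomain only; a substring match would accept
    # "city.example.pay-now.example".
    if host != expected and not host.endswith("." + expected):
        findings.append(f"host {host} is not {expected} or a subdomain of it")
    return findings


if __name__ == "__main__":
    # Constructed payloads, as if decoded from stickers on a parking meter.
    samples = [
        "https://pay.city.example/meter/42",
        "https://city.example@payments-city.example/meter",
        "https://city.example.pay-now.example/m",
        "http://bit.ly/abc",
    ]
    for url in samples:
        print(url, "->", review_qr_payload(url, "city.example") or "no findings")
```

An empty result only means none of these checks fired; it does not prove the destination is safe.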

According to Brewer, fraudsters have also been using QR codes to get access to vital networks.

“There are also credible reports that nation-state intelligence agencies have used QR codes to compromise messaging accounts of military personnel, sometimes using software like Signal that is also open to consumers,” Brewer stated. Nation-state attackers have even distributed remote access trojans (RATs), a kind of malware that allows hackers to fully access targeted devices and networks without the owner’s knowledge or agreement, using QR codes.

However, one of the most perilous features of QR codes is their pervasiveness in daily life, which makes them a cyberthreat that goes undetected.

“The ease with which authentic flyers, posters, billboards, or official papers can be compromised is particularly worrisome.” According to Brewer, attackers may easily print their own QR code and apply it digitally or physically over a legitimate one, making it practically impossible for the typical user to recognize the scam.

“QR code compromise is just another tactic in a long line of similar strategies in the cybercriminal playbook,” says Rob Lee, chief of research, AI, and emerging threats at the cybersecurity training-focused SANS Institute.

“QR codes weren’t built with security in mind, they were built to make life easier, which also makes them perfect for scammers,” Lee stated. “This playbook, which we have previously seen in phishing emails, now only has a pixelated square with a smiley on it. Although it’s not yet cause for alarm, attackers prefer to scale this type of low-effort, high-return strategy.”
