Hackers are increasingly using QR codes to trick Internet users. A hacker showed us some spine-chilling scenarios. It is better to know them so as not to be fooled.
Since the Covid crisis, they have been everywhere: on vaccine certificates, in bars and restaurants, on billboards, on soda or sparkling water bottles, etc. QR codes are now part of our daily lives and we use them almost mechanically, without asking ourselves too many questions. And yet this is high-risk behavior, according to Len Noe, security researcher at the software vendor CyberArk. “QR codes should be treated the same as a link in an email from a stranger. Before scanning it, it would first be necessary to clearly identify the site to which it leads. If necessary, you must abandon the navigation,” he explains to us during a visit to Paris.
The way we use QR codes is, he says, a regression in security. “For years, we’ve been trying to educate people to stop clicking on anything, and the message is starting to carry. But with QR codes, it’s back to square one. During the last Super Bowl, for example, there was the broadcast of an advertisement with only a QR code, without any other explanation. Within a minute, 20 million people visited the underlying site, not knowing where they were going. That’s crazy!” he points out.
Hackers, of course, are already well aware of this and have incorporated QR codes into their arsenal. “QR code attacks are carried out every day, all over the world. But we still talk about it very little,” explains the researcher, before citing a few examples:
- In China, fake tickets with QR codes have been placed on poorly parked cars. The QR code directed motorists to an online payment service… for the benefit of hackers;
- In Texas, fake QR codes have been stuck on parking meters that lead to a fake payment site (“Quick Way Parking”), with the aim of collecting bank card data;
- In Germany, QR codes have been embedded in emails that ostensibly come from banking institutions and prompt recipients to log into their accounts. “For the hacker, the advantage of the QR code is that it is not analyzed by the antivirus engine, unlike a classic hyperlink,” specifies Len Noe.
By way of demonstration, the researcher showed us three attacks carried out in the laboratory but inspired by real cases. The first is quite simple: a QR code accompanies a fake advertisement for a fake job site. The victim then lands on a site that encourages them to give a large amount of personal information, which is sent by email to an address controlled by the hacker.
The last scenario is the most complex, but also the one with the most impact. Len Noe created a hacked version of a Covid certificate app. The QR code is used to take the victim to a fake Google Play site, from where they will download the infected app. Once installed, it allows the attacker to spy on his victim: access to SMS, access to the microphone and the camera, access to logs, etc.
In short, as we can see, QR codes are not as harmless as they seem. As they are relatively new, we do not yet have the reflex to be sufficiently wary of them. To avoid being tricked, it is essential to verify the legitimacy of the hyperlink encoded in a QR code. In a restaurant, this can be complicated, as the menus are often hosted by little-known third-party providers. “In this case, it is preferable to consult the restaurant’s website directly to access the menu card. Or else ask for the paper version,” advises Len Noe. In addition, he recommends never using a QR code to download an application or to make an electronic payment. You have been warned.
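
The check described above, sketched as an added example that is not from the article or from Len Noe: it takes the text already decoded from a QR code and lists reasons not to follow it. The function name and the `.example` host names are assumptions made for illustration, and the checks go slightly beyond the cases the article cites (IP-literal and punycode hosts).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample allowlist: hosts the user expects for this scan.
EXPECTED_HOSTS = {"restaurant.example", "play.google.com"}


def triage_qr_payload(payload, expected_hosts=EXPECTED_HOSTS):
    """Return reasons not to follow a decoded QR payload (empty list = no flag)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme: {parts.scheme or 'none'}"]
    reasons = []
    if parts.scheme == "http":
        reasons.append("no TLS")
    # "https://trusted@other-host/" displays the trusted name but goes elsewhere.
    if parts.username or parts.password:
        reasons.append("userinfo before host hides the real destination")
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal host")
    except ValueError:
        pass  # not an IP address, so it is a DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host")
    if host not in expected_hosts:
        reasons.append(f"unexpected host: {host}")
        # A trusted name embedded in a different host, e.g. a fake store page.
        for good in sorted(expected_hosts):
            if good in host:
                reasons.append(f"lookalike embeds {good}")
    # The article's advice: never install an app from a QR code.
    if parts.path.lower().endswith(".apk"):
        reasons.append("direct app download")
    return reasons


if __name__ == "__main__":
    # Constructed payloads, as they would come out of a QR decoder.
    for sample in ("https://restaurant.example/menu",
                   "https://play.google.com.apps-store.example/covid-cert.apk",
                   "http://203.0.113.7/pay"):
        print(sample, "->", triage_qr_payload(sample) or "no flag")
```

An empty result only means none of these checks fired; it does not prove the destination is legitimate.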