Beware of malicious QR codes, they can hide anywhere!

Hackers are increasingly using QR codes to trick Internet users. A hacker showed us some scary scenarios. It is better to know them so as not to be fooled.

Since the Covid crisis, they have been everywhere: on vaccine certificates, in bars and restaurants, on billboards, on soda or sparkling water bottles, etc. QR codes are now a part of our daily lives and we use them almost mechanically, without asking ourselves too many questions. And yet this is high-risk behavior, says Len Noe, security researcher at the software vendor CyberArk. “QR codes should be treated in the same way as a link in an email from a stranger. Before scanning one, it is first necessary to clearly identify the place to which it leads. If necessary, abandon the navigation,” he explains to us during a visit to Paris.

The way we use QR codes is, he says, a step backward for security. “For years, we’ve been trying to educate people to stop clicking on something, and the message is starting to get through. But with QR codes, it’s back to square one. During the last Super Bowl, for example, there was the broadcast of an ad with only a QR code, without any other explanation. Within a minute, 20 million people visited the underlying site without knowing where they were going. It is brittle!” he points out.

The hacker Len Noe is also a biohacker, with a magnetic probe implanted in his hand.

Of course, hackers are already well aware of this and have incorporated QR codes into their arsenal. “QR code attacks are carried out every day around the world. But we still talk very little about it,” explains the researcher before mentioning a few examples:

  • In China, fake tickets with QR codes have been placed on poorly parked cars. The QR code led motorists to an online payment service … for the benefit of hackers;
  • In Texas, fake QR codes have been attached to parking meters, leading to a fake payment site (“Quick Way Parking”) for the purpose of collecting bank card data;
  • In Germany, QR codes have been embedded in emails that apparently come from banks asking recipients to log in to their accounts. “For the hacker, the advantage of the QR code is that it is not analyzed by the antivirus engine, as opposed to a classic hyperlink,” Len Noe specifies.

As a demonstration, the researcher showed us three attacks carried out in the laboratory, but inspired by real cases. The first is pretty simple: a QR code accompanies a fake ad for a fake job board. The victim then lands on a website that encourages them to provide a large amount of personal information, which is sent via email to an address belonging to the hacker.

QR Code Attack Scenario / Len Noe / CyberArk

The second, more sophisticated, relies on a fake restaurant menu page. Once the victim connects to it, the attacker, thanks to an open source penetration testing tool called BeEF (Browser Exploitation Framework), can execute JavaScript code on the victim's device. This allows the attacker, for example, to collect information (geolocation, configuration data, SIM card data, etc.) and launch other attacks, for example by overlaying fake login interfaces.

The last scenario is the most complex, but also the one with the greatest effect. Len Noe has created a hacked version of a Covid certificate application. The QR code is used to lead the victim to a fake Google Play page from which they will download the infected app. Once installed, it allows the attacker to spy on the victim: access to SMS, access to the microphone and camera, access to logs, etc.

In short, as we can see, QR codes are not as harmless as they seem. Since they are relatively new, we do not yet have the reflex to be sufficiently vigilant towards them. To avoid being fooled, it is imperative to verify the legitimacy of the hyperlink encoded in a QR code. In a restaurant, this can be complicated as the menus are often hosted by little-known third-party providers. “In this case, it is preferable to consult the restaurant’s website directly to access the menu. Or ask for the paper version,” advises Len Noe. In addition, he recommends never using a QR code to download an application or to make an electronic payment. You have been warned.
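The check recommended above, identifying where a scanned code leads before opening it, can be sketched in code. This is an added example, not something shown by the researcher or the article; the function name, the list of expected hosts and the sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def assess_qr_payload(payload, expected_hosts):
    """Return a list of warnings for the text decoded from a QR code.

    expected_hosts (assumption): the hosts the user believes the code
    should lead to, e.g. the official app store or the operator's site.
    """
    url = urlsplit(payload.strip())
    if url.scheme not in ("http", "https"):
        return [f"not a web link (scheme {url.scheme!r})"]
    findings = []
    if url.scheme == "http":
        findings.append("unencrypted http")
    if url.username is not None:
        # https://trusted.example@other.example/ really goes to other.example
        findings.append("userinfo before '@' hides the real host")
    host = (url.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")
    expected = {h.lower() for h in expected_hosts}
    if host not in expected:
        findings.append(f"unexpected host {host}")
        # Lookalike: the trusted name used as a prefix of another domain
        if any(e in host for e in expected):
            findings.append("expected name embedded in another domain")
    if url.path.lower().endswith(".apk"):
        findings.append("direct app package download")
    return findings

# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://play.google.com/store/apps/details?id=com.example.app",
    "http://play.google.com.app-update.example/covid-pass.apk",
    "https://play.google.com@203.0.113.7/store",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", assess_qr_payload(sample, ["play.google.com"]) or "ok")
```

An empty result only means none of these structural warning signs were found; it does not establish that the site itself is legitimate.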


