Topic:
Did you know that this month’s topic is the “QR Code”? [I assume you do, as they are everywhere and were even used in last year’s Super Bowl advertising.] Do you know what QR stands for? [I’m feeling like a game show host, waiting for you to buzz in with the correct answer: “I’ll take Technology for 200, Rob.”] It stands for Quick Response. Like its cousin the bar code, it exists so that machines and software can quickly identify a product, share information, execute a command, or simply send you to a website.
Today, nearly every mobile phone’s camera can decode a QR Code and take you wherever it points [like the menu at your favorite dinner spot].
I know what you are thinking: why are we doing this, and what does the super-helpful QR Code have to do with Cyber Security? Well, funny you should ask. You see, while you can quickly recognize a QR Code, like this month’s Topic, you cannot read one. Looking at it tells you nothing about what it will do when you scan it; the pattern of squares is just encoded text, and only your phone can turn it back into a link or a command. Herein lies the issue: like everything else with a great upside, the bad actors look for a way to exploit it for malicious ends. For example, a QR code could send you to a malicious website that attempts to harvest your personal information, like passwords or credit card numbers, or that tries to install malware on your device.
QR codes can do more than open a web page; they can also add a contact to your contacts list or compose an email on your behalf. The QR code by itself is not the threat; the information or action it triggers can be. And it is REALLY easy to abuse. For example, let’s say you are in an airport and there is a poster on a wall promoting a product that interests you. The poster has a QR code you can scan to quickly get more information. What you don’t realize is that someone has covered the poster’s original QR code with a sticker carrying a different one. You trust the poster, not realizing that a criminal has replaced its QR code. When you scan it to learn more about the product, you are directed to a website the criminal controls, and the attack begins.
For a black-hat hacker this is trivial: generate a QR code, print a stack of stickers, slap them on things in public, sit back, and wait. So, what to do 🤔? Well, again, like everything else, the onus is on us to verify before we trust and act on that QR code. Here are some steps you can take to reduce the odds of scanning a malicious QR code:
- Be careful before trusting and scanning a QR code.
- Ask yourself: Can I trust the source?
- Do you trust the poster, paper, commercial, restaurant, or the website that is showing the QR code?
- If someone left a handout on your car with a QR code, can you believe it?
- Look closely at the QR code: is it printed as part of the paper or poster, or is it a sticker covering something underneath?
- Once you scan a QR code, most of the time your device will show you what it read and ask whether you want to act on it before it does anything. For example, if the QR code is a link to a website, your phone displays the link and waits for you to tap it. Use that moment to read the full address, not just the first few letters: check that the domain is the one you expect, be wary of shortened links that hide the real destination, and make sure you feel comfortable visiting it before you tap.
- Confirm your mobile devices are always updated and running the latest version of their operating system, so they have the latest security fixes. The easiest way to do this is to enable automatic updates on your device.
- Your phone’s built-in camera already reads QR codes. If a website, or the QR code itself, insists that you download a specialized QR scanning app first, it is most likely counterfeit or fake.
- Think twice before providing confidential or personal information to any website that you reached via a publicly visible QR code.
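To make the “read the link before you tap” step concrete, here is an added example in Python. It is my illustration, not code from the original newsletter or from any phone vendor’s scanner. It takes the text that a scanner decodes from a QR code and reports what the phone would do with it and why you might want to stop. It goes beyond the two actions named above (adding a contact, composing an email) to the other standard payload types a phone recognizes: web links, Wi-Fi join, text message, phone call, and app-specific schemes. The sample payloads, the shortener list, and the warning heuristics are my own constructed assumptions, and the KEY:value;; parser is deliberately simplified.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed list of link shorteners: they hide the real destination from the scan preview.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy"}
# File types that install software or a device profile instead of showing a page.
INSTALLER_EXT = (".apk", ".ipa", ".exe", ".msi", ".mobileconfig", ".dmg", ".pkg")


@dataclass
class QrAction:
    kind: str                                  # url, email, wifi, contact, sms, phone, other-scheme, text
    target: str                                # what the phone would open, join, save, draft or dial
    flags: list = field(default_factory=list)  # plain-language reasons to stop before tapping


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _fields(body):
    """Parse the KEY:value;KEY:value;; layout shared by MATMSG, MECARD and WIFI payloads
    (simplified: a backslash-escaped ';' inside a value is not handled)."""
    out = {}
    for item in body.split(";"):
        key, sep, val = item.partition(":")
        if sep:
            out[key.strip().upper()] = val
    return out


def _url_action(payload):
    parts = urlsplit(payload)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme == "http":
        flags.append("plain http: the page can be altered in transit")
    if "@" in parts.netloc:
        flags.append("text before '@' is a decoy; the real host comes after it")
    if _is_ip(host):
        flags.append("raw IP address instead of a domain name")
    if host in SHORTENERS:
        flags.append("link shortener: the final destination is hidden")
    if "xn--" in host:
        flags.append("punycode host: may be a look-alike of a familiar name")
    if parts.path.lower().endswith(INSTALLER_EXT):
        flags.append("points straight at an installer or device profile")
    # Report the host the browser will actually contact, with any userinfo decoy stripped.
    return QrAction("url", f"{parts.scheme}://{host}{parts.path}", flags)


def _email_action(payload):
    # "mailto:" (RFC 6068) and the DoCoMo "MATMSG:" format both pre-fill a message.
    if payload.lower().startswith("mailto:"):
        addr, _, query = payload[7:].partition("?")
        body = parse_qs(query).get("body", [""])[0]
    else:
        f = _fields(payload[7:])
        addr, body = f.get("TO", ""), f.get("BODY", "")
    flags = ["message text is pre-written; read it before you press send"] if body else []
    return QrAction("email", unquote(addr), flags)


def classify(payload):
    """Return the action a decoded QR payload would trigger, with any warning flags."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("http://", "https://")):
        return _url_action(p)
    if low.startswith(("mailto:", "matmsg:")):
        return _email_action(p)
    if low.startswith("wifi:"):
        f = _fields(p[5:])
        flags = ["joins a Wi-Fi network: your traffic then passes through whoever runs it"]
        if f.get("T", "").lower() in ("", "nopass"):
            flags.append("open network with no encryption")
        return QrAction("wifi", f.get("S", ""), flags)
    if low.startswith(("mecard:", "begin:vcard")):
        m = re.search(r"(?:^|[:\n])(?:FN|N):([^;\r\n]*)", p, re.IGNORECASE)
        return QrAction("contact", m.group(1).strip() if m else "",
                        ["saves a contact: a trusted-looking name makes later calls and texts look legitimate"])
    if low.startswith(("smsto:", "sms:")):
        return QrAction("sms", p.split(":", 2)[1].split("?")[0], ["drafts a text message on your behalf"])
    if low.startswith("tel:"):
        return QrAction("phone", p[4:], ["dials a number; premium-rate numbers bill you"])
    m = re.match(r"([a-z][a-z0-9+.-]*):(?=\S)", low)
    if m:  # intent:, market:, javascript: and friends are handed to another app
        return QrAction("other-scheme", p, [f"'{m.group(1)}:' is handed to another app, not the browser"])
    return QrAction("text", p)


if __name__ == "__main__":
    # Constructed sample payloads (not taken from any real campaign).
    for sample in ("https://www.example.com/menu", "https://paypal.com@203.0.113.7/login",
                   "http://bit.ly/3xyz", "WIFI:T:nopass;S:Free Airport WiFi;;", "tel:+19005550100"):
        a = classify(sample)
        print(f"{a.kind:<8} {a.target:<34} {'STOP: ' + '; '.join(a.flags) if a.flags else 'looks ordinary'}")
```

Run it as a script to see the five constructed samples classified. The second sample is the one worth staring at: the address starts with a familiar brand name, but everything before the “@” is ignored by the browser and the phone would really connect to the bare IP address after it. That is exactly the kind of detail the scan preview shows you, if you read past the first few characters.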
Newsletter by Rob Collings, ISHPI’s VP of Cybersecurity | CISO
October 1, 2024