Yet another new term for us today: QRishing. This form of phishing is initiated using QR codes. QR codes are the square images made up of an array of black and white blocks that we see in newspapers, magazines, brochures, posters, etc.; scanning one redirects us to a website, saves a contact or opens an application. Typically a QR code stores a URL and other related information. Its use has increased, and it is now being used for almost everything, including transactions on payment gateways and storing crucial medical data.
Security concerns with QR codes
Many applications using QR codes do not display the URL of the target action at all, especially while using payment gateways. When a QR code opens a website, the hyperlink is usually displayed, but hackers and cyber-criminals use URL shorteners to hide the final link. Moreover, the URL displayed after scanning a QR code with a mobile device might not be shown completely in the mobile browser's address bar.
What are QRishing scams?
QRishing translates into phishing with the involvement of QR codes. Security concerns about QRishing were first raised years ago but were not as much of a problem as they are now. As QRishing attacks start becoming common, research by Carnegie Mellon University, the first of its kind, titled The Susceptibility of Smartphone Users to QR Code Phishing Attacks, has been conducted to find the extent of the problem and possible vulnerabilities.
Just like Phishing attacks through emails, curiosity is what cybercriminals use for making users scan malicious QR codes. Email phishing has been a known security concern for quite some time, because of which all major web servers have developed measures to counter it. The same doesn’t seem to be true with QRishing which is less known, less investigated and almost totally unstoppable.
To add to this, mobile browsers, whether on iPhones or Android phones, do not employ the same safe browsing techniques that desktop browsers do, such as comparing URLs against a blacklist or requiring an extra confirmation click before proceeding.
How is QRishing done and with what purpose?
QRishing uses socially engineered bait to make potential victims scan the code. The following methods have been used for the same:
- Pasting a transparent sheath with a malicious QR code on top of a genuine QR code: This was first observed in banks, where people are very confident about scanning the QR code, and it is likely in use elsewhere as well. The reason for believing in the authenticity of the code is the location where it has been placed. E.g., if a user is standing inside a reputed bank or a government office, there is a high chance they will trust any QR code on the premises because of their trust in the brand. In such a situation, cyber-criminals paste a transparent sheath carrying the malicious QR code over the genuine one.
- Changing the company details above the QR code: To deceive users into believing they are scanning a genuine QR code, the hacker places the QR code on a poster mentioning a genuine brand. E.g., a banner, pamphlet, or poster on the street mentioning a reputed bank asks users to scan the QR code on it. The QR code is, in turn, a phishing attempt that the victim might not be able to recognize.
- Using QR codes as a discount voucher: People love discounts, and cyber-criminals know that very well. QR codes that supposedly lead to a discount voucher for leading online brands like Amazon are used a lot for QRishing. In fact, a report on QR security issues shows that users are much more likely to open QR codes that offer discounts.
The purpose of such attacks could range from stealing personal information to clickbait to monetary fraud. In a known case of QRishing, a college student redirected a QR code to his Twitter account only to get more views on it. He shortened the URL so it could not be recognized.
A very dangerous thing cybercriminals do is change the QR codes on payment gateways, which are scanned to make payments. By the time the details of the recipient are disclosed, the payment is already made.
While most of us are aware of email phishing and would think twice before sharing our credentials on a suspicious page we receive through email, the same is not true with QR codes. If a user is directed to a QRishing page asking for his/her credentials, the user might not suspect the scam and may give away the credentials.
How to protect yourself from QRishing scams
Some basic steps you should take:
- Beware of sheaths on QR codes: The worst kind of QRishing attacks are done by pasting a transparent sheath with a malicious QR code over a genuine one. A careful look can reveal it.
- Do not open shortened URLs: Ideally, you should check a shortened URL by expanding it with a suitable tool before opening it. But that isn't always possible when using a mobile browser. Moreover, the URLs shown by QR codes in a mobile browser are usually not displayed in full. It is better to avoid opening them.
- Be careful before entering your credentials: Always enter credentials only on a secure site, the web address of which starts with 'https://'. Never do it on random links you are directed to through QR codes.
- Install security applications on your mobile device: Mobile browsers haven't applied blacklisting and other security measures like desktop browsers yet. Unlike desktop browsers, which warn about unsecured sites and ask whether the user wants to proceed, mobile browsers usually do not perform this check. However, certain security applications can help with this.
- Avoid QR codes: Despite QR codes being one of the most convenient options, it is better to avoid their use until enough research has been done to make them safe and secure for public use.
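The article notes that shorteners hide the final link, that mobile browsers truncate long URLs, and that credentials belong only on https:// sites. The following script is an added example, not code from the original article or from any scanner app: it takes the decoded text of a QR code (most scanner apps let you copy it before opening it) and reports the red flags described above, then expands a shortened link one redirect hop at a time without ever rendering the page, so the real destination is known before a browser loads it. The shortener host list, the `192.0.2.10` address and the redirect table in the usage block are constructed for illustration; the `fetch_location` parameter is a hypothetical hook that lets the expansion run offline against a table instead of the network.

```python
"""Inspect a decoded QR payload before opening it (added example, not from the
article).  Usage: decode the QR code with any scanner, copy the text, and pass
it to triage(); nothing here opens a browser."""
from urllib.parse import urlsplit, urljoin
import urllib.error
import urllib.request

# Constructed, illustrative list of hosts commonly used as link shorteners.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def inspect_qr_payload(payload: str) -> dict:
    """Return the red flags for one decoded QR payload (no network access)."""
    payload = payload.strip()
    report = {"payload": payload, "is_url": False, "flags": []}
    parts = urlsplit(payload)
    # vCard, WIFI:, tel: and similar payloads are not web links; report and stop.
    if parts.scheme not in ("http", "https"):
        report["flags"].append("not an http(s) URL: scheme=%r" % parts.scheme)
        return report
    report["is_url"] = True
    host = (parts.hostname or "").lower()
    report["host"] = host
    if parts.scheme != "https":
        report["flags"].append("plain http: credentials would travel unencrypted")
    if host in KNOWN_SHORTENERS:
        report["flags"].append("link shortener hides the final destination")
    if parts.username is not None:
        # https://bank.example.com@evil.example/ shows the bank name first, but
        # everything before '@' is userinfo; the real host is after it.
        report["flags"].append("userinfo before host: real host is %r" % host)
    if host.replace(".", "").isdigit():
        report["flags"].append("raw IP address instead of a domain name")
    if len(payload) > 60:
        report["flags"].append("long URL: a mobile address bar will truncate it")
    return report


def _head_location(url: str, timeout: float = 5.0):
    """Fetch ONE hop with a HEAD request and return its Location header
    without following it.  Only used when no offline fetcher is injected."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:     # the 3xx surfaces here
        return err.headers.get("Location")
    except urllib.error.URLError:             # DNS/connection failure
        return None


def expand_short_url(url: str, fetch_location=_head_location, max_hops: int = 5) -> list:
    """Follow redirects hop by hop and return the whole chain, last item being
    the final destination.  fetch_location(url) returns the next URL or None."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:       # redirect loop: stop, keep the evidence
            break
    return chain


def triage(payload: str, fetch_location=_head_location) -> dict:
    """Flags for the scanned link AND for where it really ends up."""
    first = inspect_qr_payload(payload)
    if not first["is_url"]:
        return first
    chain = expand_short_url(first["payload"], fetch_location)
    final = inspect_qr_payload(chain[-1])
    return {"chain": chain, "flags": sorted(set(first["flags"] + final["flags"]))}


if __name__ == "__main__":
    # Constructed offline redirect table standing in for a shortener service.
    table = {"https://bit.ly/abc123": "http://192.0.2.10/login",
             "http://192.0.2.10/login": "/signin"}
    result = triage("https://bit.ly/abc123", lambda u: table.get(u))
    print(" -> ".join(result["chain"]))
    for flag in result["flags"]:
        print("  !", flag)
```

With the default fetcher the expansion does perform HEAD requests, but it never follows a redirect automatically and never fetches the page body, which is the point of checking a shortened link before a mobile browser renders it.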
The real reason behind QRishing being such a serious concern is that we, the people, are not prepared for it. Since it is a new term, little research has been done to counter it. While enough awareness has been spread about email phishing, people still tend to trust QR codes.