The Portuguese version of this Article can be found at: QR Codes Maliciosos.

 


 

QR Code

What is a QR Code ?

Created in 1994 by a Japanese Company that manufactures automotive components, the QR Code (Quick Response Code) is a Two-Dimensional Barcode (2D Barcode) that stores Data and can be "read" by a Camera.

As of 2017, Smartphones began to integrate QR Code Scanner features directly into their Software, eliminating the need for Third-Party Apps and facilitating its dissemination.

 

. The use of QR Codes gained great prominence in 2020, during the COVID-19 Pandemic, as a contactless way to obtain important information.

 

What is a Dynamic QR Code ?

What makes a QR Code "dynamic" is that the URL encoded in it redirects to a second URL that can be changed on demand, even after a Code is printed. "Static" QR Codes cannot be changed in this way.

Dynamic QR Codes:

  • have a Short and Clean URL
  • take less time to Scan
  • can track Data such as: Number of Scans, Location and Time

 

. It is not possible to convert a Dynamic QR Code to a "Static" QR Code or vice versa.

 

Static QR Code vs Dynamic QR Code

QR Code - Static x Dynamic 00.png

  

What is the Structure of a QR Code ?

The main structures of a QR Code are:

  • Positioning Patterns: the three large Squares at the corners of a QR Code help your Scanner locate and align the Code, even if it is tilted or at an odd angle.

Positioning Patterns.png

 

  • Timing Patterns: the lines of alternating Black and White Pixels between the Positioning Patterns help the Scanner measure the dimensions of the QR Code.

Timing Patterns.png

 

  • Alignment Patterns: these Small Squares on the grid help the Scanner read the Code accurately, even if it is on a curved or uneven surface.

Alignment Patterns.png

 

  • Data and Error Correction Keys: these are the Little Black and White Squares that actually store the Encoded Information.

Data and Error Correction Keys.png

 

  • Quiet Zone: a White Space that helps QR Code Scanners differentiate the Code from the Environment.

Quiet Zone.png

 

Example of a Custom QR Code Structure (ISE Deployment and Operation: Lessons from Large, Complex Environment):

QR Code - ISE Deployment and Operation.png

 

. A 1D Barcode can store up to 85 Characters.
. QR Codes can store up to 4,296 Alphanumeric Characters or 7,089 Numeric Characters.
. QR Codes encode information in Binary Format (Black Square represents 1 and White Square represents 0).
. QR Codes can still be read if up to 30% of the Code is damaged (depending on the Error Correction Level used).
. QR Codes can be customized with Logos and Images.
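The capacity figures above follow from how a QR Code packs characters into bits. The following added example (not code from the article) implements the numeric, alphanumeric and byte data segments of ISO/IEC 18004 and derives the maximum character counts for the largest symbol (Version 40 at error correction level L, which carries 2,956 data codewords); the sample inputs are constructed.

```python
# Added example (not from the article): the data-encoding arithmetic behind the
# QR Code capacity figures, following the ISO/IEC 18004 numeric/alphanumeric/byte modes.
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"   # the 45-symbol alphanumeric set
MODE_INDICATOR = {"numeric": "0001", "alphanumeric": "0010", "byte": "0100"}
# Width of the character-count indicator for version groups 1-9, 10-26 and 27-40.
COUNT_BITS = {"numeric": (10, 12, 14), "alphanumeric": (9, 11, 13), "byte": (8, 16, 16)}
V40_L_DATA_CODEWORDS = 2956   # largest symbol (version 40) at error correction level L

def count_bits(mode, version):
    return COUNT_BITS[mode][0 if version <= 9 else 1 if version <= 26 else 2]

def encode_numeric(digits):
    """Groups of 3 digits -> 10 bits; a trailing 2 digits -> 7 bits, 1 digit -> 4 bits."""
    width = {3: 10, 2: 7, 1: 4}
    return "".join(format(int(digits[i:i + 3]), f"0{width[len(digits[i:i + 3])]}b")
                   for i in range(0, len(digits), 3))

def encode_alphanumeric(text):
    """Pairs -> 11 bits as 45*a + b; a trailing single character -> 6 bits."""
    out = []
    for i in range(0, len(text), 2):
        pair = text[i:i + 2]
        if len(pair) == 2:
            out.append(format(ALNUM.index(pair[0]) * 45 + ALNUM.index(pair[1]), "011b"))
        else:
            out.append(format(ALNUM.index(pair), "06b"))
    return "".join(out)

def encode_byte(text):
    """Byte mode: one 8-bit codeword per character (ISO 8859-1 default interpretation)."""
    return "".join(format(b, "08b") for b in text.encode("latin-1"))

def segment(mode, data, version=40):
    """Mode indicator + character-count indicator + data bits for one segment."""
    encoder = {"numeric": encode_numeric, "alphanumeric": encode_alphanumeric, "byte": encode_byte}[mode]
    return MODE_INDICATOR[mode] + format(len(data), f"0{count_bits(mode, version)}b") + encoder(data)

def max_chars(mode, version=40, data_codewords=V40_L_DATA_CODEWORDS):
    """Characters that fit once the mode and count indicators have been paid for."""
    payload = data_codewords * 8 - 4 - count_bits(mode, version)
    if mode == "numeric":
        groups, rem = divmod(payload, 10)
        return groups * 3 + (2 if rem >= 7 else 1 if rem >= 4 else 0)
    if mode == "alphanumeric":
        pairs, rem = divmod(payload, 11)
        return pairs * 2 + (1 if rem >= 6 else 0)
    return payload // 8   # byte mode

if __name__ == "__main__":
    print(segment("numeric", "01234567", version=1))   # constructed sample digit string
    print({m: max_chars(m) for m in ("numeric", "alphanumeric", "byte")})   # 7089 / 4296 / 2953
```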

 

What are the main uses of a QR Code ?

QR Codes can store different types of Data:

  • URLs - directing Users to a Website or App
  • Text - displaying a Message or Instruction
  • Contact Information - sharing vCards to quickly save Contacts
  • Payment Links - facilitating Transactions with just a Scan

 

Security Issues

Cybercriminals can:

  • tamper with legitimate QR Codes by covering them completely with a malicious QR Code sticker.
  • use a Social Engineering Attack known as Quishing.

 

What is Quishing ?

Quishing (QR Code Phishing) is a Cyber Threat in which Cybercriminals use QR Codes to redirect Victims to Malicious Websites or induce them to Download harmful content !!!

 

. Phishing is a form of Cybercrime in which Cybercriminals attempt to obtain confidential information from you via email with fraudulent links.
. According to data from Cisco Talos, around 60% of all emails containing a QR Code are SPAM.
. Most Anti-SPAM Filters are not designed to recognize / decode a QR Code present in an email.
. "QR Code Art" (artistic images mixed with a QR Code) makes detection even more difficult, both for the User and for Anti-SPAM Filters.

 

Personal Devices vs Cybersecurity

"Many Corporate Computers & Devices have built-in Security Tools designed to detect Phishing and prevent Users from opening Malicious Links. However, when a Personal Device is introduced into the equation, these Tools are no longer effective."

"The 2023 Not (Cyber) Safe For Work Report, released by the Agency, describes that 97% of Respondents access Work Accounts on their Personal Devices and 95% use Personal Devices for Multifactor Authentication ..."

 

How to Prevent QR Code Attacks ?

The main ways to prevent QR Code Attacks are:

  • E-mail Security

As an example, I cite Cisco Secure Email, which can detect and analyze QR Codes included in an e-mail (take a look at the Cisco Secure Email Threat Defense Release Notes).

  • Security Awareness

The "Human Factor" is one of the Pillars of Information Security, and Cyber Security Awareness (education about digital risks and how to prevent them) is the "tool" to face this type of Cyber Attack !!!

 

. October is celebrated worldwide as Cyber Security Awareness Month.

 

Safe Practices

Recommended:

  • Check the QR Code sticker to ensure it is not pasted over an original
  • Check the Link the QR Code redirects to

On iPhone, with Safari as Default Browser, you can View and Copy the Link:

QR Code - iPhone.png

 

On Android you can select Read QR code to View and Copy the Link:

QR Code - Android - 00.png

QR Code - Android - 01.png

 

. Anti-Malware / AntiVirus Apps offer extra protection against Malicious QR Codes.
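The "check the link" practice can be turned into a small triage routine. The following added example (not code from the article) classifies a decoded QR payload into the data types listed earlier and, for URLs, reports the properties a defender would want to look at before opening the link: plain HTTP, a raw IP address instead of a domain, a URL shortener (the usual vehicle of a Dynamic QR Code, whose destination can change after printing), punycode labels and deeply nested subdomains. The shortener list and all sample payloads are constructed for illustration.

```python
# Added example (not from the article): triage of a decoded QR payload before it is opened.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed list of well-known URL shorteners; Dynamic QR Codes usually redirect through one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "qrco.de", "is.gd"}

def classify(payload):
    """Map a decoded QR payload to the data type it carries (URL, contact, action, text)."""
    p = payload.strip()
    if p.upper().startswith("BEGIN:VCARD"):
        return "contact"
    if re.match(r"(?i)^(https?|ftp)://", p):
        return "url"
    if re.match(r"(?i)^(mailto|tel|sms|wifi):", p):
        return "action"
    return "text"

def inspect_url(url):
    """Return the reasons a defender would want to look at this link before opening it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append("user info before '@': the real host is the part after it")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if host in SHORTENERS:
        findings.append("URL shortener: destination is hidden and can change (Dynamic QR Code)")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible look-alike domain")
    if host.count(".") >= 3:
        findings.append("deeply nested subdomains: check the registered domain on the right")
    return findings

def triage(payload):
    kind = classify(payload)
    return {"type": kind, "findings": inspect_url(payload) if kind == "url" else []}

if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    for sample in ("https://www.example.com/menu", "http://bit.ly/constructed",
                   "http://203.0.113.10/login", "WIFI:S:guest;T:WPA;P:constructed;;"):
        print(sample, "->", triage(sample))
```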

 

References

Cybercriminals Tampering with QR Codes to Steal Victim Funds - FBI 18/Jan/2022

QR Codes: A Growing Vulnerability to Cybercrimes - NCC 05/Jan/2023

QR Codes - What's the Real Risk? - NCSC 08/Feb/2024

How are Attackers using QR Codes in Phishing E-mails and Lure Documents? - Cisco Talos 14/Feb/2024

Malicious QR Codes: How big of a problem is it, really? - Cisco Talos 20/Nov/2024

 

Comments
Sandro Nolasco
Level 1

Thanks for sharing

@Sandro Nolasco ... thanks !!!

Martin L
VIP

Thanks for sharing!

@Martin L ... thanks a lot !!!

Excellent explanation; it shows the creativity of criminals and helps us make users aware.

@Adonay dos Anjos ... thanks a lot !!!

Carlos Oriques
Level 1

Great post, @Marcelo Morais! Thanks for sharing!

@Carlos Oriques ,

  I'm glad you liked it !!!

 
