The Portuguese version of this Article can be found at: QR Codes Maliciosos.

 


 

QR Code

What is a QR Code ?

Created in 1994 by a Japanese Company that manufactures automotive components, the QR Code (Quick Response Code) is a Two-Dimensional Barcode (2D Barcode) that stores Data and can be "read" by a Camera.

As of 2017, Smartphones began to integrate QR Code Scanner features directly into their Software, eliminating the need for Third-Party Apps and facilitating its widespread adoption.

 

. The use of QR Codes gained great prominence in 2020, during the COVID-19 Pandemic, as a contactless way to obtain important information.

 

What is a Dynamic QR Code ?

What makes a QR Code "dynamic" is that the URL encoded in it redirects to a second URL that can be changed on demand, even after a Code is printed. "Static" QR Codes cannot be changed in this way.

Dynamic QR Codes:

  • have a Short and Clean URL
  • take less time to Scan
  • can track Data such as Number of Scans, Location and Time

 

. It is not possible to convert a Dynamic QR Code into a Static QR Code or vice versa.

 

Static QR Code vs Dynamic QR Code

[Image: Static QR Code vs Dynamic QR Code]

  

What is the Structure of a QR Code ?

The main structures of a QR Code are:

  • Positioning Patterns: the three large Squares at the corners of a QR Code help your Scanner locate and align the Code, even if it is tilted or at an odd angle.

[Image: Positioning Patterns]

 

  • Timing Patterns: the lines of alternating Black and White Pixels between the Positioning Patterns help the Scanner measure the dimensions of the QR Code.

[Image: Timing Patterns]

 

  • Alignment Patterns: these Small Squares on the grid help the Scanner read the Code accurately, even if it is on a curved or uneven surface.

[Image: Alignment Patterns]

 

  • Data and Error Correction Keys: the small Black and White Squares that actually store the Encoded Information.

[Image: Data and Error Correction Keys]

 

  • Quiet Zone: a White Space that helps QR Code Scanners differentiate the Code from the Environment.

[Image: Quiet Zone]

 

Example of a Custom QR Code Structure (ISE Deployment and Operation: Lessons from Large, Complex Environment):

[Image: QR Code - ISE Deployment and Operation]

 

. A 1D Barcode can store up to 85 Characters.
. QR Codes can store up to 4,296 Alphanumeric Characters or 7,089 Numeric Characters.
. QR Codes encode information in Binary Format (Black Square represents 1 and White Square represents 0).
. QR Codes can still be read if up to 30% of the Code is damaged (depending on the Error Correction Level used).
. QR Codes can be customized with Logos and Images.

 

What are the main uses of a QR Code ?

QR Codes can store different types of Data:

  • URLs - directing Users to a Website or App
  • Text - displaying a Message or Instruction
  • Contact Information - sharing vCards to quickly save Contacts
  • Payment Links - facilitating Transactions with just a Scan

 

Security Issues

Cybercriminals can:

  • tamper with legitimate QR Codes by replacing them completely (via QR Code stickers).
  • use a Social Engineering Attack known as Quishing.

 

What is Quishing ?

Quishing (QR Code Phishing) is a Cyber Threat in which Cybercriminals use QR Codes to redirect Victims to Malicious Websites or induce them to Download harmful content !!!

 

. Phishing is a form of Cybercrime in which Cybercriminals attempt to obtain confidential information from you via email with fraudulent links.
. According to data from Cisco Talos, around 60% of all emails containing a QR Code are SPAM.
. Most Anti-SPAM Filters are not designed to recognize / decode a QR Code present in an email.
. "QR Code Art" (artistic images mixed with a QR Code) makes it even more difficult to detect, both by the User and by Anti-SPAM Filters.

 

Personal Devices vs Cybersecurity

"Many Corporate Computers & Devices have built-in Security Tools designed to detect Phishing and prevent Users from opening Malicious Links. However, when a Personal Device is introduced into the equation, these Tools are no longer effective."

"The 2023 Not (Cyber) Safe For Work Report, released by the Agency, describes that 97% of Respondents access Work Accounts on their Personal Devices and 95% use Personal Devices for Multifactor Authentication ..."

 

How to Prevent QR Code Attacks ?

The main ways to prevent QR Code Attacks are:

  • E-mail Security

As an example, I cite Cisco Secure Email, which has detection and analysis capabilities for QR Codes included in an e-mail (take a look at the Cisco Secure Email Threat Defense Release Notes).

  • Security Awareness

The "Human Factor" is one of the Pillars of Information Security, and Cyber Security Awareness (education about digital risks and how to prevent them) is the "tool" to face this type of Cyber Attack !!!

 

. October is celebrated worldwide as Cyber Security Awareness Month.

 

Safe Practices

Recommended:

  • Check the QR Code sticker to ensure it is not pasted over an original
  • Check the Link redirected by the QR Code

On iPhone, with Safari as the Default Browser, you can View and Copy the Link:

[Image: QR Code - iPhone]

 

On Android you can select Read QR code to View and Copy the Link:

[Image: QR Code - Android - 00]

[Image: QR Code - Android - 01]

 

. Anti-Malware / AntiVirus Apps offer extra protection against Malicious QR Codes.
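Added example (not code from the original article): a Python triage of the text decoded from a QR Code, applying the "Check the Link" advice above together with the Dynamic QR Code redirect mechanism described earlier, so the final destination is known before anything is opened. The redirect resolver is an offline map of constructed placeholder hosts standing in for the HTTP requests a real checker would issue.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample of a "dynamic" QR Code: the short URL printed in the
# code hops twice before landing. All hosts are placeholders, not real ones.
SAMPLE_REDIRECTS = {
    "https://short.example/abc": "https://redirect.example/r?id=7",
    "https://redirect.example/r?id=7": "http://login.example.net/verify",
}

@dataclass
class Triage:
    kind: str                                  # url, vcard, action or text
    hops: list = field(default_factory=list)   # redirect chain, hops[0] = encoded URL
    warnings: list = field(default_factory=list)

def classify(payload: str) -> str:
    # Payload types named in the article, plus action URIs a phone acts on
    low = payload.strip().lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if low.startswith("begin:vcard"):
        return "vcard"
    if low.startswith(("tel:", "sms:", "mailto:")):
        return "action"
    return "text"

def resolve_chain(url: str, lookup, max_hops: int = 5) -> list:
    # lookup(url) returns the next URL or None; a real tool would use HTTP HEAD
    chain = [url]
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None or nxt in chain:      # landed, or redirect loop
            break
        chain.append(nxt)
    return chain

def triage(payload: str, lookup=SAMPLE_REDIRECTS.get) -> Triage:
    result = Triage(classify(payload))
    if result.kind == "action":
        result.warnings.append("payload triggers a call/SMS/mail, not a web page")
    if result.kind != "url":
        return result
    result.hops = resolve_chain(payload.strip(), lookup)
    first, last = urlsplit(result.hops[0]), urlsplit(result.hops[-1])
    if first.hostname != last.hostname:
        result.warnings.append(f"final host {last.hostname} differs from {first.hostname}")
    if last.scheme != "https":
        result.warnings.append("final destination is not HTTPS")
    return result
```

An empty warnings list means the code points straight at an HTTPS page on the host it displays; anything else is worth reading before tapping.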

 

References

Cybercriminals Tampering with QR Codes to Steal Victim Funds - FBI 18/Jan/2022

QR Codes: A Growing Vulnerability to Cybercrimes. NCC 05/Jan/2023

QR Codes - What's the Real Risk ? - NCSC 08/Feb/2024

How are Attackers using QR Codes in Phishing E-mails and Lure Documents ? - Cisco Talos 14/Feb/2024

Malicious QR Codes: How big of a problem is it, really ? - Cisco Talos 20/Nov/2024

 

Comments
Sandro Nolasco
Level 1

Tks for sharing

@Sandro Nolasco ... thanks !!!

Martin L
VIP

Thanks for sharing!

@Martin L ... thanks a lot !!!

Excellent explanation; it shows the creativity of criminals and helps us to make users aware.

@Adonay dos Anjos ... thanks a lot !!!
