Lossless Blog

Hackers Compromising QR Codes to Lure Victims for Phishing Attack


What is a QR Code?

A QR code (Quick Response code) is a machine-readable two-dimensional barcode of black and white squares, usually used to store a URL or other data for reading by a smartphone camera. It can hold a large amount of information (up to 4,296 alphanumeric characters), carry links, and even trigger actions (joining a WLAN, making a payment, or starting a call). It consists of three position markers in its corners plus a pattern of black and white modules that encode a header and the data, as described in the ISO 18004 standard.

It was originally designed in 1994 by Masahiro Hara, an employee of Toyota, to simplify the traceability of automotive parts on the Japanese firm's production lines. Its ability to deliver data quickly made it popular with the arrival of smartphones, and since the COVID-19 era it has become even more widespread and is now a standard feature.

How is it hijacked?

Its greatest asset is also its greatest weakness. The speed in its name is also a serious blow. The user has no time to examine the link contained in the code: they are immediately redirected to the URL, often without the URL ever being displayed on screen for a glimpse. It is therefore possible to exploit this weakness, combined with human error through social engineering, to mount a formidable phishing attack.

For example, imagine WhatsApp asking you to scan a QR code to confirm that you are the account holder. Once you scan it, you enter your username and password to confirm your identity. By then it is already too late: what looked like a genuine verification has stolen your details. The QR code sent to your email automatically redirected you to a fake phishing page, and lulled by the efficient QR code mechanism, you never paid attention.

And it does not take highly trained hackers to exploit QR codes for malicious purposes.

How to prevent it

  • Take your time to check the authenticity of the code

As pointed out earlier, the greatest undoing of the QR code is that it is fast enough to deny the user the time to analyze the link it redirects to. Take a few moments to analyze the content of the QR code. Prefer a reader application that shows you the target link before redirecting you, and apply the verification methods taught for classic phishing. If still in doubt, you can also check the link with a third-party tool or ask the people in charge of IT security at your company.

  • Check the authenticity of the QR codes

The origin of the QR code can reveal whether it is malicious or fraudulent. In the case of an email: is the sender known? Is the message genuine? Does the sender have a reason to contact you and ask you to perform an action? In the case of a physical QR code (printed on a document or stuck on a parking meter, for example), check that the QR code was originally present, that it does not cover an original one, and that it is well integrated into the rest of the document.

  • Go back to a known site

If in doubt when entering confidential information, feel free to leave the current page and return to the relevant site by manually typing in your usual address.

  • Use a password manager

Beyond its benefits for password hygiene, a password manager will only offer to fill in credentials on a site it already knows. For example, if you saved your Microsoft Teams credentials and the manager does not offer them on what appears to be a Microsoft login page, you are not on the genuine page.

  • Train yourself to recognize phishing campaigns

Regularly informing your employees and running training campaigns can effectively reduce the risk of phishing attacks. That way, your employees will stay alert to the new methods hackers use against organizations.
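As an added illustration of the first and third tips above (not code from the original post), here is a small Python check a QR reader could run on the decoded text before opening it: it shows the real target, flags the classic phishing signs, and tells you whether you landed on a site you already know. The lists of known sites, shorteners and brand names are assumptions to adapt to your own environment.

```python
from urllib.parse import urlsplit
import ipaddress

# Hypothetical lists (assumptions, not from the article): sites the user already
# knows, shorteners that hide the destination, and brand names worth watching.
KNOWN_SITES = {"teams.microsoft.com", "login.microsoftonline.com", "web.whatsapp.com"}
KNOWN_DOMAINS = {".".join(h.split(".")[-2:]) for h in KNOWN_SITES}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRANDS = ("microsoft", "whatsapp")


def inspect_qr_payload(payload: str) -> dict:
    """Show what a scanned code would do and flag phishing signs, without opening it.

    `payload` is the text a QR reader decoded. Returns the target, the host,
    whether the host is a known site, and a list of warnings to show the user."""
    text = payload.strip()
    warnings = []
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # WIFI:, tel:, mailto: or plain text also trigger actions on a phone;
        # surface them for review instead of acting on them.
        warnings.append(f"non-web payload ({scheme or 'plain text'}): review before acting")
        return {"target": text, "host": None, "known": False, "warnings": warnings}
    host = (parts.hostname or "").lower()
    if scheme == "http":
        warnings.append("unencrypted http link")
    if parts.username is not None:
        # 'trusted.site@evil.example': the part before '@' is not the host
        warnings.append("'@' in URL: the real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible lookalike characters)")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    known = host in KNOWN_SITES
    registrable = ".".join(host.split(".")[-2:])
    if registrable not in KNOWN_DOMAINS:
        # a familiar brand name inside an unfamiliar domain is the usual lookalike trick
        for brand in BRANDS:
            if brand in host:
                warnings.append(f"'{brand}' in an unknown domain: possible lookalike")
    return {"target": text, "host": host, "known": known, "warnings": warnings}
```

A reader that displays the returned target and warnings, and only opens the link after the user confirms, gives back the few seconds the QR code's speed takes away.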

