How criminals use QR codes to launch attacks

In the age of enhanced tech capabilities such as Artificial Intelligence (AI), the experts foresee heightened aggression in the deployment of such attacks, noting that scams will become more targeted, more convincing and harder to spot.


As the cyber threat landscape continues to evolve and new tech-driven attacks emerge, industry experts are sounding the alarm over risks hidden behind scannable Quick Response (QR) codes.

Researchers at cybersecurity firm Kaspersky say the now-ubiquitous codes are increasingly becoming a convenient tool of exploitation for cybercriminals, who have already rolled out a variety of QR-based attack schemes.

QR codes are two-dimensional barcodes that a smartphone camera can scan to retrieve information quickly. They have grown into a versatile tool for purposes ranging from marketing and advertising to inventory tracking and access to online content.

They are also widely used as a convenient pathway to opening websites, downloading apps, collecting loyalty programme points, making payments and even for charity donations, among a range of other uses.

According to Kaspersky, the top security risks users run into when scanning QR codes include phishing and redirection to malicious sites, malware downloads, payment fraud and unsafe automatic connections, such as a code that joins the phone to a Wi-Fi network without the user reading the network details.

But how exactly do threat actors engineer these QR-powered attacks?

According to Anthony Muiyuro, East Africa regional director at global internet service provider Syntura, cybercriminals exploit QR codes by embedding malicious URLs or payloads that, once scanned, lead users to phishing websites or trigger downloads of malware.

“What makes these attacks so effective is the trust we inherently place in QR codes – they’re compact, widely used, and cannot be visually interpreted by the human eye. Most people scan without a second thought, and unlike clicking a suspicious link, there’s no immediate red flag,” says Mr Muiyuro.

“Furthermore, attackers often overlay fake QR codes on top of legitimate ones in public spaces, making the scam almost invisible to the naked eye,” he adds.

Noting that it is not possible to tell a safe QR code from a malicious one at face value, Mr Muiyuro recommends precautionary steps that can help users avoid the associated risks.

These include previewing the link, since modern smartphones show the decoded URL before opening it; establishing the legitimacy of the code's source; using a secure QR scanner app, which adds a layer of threat detection for the decoded content; and avoiding random QR codes in public places.
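The preview step above only helps if the reader knows what to look for in the decoded text. The following Python script is an added example written for this article, not tooling from Kaspersky, Syntura or Adili Cyber. It assumes a scanner app has already decoded the QR code to a string, and it applies the checks the experts describe: the scheme (a `WIFI:` or `intent:` payload acts before any browser opens), raw IP hosts, punycode look-alike domains, link shorteners that defeat the preview, redirect-style query parameters, direct downloads of app packages, and whether the host sits on a domain the organisation actually controls. The `TRUSTED_DOMAINS` allowlist and the sample payloads are constructed for illustration.

```python
"""Triage the decoded text of a QR code before the phone acts on it.

Added example for this article; it is not tooling from Kaspersky,
Syntura or Adili Cyber. It assumes a scanner app has already decoded
the code to a string. The trusted-domain allowlist and the sample
payloads are constructed for illustration.
"""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist: domains the organisation actually controls.
TRUSTED_DOMAINS = {"example.org", "pay.example.org"}

# Link shorteners defeat the URL preview: the visible host says nothing
# about where the scan ends up.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

# Query parameters often abused to bounce a victim to another site.
REDIRECT_PARAMS = {"url", "redirect", "next", "goto", "return", "dest"}

# Payload types that make the phone act without opening a browser.
AUTO_ACTION = ("wifi:", "intent:")                      # join a network, launch an app
OUT_OF_BROWSER = ("tel:", "sms:", "smsto:", "mailto:")  # dial, text, e-mail


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for this demo."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_qr_payload(payload: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a decoded QR payload as 'trusted', 'review' or 'block'.

    'review' means a human should confirm the source before proceeding,
    which is the article's advice for any code of unknown origin.
    """
    text = payload.strip()
    lower = text.lower()

    if lower.startswith(AUTO_ACTION):
        return {"verdict": "block",
                "reasons": ["payload triggers an automatic action outside the browser"]}
    if lower.startswith(OUT_OF_BROWSER):
        return {"verdict": "review",
                "reasons": ["payload opens the dialler, messaging or mail app"]}

    parsed = urlparse(text)
    if parsed.scheme not in ("http", "https"):
        return {"verdict": "block",
                "reasons": [f"unexpected URL scheme '{parsed.scheme or '(none)'}'"]}
    host = (parsed.hostname or "").lower()
    if not host:
        return {"verdict": "block", "reasons": ["URL has no host"]}

    reasons = []
    if parsed.scheme == "http":
        reasons.append("plain HTTP, content can be altered in transit")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a domain name")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label, possible look-alike domain")
    if "@" in parsed.netloc:
        reasons.append("user-info before the host hides the real domain")
    if _registrable(host) in SHORTENERS:
        reasons.append("link shortener hides the final destination")
    for key, values in parse_qs(parsed.query).items():
        if key.lower() in REDIRECT_PARAMS and any(
                v.lower().startswith(("http://", "https://")) for v in values):
            reasons.append(f"redirect-style parameter '{key}' points off-site")
    if parsed.path.lower().endswith((".apk", ".exe", ".msi", ".dmg", ".scr")):
        reasons.append("direct download of an executable or app package")

    on_trusted_domain = host in trusted or _registrable(host) in trusted
    if on_trusted_domain:
        verdict = "review" if reasons else "trusted"
    else:
        verdict = "block" if reasons else "review"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    for sample in (
        "https://pay.example.org/invoice/123",
        "WIFI:T:WPA;S:FreeAirportWiFi;P:welcome1;;",
        "http://bit.ly/3abcXYZ",
        "https://example.org/login?next=https://evil.test/phish",
        "https://198.51.100.7/update.apk",
    ):
        print(sample, "->", triage_qr_payload(sample))
```

The verdict logic deliberately never returns "trusted" for an unknown domain, even when no individual check fires: a clean-looking link from an unverified source is exactly the case the experts say a user cannot judge by eye, so it is left for a human to confirm.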

These precautionary measures are echoed by Leo Waweru, security operations lead at Nairobi-based cybersecurity firm Adili Cyber, who further points out a range of cues that help distinguish fake codes from legitimate ones.

“You can tell a QR code is safe to scan if it has been shared by a trusted source or reputable organisation. Most QR codes that belong to an organisation contain official logos, colours, or branding of the organisation,” says Mr Waweru.

“A malicious QR code may be sent by unknown or suspicious emails or contain unsolicited/exaggerated offers. In physical spaces, they could be placed over original QR code stickers, they can look tampered with e.g. torn on the sides or they are irregularly aligned.”

The experts single out businesses in e-commerce, hospitality, tourism, healthcare, finance, banking and fintech, and event ticketing as the most exposed, owing to their frequent use of QR-based interactions.

As a safeguard, organisations are advised to deploy dynamic QR codes with tracking and expiry features. A dynamic code encodes only a short link that the organisation controls and resolves to the real destination at scan time, so it can be monitored and disabled if suspicious activity is detected.

Mr Muiyuro further urges businesses to host QR content on verified domains under the organisation's control, and to digitally watermark or brand their QR codes so that they are harder to spoof or replace.

For his part, Mr Waweru emphasises regular physical audits at customer touchpoints for signs of tampering or substitution, and echoes the need to limit a QR code's lifespan to reduce the window of exposure.
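The business-side advice above (dynamic codes with expiry and tracking, content hosted only on domains the organisation controls, and revocation when an audit finds a replaced sticker) fits together in one small redirect service. The Python model below is an added example written for this article, not a product from Syntura, Adili Cyber or Kaspersky. The QR code carries only a short link under a hypothetical `go.example.org` domain; the destination is looked up server-side, every scan is recorded, each code carries an HMAC tag so an edited or forged token is rejected before lookup, and `create()` refuses any destination that is not HTTPS on an allowlisted host. The domains, signing key and campaign data are constructed.

```python
"""Dynamic QR redirect service with expiry, revocation and scan tracking.

Added example for this article; it is not a product from the firms
quoted. The QR code encodes only a short link under a domain the
organisation controls; the real destination is looked up server-side
at scan time. Domains, key and campaign data are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import urlparse

SHORT_LINK_BASE = "https://go.example.org/q/"                    # hypothetical
ALLOWED_DESTINATION_HOSTS = {"example.org", "pay.example.org"}   # hypothetical


class DynamicQrService:
    """In-memory stand-in for the redirect service behind a dynamic QR code."""

    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock        # injectable so expiry can be tested
        self._codes = {}           # code_id -> record

    def _sign(self, code_id: str) -> str:
        # A short HMAC tag in the printed link means a forged or edited
        # token is rejected before any lookup happens.
        return hmac.new(self._key, code_id.encode(), hashlib.sha256).hexdigest()[:16]

    def create(self, destination: str, ttl_seconds: int, label: str) -> str:
        """Register a destination; return the URL to encode in the QR code."""
        parsed = urlparse(destination)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https" or host not in ALLOWED_DESTINATION_HOSTS:
            raise ValueError("destination must be HTTPS on a domain we control")
        code_id = secrets.token_urlsafe(8)
        self._codes[code_id] = {
            "destination": destination,
            "label": label,                       # e.g. "menu sticker, table 4"
            "expires_at": self._clock() + ttl_seconds,
            "revoked": False,
            "scans": [],                          # (timestamp, scanner_ip)
        }
        return f"{SHORT_LINK_BASE}{code_id}.{self._sign(code_id)}"

    def resolve(self, token: str, scanner_ip: str) -> Tuple[Optional[str], str]:
        """Look up a scanned token; returns (destination, status)."""
        code_id, _, tag = token.partition(".")
        if not hmac.compare_digest(tag.encode(), self._sign(code_id).encode()):
            return None, "bad_signature"
        rec = self._codes.get(code_id)
        if rec is None:
            return None, "unknown"
        if rec["revoked"]:
            return None, "revoked"
        if self._clock() > rec["expires_at"]:
            return None, "expired"
        rec["scans"].append((self._clock(), scanner_ip))
        return rec["destination"], "ok"

    def revoke(self, code_id: str) -> None:
        """Disable a code, e.g. after a physical audit finds it replaced."""
        self._codes[code_id]["revoked"] = True

    def scans_in_window(self, code_id: str, seconds: float) -> int:
        """Scans in the last `seconds`; a sudden spike or silence is worth a look."""
        cutoff = self._clock() - seconds
        return sum(1 for ts, _ in self._codes[code_id]["scans"] if ts >= cutoff)


def code_id_from_link(link: str) -> str:
    """Extract the code id from a printed short link (admin/ops helper)."""
    return link[len(SHORT_LINK_BASE):].partition(".")[0]


if __name__ == "__main__":
    svc = DynamicQrService(secrets.token_bytes(32))
    link = svc.create("https://pay.example.org/menu", ttl_seconds=86_400, label="table 4")
    print("print this in the QR code:", link)
    print(svc.resolve(link[len(SHORT_LINK_BASE):], "203.0.113.5"))
    svc.revoke(code_id_from_link(link))
    print(svc.resolve(link[len(SHORT_LINK_BASE):], "203.0.113.5"))
```

Because the printed sticker never contains the destination, replacing the destination after a code is live is an authenticated change on the server rather than a reprint, and a sticker that an attacker pastes over the original cannot reuse the organisation's short link without a valid tag. Expired and revoked codes still resolve to a status rather than silently failing, which is what makes the scan log useful during an audit.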

Looking ahead, both experts expect Artificial Intelligence (AI) to raise the intensity of these attacks, with scams becoming more targeted, more convincing and harder to spot.

“AI-generated phishing pages can now closely mimic legitimate sites, making it harder for users to spot the difference. Deepfakes could also be used to create fake video messages from trusted figures urging people to scan QR codes for urgent action – from fake CEO requests to false public service announcements,” observes Muiyuro.

Mr Waweru expects the intensification of the threat to come from attackers using AI-powered tactics to change destination URLs in real time, making detection and blacklisting difficult.

“In addition, AI has the power to tailor content to the victim’s language and location increasing credibility and attack success rates,” he notes.

But amid the looming risks, Mr Muiyuro prescribes as the best defence a combination of user awareness, strong digital hygiene and secure-by-design systems from organisations.
