Updated: January 30, 2015
These now-familiar square images you see in ads, magazines and posters have proved to be the easiest and cheapest way to link the real and the virtual worlds. All you have to do is take a picture of a QR code with your smartphone camera and you can follow a link to information on a website, save a contact’s telephone number or download an application. Marketing specialists love the technology for its sheer simplicity, but so do cybercriminals. Therefore, you need to be very careful when pointing your device’s camera at a QR code.
A QR code (QR being short for quick response) can contain all sorts of text information and/or links to online resources. QR codes have been popular for quite some time in Asia, and are now gaining popularity in Europe and the Americas. They can be seen everywhere: on billboards, goods exhibited in stores, on websites, various types of tickets and coupons…the list goes on and on. At the same time, scams involving QR codes are also gaining in popularity. There are many cases of malicious QR codes being neatly placed over legitimate ones. This practice, with similarities to phishing, has come to be known as QRishing.
It doesn’t take much stretch of the imagination to see just how dangerous a QR code could be when displayed in a public place: in the subway, at an airport, a train station, or in a bank, for instance on an ATM. Most people will implicitly trust adverts, and would never imagine such a threat could be lurking in the building of a major bank.
When a user takes a photo of a QR code, the link it stores is first displayed on the device’s screen; however, cybercriminals also use URL shortening services (such as bit.ly and others) to disguise the ultimate address stored in the QR code which may lead to a page with malware that steals the user’s credentials or to a phishing site.
The situation is further complicated by the fact that a mobile browser may not always be capable of displaying the complete URL of the opened page, which is a real handicap when trying to spot a scam. To make matters worse, mobile devices are often not as well protected from malware.
To reduce this type of threat, follow three simple recommendations:
- Be careful. Before scanning a QR code, make sure it is not covering another code. If in doubt, do no scan.
- After opening an app store or a website in your browser, make sure that the QR code has taken you to the place you expected to go. If you are about to install an application, make sure it was developed by the company whose ad or info you saw. Check to see the application’s rating and/or customer feedback. If there are very few or none at all, it’s best to postpone the installation. If a code leads to a website, check the complete URL; otherwise, you may fall victim to a phishing scam. Extra caution is advised before entering your personal data or credentials, including email or e-banking data.
- If your smartphone allows the installation of security applications that check sites for malicious content and downloaded software for malware, make sure you install such an application. This is especially appropriate for Android smartphones, which are now targeted by thousands of malware programs.
As of end of January, 2015, there is a new and convenient way to avoid malicious links in QR codes – the Kaspersky QR Scanner app. The application, designed both for iOS and Android devices, offers a powerful bundle of scanning and security features.
It functions just as many other QR scanning tools, but employs a smart enhancement: it instantly checks all the links detected in the QR code and notifies the user should there be any threat before redirecting him to the web link.