Beware of malicious QR codes, they can hide anywhere!

Hackers are increasingly using QR codes to deceive Internet users. A hacker showed us some cool scenarios. It is better to know them so as not to be deceived.

Since the Covid crisis, they have been everywhere: on vaccine certificates, in bars and restaurants, on billboards, on soda or sparkling water bottles, and more. QR codes are now part of our daily lives and we use them almost mechanically, without asking ourselves many questions. And yet this is high-risk behavior, believes Len Noe, security researcher at publisher CyberArk. “QR codes should be treated the same as an email link from a stranger. Before one is scanned, you must first clearly identify the site to which it is headed. If necessary, you must leave the navigation,” he explained to us, on a visit to Paris.

The way we use QR codes, he says, is a security change. “For years, we’ve been trying to educate people to stop clicking on anything, and the message is starting to come in. But with QR codes, it’s back to square one. During the last Super Bowl, for example, an ad was broadcast with only one QR code, with no other explanation. In one minute, 20 million people visited the underlying site, without knowing where they were going. It’s crazy!” he pointed out.

Hacker Len Noe is also a biohacker, with a magnetic probe stuck in his hand.

Hackers, of course, are already well aware of this and have added QR codes to their arsenal. “QR code attacks are being carried out every day, all over the world. But we still have very little to say about it,” the researcher explains, before mentioning a few examples:

  • In China, fake tickets with QR codes are placed in poorly parked cars. The QR code directs motorists to an online payment service… for the benefit of hackers;
  • In Texas, fake QR codes are stamped on parking meters that lead to a fake payment site (“Quick Way Parking”), with the goal of collecting bank card data;
  • In Germany, QR codes are embedded in emails purportedly from banking institutions and prompt recipients to log into their accounts. “For the pirate, the advantage of the QR code is that it is not checked by the antivirus engine, unlike a classic hyperlink”, points out Len Noe.

By way of demonstration, the researcher showed us three attacks performed in the laboratory but inspired by real cases. The first is simple: a QR code accompanies a fake ad for a fake job board. The victim then lands on a site urging him to provide a lot of personal information, which is sent by email to a hacker’s address.

QR Code Attack Scenario / Len Noe / CyberArk

The second, more sophisticated, relies on a fake restaurant menu site. If the victim connects to it, the attacker can, thanks to an open source penetration testing tool called BeEF (Browser Exploitation Framework), execute JavaScript code on the victim’s device. This allows the attacker, for example, to collect information (geolocation, configuration data, SIM card data, etc.) and launch other attacks, for example by overlaying fake login interfaces.


The final scenario is the most complicated, but also the one with the most impact. Len Noe created a hacked version of the Covid certificate application. The QR code is used to take the victim to a fake Google Play site, where he can download the infected app. Once installed, it allows the attacker to spy on the victim: access to SMS, access to microphone and camera, access to logs, and more.


In short, as we can see, QR codes are not as harmless as they appear. As they are new, we don’t yet have the reflex to be wary enough of them. To avoid being deceived, it is necessary to verify the legitimacy of the hyperlink encoded in the QR code. In a restaurant, this can be complicated, as menus are often hosted by little-known third-party providers. “It is better, in this case, to directly consult the website of the restaurant to access the menu card. Or else ask for the paper version,” advises Len Noe. In addition, he recommends never using a QR code to download an application or to make an electronic payment. You have been warned.
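As an illustration of that advice, here is a small check a scanner app or mail gateway could run on the text decoded from a QR code before anything is opened. It is an added example, not code from Len Noe or CyberArk; the trusted-host list, the installer suffixes and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hosts the user already trusts (assumption).
TRUSTED_HOSTS = {"menu.example.org"}
# File types that install software; the article advises never installing from a QR code.
INSTALLER_SUFFIXES = (".apk", ".ipa", ".exe", ".msi", ".dmg")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def vet_qr_payload(payload, trusted=TRUSTED_HOSTS):
    """Return (host, warnings) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return "", ["malformed URL"]
    if parts.scheme not in ("http", "https"):
        return host, [f"non-web scheme {parts.scheme!r}"]
    if not host:
        return "", ["no host in URL"]
    warnings = []
    if parts.scheme == "http":
        warnings.append("unencrypted http")
    if parts.username is not None:
        warnings.append("text before '@' disguises the real host")
    if is_ip_literal(host):
        warnings.append("raw IP address instead of a name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible look-alike domain)")
    if parts.path.lower().endswith(INSTALLER_SUFFIXES):
        warnings.append("link downloads an installable app")
    if host not in trusted:
        warnings.append("host is not on the trusted list")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://menu.example.org/table/12",
                   "https://play.google.com@apps.example.net/covid-cert.apk",
                   "http://192.0.2.10/pay"):
        host, warnings = vet_qr_payload(sample)
        print(f"{sample}\n  real host: {host or '(none)'}\n  warnings: {warnings or 'none'}")
```

The point of returning the parsed host separately is that it is the name the user should be shown and asked to confirm, rather than the raw string, which can be crafted to look like a familiar site.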


