Nearly 90 million smartphone users in the U.S. alone have used QR codes on their mobile devices. By 2025, that number is projected to grow to 100 million. As people have become more comfortable using QR codes, threat actors have begun using them to find yet another way to steal credentials and access sensitive information.
Cybercriminals have become sophisticated in how they target businesses. The same AI tools that are being used to help employees are being used by threat actors to scale attacks. This includes creating malicious QR codes to steal sensitive information.
Here are some of the risks of QR codes and how you can fortify your cybersecurity posture against QR code attacks.
Cybersecurity Risks of QR Codes
Your business may be exposed to risks in various ways. A cell phone cyber attack can uncover:
Tracked Online Activity
QR codes can direct users to a specific URL, allowing threat actors to monitor browsing behavior, such as the pages visited and time spent on each page. This tracking may seem harmless, but when combined with other data, it can lead to targeted attacks or data breaches.
Collected Data
QR codes can be designed to collect data from users, such as IP addresses, geographic locations, and information entered into forms on a landing page, such as login credentials. Threat actors can use malicious QR codes for data collection leading to unauthorized access to sensitive information, identity theft, social engineering attack types, or further phishing attempts.
Unauthorized Access to Financial Data
QR codes pose a particularly dangerous risk when they are used to gain access to financial data. For example, QR codes in emails or text messages might prompt users to log into their bank accounts or make payments. If the QR code directs the user to a fake site, the attacker can harvest bank login credentials or credit card info and take over accounts.
Attack Vectors
Some of the more common attack vectors include:
- QR code cloning: Attackers create fake codes that look identical to legitimate ones, leading users to malicious websites.
- Phishing attacks: QR codes are used to direct users to fake websites that mimic legitimate login pages, capturing credentials for identity theft or fraud.
- Public network attacks: Scanning QR codes on unsecured public Wi-Fi networks can allow attackers to intercept sensitive data transmitted between devices.
- Scanning malware attacks: Some QR codes trigger the download of malicious software, giving attackers remote access to sensitive information on the device.
- QRLjacking: Some organizations enable users to log in using quick response code logins (QRLs) to bypass password authentication. When malicious QRLs are scanned, devices are compromised.
QR Code Security Awareness Training
Conducting a cybersecurity test at your organization can help mitigate risk. Cybersecurity testing puts employees through the paces, simulating a social engineering attack targeting users' mobile device synchronization for corporate email access via QR codes.
How the Test Works
Mitnick Security Awareness Training educates employees about the potential risks associated with QR codes, showing them how to recognize dangers and improve security for email and mobile devices. A simulated attack demonstrates how easy it is to fall victim to a breach and how important it is to verify the authenticity of requests before acting.
The cybersecurity test follows this process:
1. Launch Email With a QR Code
Employees are sent an electronic message that contains a unique QR code along with guidance on how to sync their smartphones or tablets with their company email.
2. Scan QR Code
Employees will proceed to scan the QR code using their mobile phones, assuming it to be a standard procedure for synchronization.
3. Redirect to “Malicious” Server
Upon scanning the QR code, users are redirected without realizing they are not connecting to a legitimate company server.
4. Harvest Credentials
After inputting their information, browsing session cookies will be intercepted and “stolen” by the Mitnick Security training team, giving them unauthorized access to sensitive information.
5. Confirm Credential Input
Following credential submission, users are redirected to a false confirmation page. This page will assure users that mobile email access has been enabled and make them feel comfortable they have taken the right action.
6. Hijack the Browsing Session
After stealing the victim's credentials and session cookies, “attackers” can use this information to restore the victim's session in their own browser. This enables the attacker to effectively hijack the victim's browsing session without them knowing.
Cybersecurity Testing Helps Mitigate QR Attacks
QR codes are a convenient way to access information, but they can also create significant risk. While most employees have been trained to recognize email phishing attempts, cybercriminals are now exploiting QR codes as another attack vector.
Mitnick Security’s cybersecurity testing specifically for QR code attacks can help protect your employees and organization. By taking proactive steps, such as conducting a cybersecurity test, you can reduce your risk and improve your overall cybersecurity posture. Connect with our team today to learn more about Security Awareness Training from Mitnick Security
