QR codes are used everywhere, and now hackers use them too, to evade anti-phishing mechanisms and trap unwary users with bogus sites. Here’s how to defend yourself.
Green Pass, restaurant menus, business cards, vaccination certificates. Today more and more people use QR codes for quick access to information that is a single internet connection away. This newfound popularity, however, could turn the tool into the attack vector of choice for hackers and cybercriminals.
The alert comes, among others, from Innovery, an Italian multinational specialized in cybersecurity which, analyzing the evolution of phishing attacks, identified this square code as a possible weapon in the hands of cybercriminals. According to data from the Cybersecurity & Data Protection Observatory of the Politecnico di Milano, the spread of smart working and remote work made 2020 a year of major emergencies for the cybersecurity sector, with a 40% increase in cyber attacks against companies compared to 2019.
This increase has pushed cybercriminals to find new ways to get hold of user data. QR codes are used in the most varied contexts: for accessing events and public places, for booking medical examinations, for collecting prescriptions, for electronic invoicing, to replace paper tickets and, finally, for the Green Pass itself. Precisely on the latter, in the last week of June the Italian Privacy Guarantor issued a recommendation that anyone who has already received the QR code should not share it on social networks, to avoid identity theft, scams or annoying commercial profiling.
Thanks to the versatility and speed with which a whole set of information can be transmitted, the QR code is particularly appreciated by users. In fact, according to the survey carried out by Innovery, 46% of respondents feel confident using it in the contexts listed above. Not surprisingly, use of these codes went from 9% of the public in 2020 to 14% in 2021.
“The increase in the use of mobile devices to carry out many of our daily activities exposes us to new risks, and the poor awareness of the possible threats that scanning a QR code can carry is an increasingly pressing concern,” explains Massimo Grandesso, Cybersecurity Manager at Innovery, to Wired. “QR codes sent via email manage to evade the normal anti-phishing systems: the Winter, as this technique is called, works exactly like clicking on a link, except that the link is not visible because it is encoded in the QR code, and you should use the same precautions that you use for links.”
Scanning a malicious code can in fact automatically direct unwitting users to a phishing URL, where their credentials are requested. Convinced that the link is authentic, and often confused by a website design that faithfully reproduces that of the real counterpart, the user, unaware of being the victim of a scam, types in their credentials, allowing the attackers to take control of their email or social media accounts. Scanning a malicious QR code could also lead users to an illegitimate app store, where they unknowingly download malicious apps containing ransomware, trojans or other types of malware which, once installed on the device, expose them to data theft and privacy violations.
In the case of the Green Pass, as stated by the Privacy Guarantor, there is a risk of handing over very valuable personal data such as the name, date and place of birth and the vaccine doses received, but also any rapid or molecular swabs and all other medical information shared with doctors during the pre-vaccination history. All of this is information that can be used in targeted scams, in commercial profiling or even for “identity theft”, committing cybercrime or scamming other unfortunates under the identity of another victim.
“As in the case of e-mail phishing, even in the face of this new type of attack, which is not highly complex, the simplest and most immediate solution is to intervene on the human factor to mitigate the risks, raising awareness among employees and citizens in general through training courses and communication campaigns on the new attack techniques that we may come up against,” Massimo Grandesso explains to Wired. “There are many secure apps for QR code scanning that allow users to preview websites, plus it is always better to use reliable sources to download applications, such as Apple’s App Store or Google’s Play Store,” Grandesso continues.
Furthermore, QR codes are also used to carry out bitcoin transactions between users: scanning one is enough to trigger a cryptocurrency transfer. In this way, Innovery reports, in the month of March 2020 alone, 45 thousand dollars in bitcoin were stolen using malicious scanning apps.
How to limit the risks of using QR codes?
As with phishing emails, special attention is required when scanning QR codes with corporate or private mobile devices, which are often less protected than the classic workstation. In these cases, the probability of landing on hostile sites or downloading malicious applications capable of evading the infrastructure’s security systems is very high.
Among the tips to limit the risks of using QR codes, the cybersecurity experts mention:
• Do not share QR codes containing your data unless necessary;
• Always avoid the automatic opening of a page from a QR code; first carefully check the URL it will land on;
• Always make sure that the QR code comes from an accredited source and, when dealing with printed codes, such as on a menu, make sure they are the originals and that duplicates have not been pasted over them;
• If your device does not have an integrated QR reader, always remember to download qualified apps;
• Avoid scanning QR codes from social channels or emails if you were not expecting them.
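The second tip above (look at the decoded link before letting anything open it) is the one a scanner app can help with. The following is an added example, not code from the article or from Innovery: given the text decoded from a QR code, it previews what opening it would do and lists reasons to stop. The sample payloads, the shortener list and the "registered domain = last two labels" approximation are constructed assumptions for the example.

```python
from urllib.parse import urlsplit
import ipaddress

# Schemes a scanner app may hand to another app (wallet, store, dialler)
# instead of showing a web page; the article mentions bitcoin transfers.
HANDOFF_SCHEMES = {"bitcoin", "market", "intent", "itms-apps", "tel", "sms", "mailto"}
# Constructed sample of link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def inspect_qr_payload(payload: str) -> dict:
    """Preview what a decoded QR payload would do, without opening it.

    Returns the parsed pieces plus a list of reasons to stop and look.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    findings = []
    if not scheme:
        return {"kind": "text", "host": "", "findings": findings}
    if scheme in HANDOFF_SCHEMES:
        findings.append(f"'{scheme}:' opens another app (wallet, store, dialler), not a web page")
        return {"kind": scheme, "host": "", "findings": findings}
    if scheme not in ("http", "https"):
        findings.append(f"unusual scheme '{scheme}:'")
    if scheme == "http":
        findings.append("plain http: the page and anything you type travel unencrypted")
    if parts.username is not None:
        findings.append("user@host form: the text before '@' is not the site you land on")
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a named site")
        return {"kind": scheme, "host": host, "registered": host, "findings": findings}
    except ValueError:
        pass
    labels = host.split(".")
    if any(l.startswith("xn--") for l in labels) or not host.isascii():
        findings.append("internationalised host name: letters may only look like the brand's")
    if host in SHORTENERS:
        findings.append("link shortener: the real destination is hidden behind a redirect")
    # Assumption: the registered domain is the last two labels. Real code should
    # consult the Public Suffix List (e.g. co.uk needs three).
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if len(labels) > 3:
        findings.append(f"deep subdomain: you actually reach {registered}, whatever the prefix says")
    return {"kind": scheme, "host": host, "registered": registered, "findings": findings}
```

An empty findings list is not proof the link is safe; it only means nothing in the URL's shape contradicts what the code claims to be.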