UPDATED 09:00 EDT / OCTOBER 18 2023

SlashNext report warns users of the hidden dangers of QR codes

A new report released today by phishing protection company SlashNext Inc. warns that an increasing number of cybercriminals are exploiting the widespread use of QR codes to launch sophisticated phishing attacks.

The report highlights the vulnerabilities and potential risks associated with the uninformed use of QR codes. The report also sheds light on the urgent need for heightened digital security awareness and protective measures around QR codes.

The proliferation of QR or Quick Response codes has been remarkable. Originally developed in 1994 by a Japanese automobile manufacturing firm to track parts, the modern take on barcodes has evolved into one of the most versatile tools in the modern era, driven by nearly universal smartphone adoption. From digital payments and restaurant menus to contactless ticketing and marketing campaigns, QR codes have seamlessly integrated into various parts of modern life.

However, the convenience of QR codes has a catch: They can be and are being used for malicious purposes. Quishing — a portmanteau of “QR” and “phishing” — is now a thing, as the report warns that cybercriminals are embedding phishing links and malware downloads within QR codes.

Unsuspecting users, trusting the legitimacy of QR codes, can be redirected to malicious sites aimed at stealing sensitive data or tricked into inadvertently downloading malware onto their devices. Such threats have been accentuated since the COVID-19 pandemic, with cybercriminals exploiting the increasing reliance on contactless operations.

Another risk highlighted in the report is a more niche threat known as QRLJacking, for Quick Response Code Login Jacking. It involves attackers exploiting the “login with QR code” feature adopted by numerous apps and websites. A typical QRLJacking attack involves tricking a user into scanning an attacker-controlled QR code, leading to session hijacking.

The report concludes by noting how cybercriminals are shifting their attack methods, including their increasing predilection for leveraging QR codes as attack vectors. Cybercriminals are capitalizing on the trust users place in QR codes, along with a general lack of awareness about potential threats.

SlashNext advocates for a multitiered approach to mitigate the threats posed by malicious QR codes. First is the urgent need for education and awareness campaigns, ensuring users are cautious of QR codes, especially from unverified sources. Organizations are also advised to refine and update their security protocols by integrating protection tailored to scan and identify malevolent QR codes.

Timothy Morris, chief security advisor at cybersecurity and systems management company Tanium Inc., told SiliconANGLE that users should be extremely suspicious of QR codes that arrive via email.

“As we see with any phishing attempt, be suspicious of anything from unknown sources or that instills a sense of urgency,” he said. “Report it as a phish, delete it or ignore it. For enterprises, it is of the utmost importance to employ good email security, use web content filtering and provide user training.”
