When Leonardo da Vinci completed his famed Mona Lisa painting during the Italian Renaissance in the early 1500s, it was almost to be expected that the artist would produce a masterpiece. Yet the painting, now resting in the Louvre Museum in Paris, became over time the object of considerable study that continues till today. The painting is said to contain numerous clues as to the identity of the subject, the countryside background, even the ideology, and vast knowledge of the sciences of the painter.
Yet da Vinci and other artists over the centuries have not been the only ones to embed messages in images. Many others have followed suit, conveying messages for various ends. And some have used the medium to conceal messages intended to misguide, trick, and exploit unwitting viewers.
The QR or Quick Response Code is one such example.
What are QR codes?
QR codes are the descendants of the once ubiquitous bar codes that still label many consumer products. Apart from the amount of data that can be stored, the main difference between the two optical labels is that a bar code stores information in one dimension (horizontally) while a QR code stores it in two (horizontally and vertically). The stored information can be a URL, product details, contact information and the like. Invented in Japan in the nineties for production management in the automobile industry, the QR code, a seemingly innocuous maze of black and white squares, has become almost ubiquitous with the evolution of scanning devices and related apps. Today QR codes are used to direct users to URLs, to fill in forms or submit responses online, and to effect payments and remittances for commercial transactions.
The bad picture
A QR Code is generated with software called a QR Code Generator, which lets users create the two-dimensional matrix barcode and embed information of their choice. Codes come in simple (static) versions, in more advanced versions whose content can be modified, and in versions that require a password to access the information they contain, but all of them consist of a seemingly random pattern of black-and-white squares. The pattern means nothing to the human eye; it can be read only by an imaging device such as a camera. This means that it is impossible to judge a code's genuineness merely by looking at it. Taking advantage of the ability to embed malicious links in a QR Code, scammers have been using them to exfiltrate personal information and trick users into making payments.
Understanding the scams
Many experts say part of the problem inherent in QR Codes can be traced to their proliferation across our digital world. QR Code Chimp (1) provides some interesting statistics on QR code usage by country. A June 2021 survey showed that at least 45% of US citizens had scanned a code at least once in three months. Figures for China indicate that at least 50% of the population scan a code several times a week, with some scanning up to 15 times in a single day. In India, where some 9 million commercial enterprises accept QR Code payments, the same month recorded a staggering 2.8 billion transactions totaling some INR 5 trillion. CSO Online (2) in a 2023 article reported that 83% of respondents admitted to using a QR code for a financial transaction in the three months prior to the survey, yet almost without exception they were unaware of the risks inherent in doing so. Only 47% knew that scanning a QR code could open a URL and only 37% knew that it could download an application.
This proliferation may speak volumes for efforts directed at digitalizing payments to curb monetary malpractices, but it has also resulted in misplaced trust on the part of users who, intent on making ‘timely’ payments, unhesitatingly scan QR Codes presented to them. Forbes (4) presents an interesting view of how QR Codes act on the part of the brain that triggers a ‘fight or flight’ response. Apparently this response overrides the frontal lobe, which would otherwise suggest that the individual take a rational approach when presented with a QR Code.
Mobile security experts also attribute the increase in scams to the unrestrained use of unprotected mobile devices to connect to other devices and to cloud-based applications, which makes them prime candidates for identity theft and credential compromise.
Quishing – the QR Code scam
Another in a long list of phishing scams, the compromise of QR Codes for nefarious purposes is known as Quishing. It takes the form of illegitimate QR Codes on printed or electronic media. Recent times have witnessed a surge in email quishing, as opposed to quishing at commercial establishments, because emails arrive over the internet, often from unknown sources, and are not easily verifiable.
Quishing scams are cleverly designed, often compelling users to move from their desktop to a mobile device, which arguably has weaker protections against quishing. Once the QR Code is scanned, the user is directed to a malicious website that solicits payment or captures sensitive personal data. Sophisticated QR Code compromise can even spread mobile malware or steal organizational login credentials for future attacks.
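As an added illustration of the email quishing pattern just described (not part of the original article), the following Python triage heuristic looks for the combination a mail gateway can see even though it has no link to follow: an attached image, body text urging the reader to scan it with a phone, no clickable URL, and urgency language. The sample messages, the indicator phrase lists, and the `quishing_indicators` helper are all constructed for this example and are not any vendor's rules.

```python
import email
import re
from email.message import EmailMessage

# Phrases used to push a recipient away from the desktop mail client to a phone camera.
# Constructed, non-exhaustive indicator lists for triage; not the article's own rules.
SCAN_PROMPTS = re.compile(
    r"\b(scan (this|the) (qr )?code|use your (mobile|phone) camera|open (the|your) camera)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ hours|account (will be )?(suspended|locked)|expires? today)\b", re.I)


def quishing_indicators(raw_message: str) -> dict:
    """Score an RFC 822 message for the quishing pattern: an embedded image plus text
    urging the reader to scan it, with no clickable link a gateway could inspect.
    Hypothetical helper written for this example."""
    msg = email.message_from_string(raw_message)
    image_parts = 0
    text_chunks = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            text_chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = re.sub(r"<[^>]+>", " ", "\n".join(text_chunks))  # drop HTML tags before matching
    has_link = re.search(r"https?://", body) is not None

    indicators = []
    if image_parts and SCAN_PROMPTS.search(body):
        indicators.append("image-with-scan-prompt")
    if image_parts and not has_link:
        indicators.append("image-but-no-clickable-link")
    if URGENCY.search(body):
        indicators.append("urgency-language")
    return {"images": image_parts, "indicators": indicators, "score": len(indicators)}


def build_sample(subject: str, body: str, attach_image: bool) -> str:
    """Build a constructed sample message; the 'image' is placeholder bytes, not a real QR code."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attach_image:
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # placeholder bytes, not a valid image
        msg.add_attachment(fake_png, maintype="image", subtype="png", filename="qr.png")
    return msg.as_string()


# Constructed samples: one mimics the quishing lure, one is an ordinary internal mail.
QUISHING_SAMPLE = build_sample(
    "Action required: verify your mailbox",
    "Your account will be suspended within 24 hours.\n"
    "Scan the QR code below with your phone camera to verify your identity.\n",
    attach_image=True,
)

BENIGN_SAMPLE = build_sample(
    "Team newsletter",
    "This month's newsletter is at https://intranet.example.test/news\n"
    "Photo from the offsite attached.\n",
    attach_image=True,
)

if __name__ == "__main__":
    for name, sample in (("quishing", QUISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, quishing_indicators(sample))
```

A rule like this is a triage signal, not a verdict: the newsletter with a photo and an ordinary link scores zero, while a message that pairs a lone image with a scan prompt and a deadline is worth routing for review or handing to a scanner that actually decodes the image.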
The surge in quishing scams
The earliest cases of QR Code scams can be traced back to the last decade. The Covid-19 period witnessed a spurt in scams, as a number of organizations went digital in order to manage their payment gateways. The last few years, however, have seen an unprecedented increase in these scams, with some countries, like India, experiencing an exponential surge as digital payment gateways multiply.
Curbing the menace
The safeguards against quishing are quite similar to those against phishing (3). Measures that could contribute to curbing the menace include:
- Educating employees about quishing scams, particularly those arriving in business emails
- Following basic cybersecurity hygiene: using protected devices, particularly when accessing organization networks, and strong passwords
- Applying a no-scan rule to QR Codes received from unfamiliar sources
- Exercising caution by double-checking where a QR code leads, even when it comes from a bona fide source, to rule out a compromised code
- Thinking twice and reacting calmly when processing QR Code-related information
- Steering clear of destination URLs that ask for personal information or are not served over HTTPS
- Ascertaining that, on physical media, a QR Code has not been surreptitiously pasted over the original
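The list above advises checking where a QR Code leads before acting on it, and the earlier section notes that the pattern itself tells the eye nothing. As an added example that is not part of the article, the Python function below takes the text a scanner app decodes from a code and reports the properties a cautious user or a mobile-device policy would check before opening it: the scheme (a non-web payload such as a Wi-Fi or tel: action is refused outright), HTTPS, user-info tricks in the URL, IP-literal or punycode hosts, URL shorteners that hide the real destination, and overly nested hostnames. The `vet_qr_payload` name, the flag names, the shortener list and the sample payloads are all assumptions constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames of common URL shorteners: the final destination sits behind a redirect,
# so the visible link cannot be vetted. Constructed, non-exhaustive list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def vet_qr_payload(payload: str) -> dict:
    """Classify the text decoded from a QR code and return risk flags.
    Hypothetical helper for this example; an empty flag list means nothing suspicious
    was found, not that the destination is trustworthy."""
    flags = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, mailto:, WIFI: and similar payloads trigger an action on the
        # phone rather than opening a page; refuse them rather than guess.
        flags.append("non-web-scheme:" + (scheme or "none"))
        return {"scheme": scheme, "host": None, "flags": flags, "safe_to_open": False}

    host = (parts.hostname or "").lower()
    if scheme != "https":
        flags.append("no-https")
    if parts.username is not None or parts.password is not None:
        # "https://bank.example@evil.test" reads like the bank but connects elsewhere
        flags.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # internationalised label; possible look-alike name
    if host in SHORTENERS:
        flags.append("url-shortener")
    if host.count(".") >= 4:
        flags.append("deeply-nested-host")  # subdomain stuffing such as bank.example.com.evil.test

    return {"scheme": scheme, "host": host, "flags": flags, "safe_to_open": not flags}


def vet_all(payloads):
    """Run the check over a batch of decoded payloads and return (payload, flags) pairs."""
    return [(p, vet_qr_payload(p)["flags"]) for p in payloads]


# Constructed sample payloads using reserved example/test names and documentation addresses.
SAMPLE_PAYLOADS = [
    "https://example.com/pay",
    "http://192.0.2.5/login",
    "https://bit.ly/3abc",
    "https://xn--bank-zzz.test/login",
    "https://user@bank.example.com.evil.test/",
    "WIFI:T:WPA;S:FreeCoffee;P:secret;;",
    "just some text",
]

if __name__ == "__main__":
    for payload, flags in vet_all(SAMPLE_PAYLOADS):
        print(f"{payload!r:48} -> {flags or 'no flags'}")
```

A scanner app that shows the decoded text before opening it gives the user exactly this chance to look; the function is the same check written down so that it can be applied consistently, for instance by a mobile-device management policy that previews links on behalf of the user.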
Final words
The Federal Trade Commission (FTC) has taken serious notice of the increase in quishing scams, issuing a warning about the ‘growing abuse’ of QR Codes on online and offline sources. As with most social engineering scams, the ball rests largely in the court of users to stave off threats. Still, it is heartening to note that organizations have stepped up business email security, and are invested in employee awareness and training. The sheer magnitude of the attack surface, however, precludes any immediate or definite solution. Perhaps the increasing concern of informed users – or worse still, a painful experience – will serve as a warning to users to exercise caution and discretion while responding to a QR Code.
The smile on the face of the Mona Lisa, which continues to be an object of study in the art and science worlds, perhaps serves as a fine analogy for the QR Code situation. Look at her straight on and she appears serious, unsmiling. Move your gaze and she seems to smile! But the high point of the painting, and of our analogy, is the ahead-of-its-time technique and the clues about important aspects of the work that the artist concealed in the masterpiece.
The only difference where QR Codes are concerned is that what lies concealed is the work of bad actors!
References
- QR Code Statistics for 2024: Usage, Trends, Forecasts, and More (qrcodechimp.com)
- How attackers exploit QR codes and how to mitigate the risk | CSO Online
- Social Engineering at Work – Aurora Systems Consulting Inc. (aurorait.com)
- How Phishing Attacks Use Human Evolution To Their Advantage (forbes.com)