By Maria Sole Scollo, IT Security expert at Consortium GARR
With the introduction of digital COVID certificates, a consequence of the spread of Covid-19, a technology that almost no one knew before (despite almost 30 years of use) spread quickly: the QR code.
This sort of square-shaped matrix barcode allows you to store a lot of information (such as texts, URLs, graphic and multimedia content) and, thanks to the speed and ease of creation and use, it has quickly become an instrument of daily use for anyone with a smartphone (therefore for anyone).
By simply framing a Quick Response Code with the camera of your smartphone, it is in fact possible, for example, to view the menu of a restaurant or information on the works exhibited in a museum, but also to access your current account and make payments.
As we all know, however, the advent of new technologies always brings with it new benefits, but also new risks.
This is the case with QRishing (QR code + phishing). It is a well-established scam technique (phishing) with a new look (the QR code).
With QRishing a user is tricked into scanning a malicious QR code created ad hoc, which contains a link to a phishing site or triggers the download of malware onto the device.
QRishing is nothing more than an attempt to hook a distracted user through a seemingly harmless QR code. Because these codes can hold so much information of such different kinds, all hidden behind the image of a black and white square, it is very simple to induce an inexperienced user to visit a counterfeit website (for example that of a bank) simply by scanning a QR code, and to steal their login credentials. A QR code can also be used to download malicious code (perhaps ransomware) onto the victim's smartphone, while making them believe the app is completely harmless.
Unfortunately, even today we do not protect our smartphones enough, despite the fact that they store sensitive data: for example, almost no one uses an antivirus on a smartphone, whereas it is natural to do so on a PC. The perception of risk that we have learned (in part) to have with computers has not yet fully transferred to smartphones, which are still called "mobile phones" despite having many other functions by now. With the arrival of the QR code it is even more difficult to perceive the risk that can hide behind the simple and convenient use of this tool.
The first rule for not falling into the trap, therefore, remains to protect our devices with the same attention we reserve for our credit card or house keys. This means both physical protection (the theft of a smartphone is not only the loss of a valuable object: above all, it exposes our personal data and puts even our identity at risk) and protection at the software level, through the use of security applications such as an antivirus.
But an excellent lock is useless if we ourselves open the door to the thief. For this reason the second rule to follow to avoid falling into the trap is: trust is NOT good, control is much better.
In this specific case, the advice is to check the link the QR code points to BEFORE opening it, and to expand it first if it is a shortened URL. If this is not possible, it is advisable to ask yourself how trustworthy the source of the QR code is and, if in doubt, avoid scanning it: for example, if it is on a flyer advertising a discount not to be missed. In general, anything that puts pressure on our curiosity, greed, sense of urgency, etc. should always alert us (just like e-mail phishing). Let's also not forget to carry out a physical check of a printed QR code: the original may have been physically replaced by a malicious one (perhaps glued on top).
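As an added example (not part of the original article), here is a small Python triage script that applies the advice above to the text decoded from a QR code: it parses the link without opening it, flags the patterns that deserve a second look (plain http, a raw IP address, user-info hiding the real host, a punycode name, a known shortener), and for a shortened URL reads where the shortener points with a single HEAD request that refuses to follow the redirect. The shortener list is a constructed, incomplete sample.

```python
import ipaddress
from typing import List, Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed, incomplete sample of link shorteners: a short link hides its
# destination, which is exactly why the article says to expand it first.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


def triage_qr_link(payload: str) -> List[str]:
    """Return warnings for a decoded QR payload; an empty list means nothing stood out."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        # QR codes also carry non-web content (wifi:, tel:, app links): treat it as unusual.
        return [f"non-web scheme '{parts.scheme or 'none'}': inspect before acting"]
    if parts.scheme == "http":
        warnings.append("plain http: credentials would travel unencrypted")
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # 'https://bank.example@evil.example/' shows a bank name but goes to evil.example.
        warnings.append(f"user-info before '@' masks the real host '{host}'")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode (IDN) host: may imitate a known name with look-alike letters")
    if host in SHORTENERS:
        warnings.append(f"shortened URL via {host}: expand it before opening")
    return warnings


class _NoRedirect(HTTPRedirectHandler):
    # Refuse to follow redirects: we only want to learn where the shortener points.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand_once(url: str, timeout: float = 5.0) -> Optional[str]:
    """One-hop expansion of a short link (needs network): returns the Location header."""
    try:
        with build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:  # a 301/302 surfaces as an error once redirects are refused
        return err.headers.get("Location")
    except (URLError, OSError):
        return None
```

Run `triage_qr_link` on the decoded text first; only if the sole warning is a shortener is `expand_once` worth calling, and its result should go through `triage_qr_link` again before anyone opens it.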
There is an even more sophisticated technique that allows a hacker to hijack the victim's access in real time, using an authentic QR code: QRLjacking.
This kind of scam is made possible by the QRL (Login with Quick Response code) feature, through which some services allow users to authenticate to their portal. To carry it out, the hacker copies a real (dynamic) QR code from the site of the chosen service (e.g. WhatsApp Web, but also a bank) and pastes it on a web page created ad hoc (a phishing website). He must then induce the unsuspecting user to visit his page rather than the authentic one, which is possible by sending phishing e-mails. When the user opens the fake page, they authenticate through the real QR code (which, as described, the hacker has placed on the fake site). At this point the hacker is able to log in with the victim's account on the real portal of the service.
In this case too, therefore, it is sufficient to put into practice the usual good habits in order not to fall into the trap: do not click on links sent by e-mail, and pay attention to the address of the site we are on.
Returning to digital COVID certificates, thanks to which QR codes have become part of our daily life, it is worth emphasising that security in this case concerns the protection of the personal data they contain: sharing them, especially via social networks, must absolutely be avoided to protect your privacy.
About the author
Maria Sole Scollo works as an IT security expert at Consortium GARR. She has been part of GARR-CERT since 2002. She deals with the management of security incidents, user support and the publication of security alerts, as well as training on cybersecurity issues. She is also dedicated to the study and analysis of Cyber Intelligence sources for operational data protection.
This year too, GÉANT joins the European Cyber Security Month with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package at connect.geant.org/csm2022