Hacking with QR codes – Techzine.nl

In the contactless era, QR codes have come out of relative obscurity to replace almost everything from restaurant menus and shopping vouchers to ads, business cards and payment links. And, of course, governments have adopted them to make checking vaccination status easier.

QR codes were invented in 1994 by a Japanese automotive supplier to track car parts, but their ease of use and far larger capacity (up to roughly 2,500 characters, against about 43 in a traditional linear barcode; the exact figure depends on the QR version and encoding mode) quickly made them popular in other industries. It was only after COVID-19, however, that QR codes really took off. They are readily available, easy to produce and never expire. They are also a perfect vehicle for cybercriminals to steal personal information and potentially gain access to corporate networks.

The rising risks of QR codes

Many consumers have become more cautious in their digital activities, partly because of the pandemic and accelerating digitalisation. Emails, phone calls and text messages are scrutinised more closely, forcing many attackers to make their phishing attempts more cunning. QR codes, however, are still not seen as potentially dangerous, and most people scan them without a second thought.

In January 2022, the FBI warned that cyber-attackers were tampering with legitimate QR codes to redirect victims to malicious websites where credentials and financial information were stolen. Within weeks of that warning, more than 20 million people scanned, in a single minute, a mysterious QR code shown during this year's biggest American football game in an advertisement that did not even name the company behind it.

For ethical hackers, that sets off every alarm bell. In three attack simulations I will show why.

QR Code Attack 1: The tidy job posting

I made a fake flyer for an imaginary job fair, the kind you see pinned to the notice board in a local coffee shop. The flyer gives the details of the event and a legitimate-looking QR code that sends the user to a job site where they can scroll through the openings and apply straight away. Filling in the required personal details is quick and easy, but it is not clear where exactly that information goes. In this case: to me.

The point: how often do you fill in an online form or survey, whether you got there via a QR code or another link in an ad? It is very hard to know where that data ends up. So proceed with great care.

Figure 1: False ad with malicious QR code

Figure 2: QR code leads to a fake career page

Figure 3: The applicant's personal data arrives in the cyber-attacker's inbox

QR Code Attack 2: Vaccination Certificate or Phone Takeover?

For an attacker, the ultimate goal is to interact directly with an endpoint such as a smartphone. One way to get there is a reverse shell, also called a connect-back shell: a payload running on the victim's device opens an outbound connection to the attacker's listener and hands over a command session, so the attacker never needs an inbound port on the phone to be reachable. The payload can be delivered by exploiting a vulnerability on the target or, as here, simply by persuading the user to install it. In this example I use a Metasploit Meterpreter payload disguised as the Covid vaccination app actually in use. By scanning a QR code, the victim lands on what appears to be the Google Play Store and installs the app. Except it is not Google Play. Once the user has installed and launched the app, the attacker has a reverse connection to the device.

With this kind of initial access, the attacker may even be able to set up persistent access, coming and going as they please, to do anything from dumping call and text logs to taking pictures with the camera. In other words, they can do everything the phone can do. Daunting? Absolutely. Easy to pull off? Yes.

Figure 4: Fake COVID certificate app

Figure 5: The attacker makes a reverse connection

QR Code Attack 3: QR Code Phishing Attack

A QR code on the table in a restaurant leads to the menu, right? So you just scan it. But if the same QR code turns up in an email from someone you do not know, are we suddenly more on guard? Attackers bet that we are not, and they are often right. Here are two QR codes side by side. Spot the differences.

One leads to a restaurant menu; the other has a completely different destination. As I have done here, attackers can clone a legitimate login QR code and point it at a phishing site that looks almost identical to the real one, except that the URL is different. When the victim scans the QR code, they are sent to the attacker's web server, which serves a malicious page built with the BeEF package (Browser Exploitation Framework), a toolkit that hooks the victim's browser and gives the attacker a foothold on the device. From there the attacker can choose between multiple attack vectors and several ways to retrieve user data, such as the current GPS location, device type, SIM card information and other sensitive details.

With a few extra social-engineering tricks, the attacker can go even further. Using a spear-phishing prompt delivered on the device, they can imitate the device's password manager. Once the victim enters their username and password, the attacker can access the user's entire password vault.

Figure 6: Two QR codes

Figure 7: Fake menu and phishing site

Figure 8: A forged password manager prompt on the device asks for the victim's username and password

7 tips to protect against QR code attacks

Last autumn, the private key used to sign the EU's Green Pass vaccination passport was allegedly leaked or stolen. Within days, fake passports with QR codes signed with the stolen key were for sale on the dark web. In China, fraudsters have been caught leaving fake parking fines on parked cars, complete with QR codes for convenient mobile payment of the fine. In the Netherlands, a QR code scam abused a legitimate feature of a mobile banking app to defraud the bank's customers, while in Germany fake QR code emails lure e-banking customers to malicious websites under the pretext of reviewing updates to their account's privacy policy. And in Texas, criminals have taken to the streets to put stickers with malicious QR codes on parking meters and trick residents into entering credit card details on a fake phishing site.

QR code attacks happen everywhere and with increasing frequency. Here are seven tips to protect yourself:

1. Do not scan! If something does not feel right, do not scan the QR code; go directly to the real website instead. A legitimate QR code should have the associated URL printed below it, so that users can type it in directly. If that URL is missing, be careful. This is also a tip for businesses: always print the URL under the code.

2. Do a background check. Before scanning a QR code, ask yourself: do I know who put this QR code here? Do I trust that it has not been tampered with? Does it make sense to use a QR code in this situation?

3. Examine QR code URLs carefully. After scanning, and before opening the link, check that the URL matches the intended destination and the organisation behind it (many scanner apps show the decoded URL before opening it). Does it look suspicious, or does it contain odd spelling or typos? In the Texas parking meter scam, for example, the URL contained "passportlab.xyz", clearly not an official city government domain. A quick web search on the URL can help confirm whether a QR code is legitimate.

4. Beware of physical tampering. This matters especially in places where QR codes are commonly used, such as restaurants. If a QR code sticker has been pasted over another code, be very skeptical.

5. Never download apps via QR codes. Attackers can easily clone and forge websites, including app store pages. Always go to the official app store and download apps from there.

6. Do not make electronic payments via QR codes. Use the bank's own app, or open a browser, type in the official domain and log in there.

7. Enable multi-factor authentication (MFA). This helps protect sensitive accounts such as banking, email and social media apps. With an extra authentication factor in place, a cybercriminal who has phished a password still cannot get at the data nearly as easily.
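The checks in tips 1, 3, 5 and 6 can be scripted. What follows is an added example, not code from the article or from CyberArk: a Python function that takes the text a QR scanner decoded (the string many scanner apps show before opening the link) and the domain you expect (the URL printed under the code, the restaurant's own site, the official app store) and returns the reasons not to proceed. It covers the lures from all three attacks above: a lookalike host standing in for the real menu or login page, a fake store page offering a direct app package download, and tricks such as credentials before an "@" that make the visible part of a URL lie about the destination. All hostnames other than passportlab.xyz, which the article names, are constructed for the demo, and the shortener and TLD lists are illustrative rather than authoritative.

```python
"""Triage the text a QR scanner decoded before opening it.

Added example, not code from the article or from CyberArk. Input is the raw
payload a scanner app shows before it opens the link, plus the domain you
expect (the URL printed under the code, the restaurant's own site, the
official app store). Output is a list of reasons not to trust it. All hosts
below except passportlab.xyz (named in the article) are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Shorteners hide the real destination; this list is illustrative, not complete.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
# TLDs seen often in throwaway scam domains (the Texas meter scam used .xyz).
SUSPECT_TLDS = {"xyz", "top", "icu", "tk", "ml"}


def _levenshtein(a, b):
    """Edit distance; one or two edits away from the expected host is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_qr_payload(payload, expected_host=None):
    """Return warnings for a decoded QR payload; an empty list means it matches expectations."""
    warnings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi configs, vCards, intent:// or market:// links, free text: not a plain web link.
        warnings.append(f"not a plain web link (scheme {scheme or 'none'!r}); inspect as data")
        return warnings
    if scheme == "http":
        warnings.append("plain http, not https")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
        return warnings
    if parts.username is not None:
        # https://bank.example@evil.example/ : a glance sees bank.example, the browser goes to evil.example
        warnings.append(f"URL embeds credentials before '@'; the real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) domain; letters may be look-alikes")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a named site")
    except ValueError:
        pass
    try:
        port = parts.port
    except ValueError:
        port = "invalid"
    if port not in (None, 80, 443):
        warnings.append(f"non-standard port {port}")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPECT_TLDS:
        warnings.append(f"top-level domain .{tld} is common in scam sites")
    if parts.path.lower().endswith((".apk", ".ipa")):
        warnings.append("direct app package download (sideload); use the official store")
    if expected_host:
        expected = expected_host.lower()
        # The brand label (google in play.google.com) is what lookalike domains reuse.
        brand = expected.split(".")[-2] if "." in expected else expected
        if host == expected or host.endswith("." + expected):
            pass  # the expected site or one of its subdomains
        elif brand in host or _levenshtein(host, expected) <= 2:
            warnings.append(f"host {host!r} imitates the expected {expected!r}")
        else:
            warnings.append(f"host {host!r} is not the expected {expected!r}")
    return warnings


if __name__ == "__main__":
    # Constructed payloads: a genuine-looking menu link and a few of the tricks described above.
    samples = [
        ("https://menu.pizzamario.example/table/12", "pizzamario.example"),
        ("http://pizzamari0.example/menu", "pizzamario.example"),
        ("https://www.passportlab.xyz/pay", "parking.cityhall.example"),
        ("https://play.google.com@play-google.xyz/app.apk", "play.google.com"),
        ("WIFI:T:WPA;S:cafe;P:secret;;", None),
    ]
    for payload, expected in samples:
        print(payload)
        for warning in inspect_qr_payload(payload, expected) or ["no warnings"]:
            print("  -", warning)
```

Feed it the decoded string, not the image: decoding the picture is the scanner's job, and the point of tip 3 is to look at what came out before tapping it. The expected host comes from tip 1 (the URL printed under the code) or from your own knowledge of who should be behind it; without it the function still flags the structural tricks, but only the comparison against an expected domain catches a clean-looking lookalike such as a one-character typosquat of the restaurant's real site.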

Len Noe is a technical evangelist and white hat hacker at CyberArk. He is an international security speaker, among other things on his research into biohacking, for which he has had various sensors implanted in his body. His latest research focuses on the risks of QR codes.
