Active Directory threatened by malicious QR codes


The adoption of QR codes has been greatly boosted by the pandemic and the implementation of the health pass. This prevalence has sparked the interest of cybercriminals in using this technology to carry out malicious campaigns, including phishing. The risk is all the greater as there is currently no cyber protection system available to spot cyber attacks via QR codes.

Present in bars and restaurants, on advertising posters, and even on tickets for sporting and cultural events, QR codes may seem useful only to end consumers. However, the line between professional and personal spheres has become very blurred: at work, employees readily use personal devices for professional purposes, and vice versa.

QR codes in the professional context, a new standard

Having become more aware of cyber threats in recent years, many organizations have implemented multi-factor authentication (MFA), in particular through employees’ smartphones, with identity verification by SMS or push notification. Scanning a QR code is also sometimes required to access a company car park or to book a meeting room in a coworking space. Personal devices have therefore become an entry point to the corporate IT environment.

Cybercriminals therefore try to compromise these personal smartphones in order to reach the corporate infrastructure. It is relatively simple, for example, to create a web page resembling a legitimate site, to encode its address in a QR code printed on a sticker, and to stick that sticker over the real QR code.

Using this technique, it is possible to imitate the Office 365 login window that gives access to the system and to steal user credentials. This credential theft then makes it possible to access any type of data.

Training and vigilance, the key tools against counterfeit QR codes

In reality, any site that lets users log in with a Microsoft 365 ID is vulnerable and can be imitated via a fraudulent QR code. Currently, there are no technological solutions to detect this type of fraud. To overcome this shortcoming, it is therefore necessary to rely on people: user security training must now include a section devoted to QR codes and the associated good practices.

Security teams cannot block these malicious techniques, so employees are the only shield against the threat.

Indeed, malicious QR codes are a new form of phishing, carrying the same risks as a hyperlink in an e-mail. A QR code from an unknown or suspicious source should therefore not be scanned; it is preferable to reach the associated website directly through a browser search. A good habit is also to check the link address decoded from the QR code before opening it, to make sure it is secure and authentic. By adopting good cyber hygiene, employees ensure that neither their device nor, ultimately, their company’s data is compromised.
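The "check the link address" advice above can be turned into a concrete pre-scan check. The following is an added example, not code from the article or from any vendor: it takes the URL string already decoded from a QR code (the decoding itself is left to the phone's scanner or a separate library) and reports the warning signs a user or a help desk would want flagged before the link is opened: a non-HTTPS scheme, credentials hidden before an `@`, a bare IP address, an internationalised (punycode) hostname, and a hostname that embeds or nearly copies an expected sign-in host. The allowlist `ALLOWED_HOSTS` and all sample URLs are constructed for the example; `login.microsoftonline.com` is the Microsoft 365 sign-in host, and the intranet entry is a placeholder.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist of sign-in hosts the organisation expects behind a
# legitimate QR code; adapt to your own tenant and intranet names.
ALLOWED_HOSTS = {"login.microsoftonline.com", "intranet.example.com"}


def _host_is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character near-copies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_qr_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of human-readable findings for a URL decoded from a QR code.

    An empty list means the URL passed every check in this example; it is a
    pre-open sanity check, not proof that the page is legitimate.
    """
    findings = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme != "https":
        findings.append(f"scheme is {scheme or 'missing'}, not https")
    if parts.username is not None or parts.password is not None:
        # https://login.microsoftonline.com@evil.example.net hides the real host
        findings.append("URL carries credentials before '@' (real host is hidden)")
    if not host:
        findings.append("no hostname")
        return findings
    if _host_is_ip(host):
        findings.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) hostname, check for lookalike letters")

    if host in allowed_hosts:
        return findings

    for good in allowed_hosts:
        # An allowlisted name embedded in a longer host, e.g. as a subdomain of
        # an unrelated domain, or spelled with dashes instead of dots.
        if good in host or good.replace(".", "-") in host:
            findings.append(f"host {host!r} imitates allowlisted {good!r}")
            break
        if _edit_distance(host, good) <= 2:
            findings.append(f"host {host!r} is a near-copy of allowlisted {good!r}")
            break
    else:
        findings.append(f"host {host!r} is not on the allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample strings as a QR scanner would hand them over.
    samples = [
        "https://login.microsoftonline.com/",
        "http://login.microsoftonline.com/",
        "https://login.microsoftonline.com.evil-example.net/",
        "https://login.microsoftonline.com@evil.example.net/",
        "https://login.microsoft0nline.com/",
        "https://192.0.2.10/login",
    ]
    for sample in samples:
        verdict = assess_qr_url(sample) or ["no findings"]
        print(sample, "->", "; ".join(verdict))
```

The checks deliberately stay on the URL string itself, so the function can run before any network request is made; whether the target page is a genuine Microsoft 365 sign-in form still has to be confirmed through the browser, as the article recommends.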

Now that employees’ personal devices, such as smartphones, are integrated into the corporate IT environment, IT teams need to be mindful of the associated risks. It is essential to make employees aware, through cybersecurity training, that they must remain vigilant outside working hours as well. The idea that an ordinary person cannot be the target of a cybercriminal is a dangerous prejudice. Anyone can become a gateway to a larger computing environment, which means that every smartphone can be attacked.
