QR code phishing or quishing has evolved to become even more dangerous.
As reported by Silicon Angle, threat actors are now embedding malicious JavaScript payloads in QR codes which causes them to execute as soon as they're scanned. To make matters worse, targeted users don’t even have to click the URL link that pops up for their devices to be hijacked.
This is different from traditional QR code threats which redirect users to malicious websites when they click on the link that appears after scanning.
Instead, this new method embeds raw HTML and JavaScript into the QR codes using data uniform resource identifiers. This means the payloads can execute entirely within a browser, where they can then take over login pages, act as a keylogger and instantly launch exploits.
Once active, the malicious JavaScript can also exfiltrate data using hidden forms and fingerprint devices. Even more concerning, these malicious QR codes can evade most security programs, tools and systems because the payload is built into the code itself so it doesn’t come into contact with any external URLs when executed. Likewise, INKY's report on the matter adds that threat actors are already using these new phishing methods to hide dangerous malware and evade detection.
How to stay safe from malicious QR codes
It should go without saying but we’ll say it again: Don’t scan unknown QR codes. Ever. If it’s an unknown or unsolicited source, don’t scan it.
If you receive an email or a text that asks you to scan a QR code in order to complete an action or activity, especially if there is a sense of urgency attached, contact the sender directly and through a known phone number, chat channel or company contact – not by replying to the email or text that sent the request. Verify that they need you to scan the code independently.
Never ever provide login information or other sensitive personal details after scanning a QR code unless you are absolutely certain that the website you’re on is legitimate. Check the URL carefully, even if it looks fine.
At the same time, you also want to disable the feature that automatically opens your browser in your mobile operating system or QR code scanner app. This will keep your scanner from opening links before you get a chance to check them first. You also want to make sure that you use a QR scanner that shows you the URL before opening it.
As with any phishing threat, be extremely wary and suspicious of any message (email, text, social media) that contains a sense of urgency or a threat. Anything that includes a threat that your account will be disabled, that legal action will be taken, a suspension will be put into place, that there is an unauthorized log in, or that you have to act now, should be treated as a potential attack.
If you receive a suspicious email with a QR code, report it to your IT or security team at work but if one shows up on your personal account, you can always report it as spam or potential phishing.
Given how popular QR codes have become and how people have gotten really comfortable scanning them at restaurants and in other public places, I don't think this threat will disappear anytime soon. Hopefully Google and Apple are both working on implementing ways to keep Android and iPhone users safe from malicious QR codes.
More from Tom's Guide
- Hackers are still trying to break into my accounts 12 years later — how I managed to stop them
- These three TP-Link routers are being targeted by hackers – here’s what to know
- If you’re a Gmail user it’s time to implement these critical security steps
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
