Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 230: BE WARY OF QUICK RESPONSE (QR) CODE CYBER-ATTACK
Reference Number ACG-CSB 122721230
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s. 2010-01 p. 22 and p. 129.
It is predicted that by 2022, over five billion QR codes will have been scanned or accessed by mobile devices. A Quick Response (QR) code is a type of barcode that can be read easily by a digital device and that stores information as a series of pixels in a square-shaped grid. It is an additional form of contactless communication that, once scanned, either relays information or directs an individual to another online source, website or application. QR code adoption has increased with the contactless way of life that many of us have had to adjust to, especially during the worldwide pandemic.
QR codes are frequently seen on advertisements, travel tickets, legal and health documentation, as well as social media platforms like Facebook, WhatsApp and Snapchat. They have been used as an alternative to menus in restaurants, and we can even use them to transfer money.
Once any of these QR codes is scanned, users are notified and prompted to go to an external webpage, typically to enter some level of credentials or even personal information. While the use cases are plentiful, there are many security risks associated with QR code technology that can be exploited by hackers when deploying cyberattacks and online scams.
From an attacker’s perspective, QR codes present a perfect opportunity to target the masses without much effort. This shares many similarities with a phishing scam, which is the most popular attack vector for modern hackers. As mentioned, a QR code is a contactless method for a mobile device to read a URL. In terms of creating a malicious QR code, hackers need only to replicate the steps they take when manufacturing a phishing scheme. Phishing is the most common tactic used with QR codes and can be easily implemented.
A threat actor could easily manufacture a similar QR code to extract information, including personally identifiable information. For instance, if a consumer was expecting to log in and activate a service, cybercriminals could place a QR code within that site and redirect that user to a new website with security issues or even request the download of a malicious application. Furthermore, emails or SMS messages can contain malicious QR codes which will look to negatively impact the device. Hackers have been known to send fake tracking messages with QR codes when imitating real delivery services.
Due to the current global situation, many individuals are working remotely and turning their personal devices into work devices to stay productive outside the office environment. An individual or employee could unwittingly scan a malicious QR code, log in using their credentials and allow a hacker to either collect the login details or install software that can spy on them or steal sensitive assets.
When scanning a code via a mobile device, users should check the URL on the notification before continuing to click through. If it looks suspicious and does not sound like what was expected, users can exercise the same level of caution they would with email phishing and exit the application. Therefore, mobile threat defense needs to be enforced on all endpoints to protect users from interacting with malicious websites, apps, or networks.
The public are advised to follow these tips in order to understand the risks of Quick Response (QR) Code Cyber-Attack:
- Use network and endpoint security tools;
- Never scan a QR code from an unknown source;
- Use encryption to secure data in transit;
- Do not scan QR codes received via emails;
- Do not click on popups or malicious links;
- Use QR scanner software to view the URL before clicking on it; and
- Use a scam blocker or Web filter on your device to protect you against known scams.
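The advice above to view the URL before opening it can be turned into a repeatable check. The following is an added example, not part of the original bulletin: it reviews the text decoded from a QR code against the host names the user expected to reach. The function name, the individual checks and the sample payloads (reserved `.example`/`.test` names and a documentation IP address) are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def review_qr_payload(payload, expected_hosts):
    """Return reasons not to open a decoded QR payload (empty list = none found)."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["payload is not a parseable URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return reasons + ["no host name in payload"]
    if parts.username is not None:
        # In https://brand@other-host/ the browser connects to other-host.
        reasons.append("text before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # a DNS name, which is what a legitimate service normally uses
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised host name (possible look-alike)")
    # Accept only the expected domain itself or a subdomain of it.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        reasons.append("host is not the service the user expected")
    return reasons

# Constructed sample payloads, as if decoded from a "parcel tracking" QR code.
SAMPLES = [
    "https://track.delivery.example/p/123",
    "http://delivery.example/p",
    "https://delivery.example@203.0.113.7/track",
    "https://delivery.example.evil.test/login",
    "https://xn--delivry-cya.example/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review_qr_payload(sample, ["delivery.example"]) or "no findings")
```

An empty result only means none of these checks fired; it does not show that the destination is safe.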
For additional information, please refer to the following websites:
POINT OF CONTACT