The Quishing
Quishing, a contraction of “QR” and “phishing”, is a form of cyber attack that exploits the popularity of QR codes. Cybercriminals create fake QR codes that, when scanned by a smartphone, redirect the user to malicious websites or dangerous apps.
The QR codes
QR codes, the black and white squares that are ubiquitous in our daily lives, have radically transformed how we interact with the digital world. A simple scan is all it takes to access a wealth of information, from websites to apps, videos, events or products. This ease of use and accessibility quickly popularized them, but this same simplicity makes them a prime target for cybercriminals.
The risks involved: beyond the simple scan
While scanning a QR code may seem trivial, the risks that arise from it are multiple and can have significant consequences. Quishing, for example, is a commonly used technique. Cybercriminals create fake QR codes that, when scanned, redirect users to fake websites designed to steal their login credentials, credit card numbers, or other sensitive information. Imagine scanning a QR code on a poster advertising a free gift, and ending up on a site asking for your bank account details and password for an online account.
Malware is another major threat. By scanning a malicious QR code, you can unintentionally download spyware, viruses, or ransomware to your smartphone. This software can then be used to spy on your online activities, steal your personal data, or even encrypt your files and demand a ransom to unlock them.
SMS attacks, on the other hand, are more subtle but just as dangerous. Some QR codes can trigger premium SMS sending, charging large sums without your knowledge. You could receive an exorbitant phone bill for a simple scan.
Finally, the use of QR codes raises important privacy issues. By scanning a QR code, you leave a digital trail that can be used to identify you and track your movements. This allows companies to create detailed profiles of their customers, which raises legitimate concerns about the use of this data.
Do you think that quishing is a distant phenomenon that doesn't concern you?
Think again. Cybercriminals are becoming more inventive and do not hesitate to exploit technology to achieve their goals. Discover through these concrete examples how attacks as simple as scanning a QR code can have disastrous consequences.
The fake health pass – A pandemic of fraud
The health crisis linked to COVID-19 has disrupted our habits and given rise to new technologies, such as health passes. Unfortunately, cybercriminals were quick to seize this opportunity to carry out targeted attacks. Indeed, the need to present a health pass to access many places has created a context conducive to the emergence of fake QR codes.
These fraudulent QR codes, often distributed on social media or by email, perfectly imitated the originals. By scanning these codes, users were redirected to fake websites designed to look exactly like official platforms. On these sites, they were asked to enter their login details, social security numbers or bank details under the pretext of checking their eligibility for the health pass.
QR Codes on Public Transport – A Journey to Digital Hell
Public transport, a place of passage frequented by a variety of people, has become a privileged playground for cybercriminals. Indeed, advertising posters offering discounts or special offers accessible via a simple QR code scan are legion in metros, buses and trains. This practice, although convenient for users, has unfortunately been misused for malicious purposes.
Particularly resourceful cybercriminals have replaced these legitimate QR codes with their own, subtly modified creations. These fake codes, identical to the original to the naked eye, redirected users to deceptive websites. These sites, often designed to imitate the interfaces of transport companies, offered fake discounts or attractive competitions. The goal was simple: to trick victims into downloading malicious apps or entering their personal information.
Fake QR Codes in Restaurants – A Bitter Tasting Menu
The restaurant industry has widely adopted QR codes to make it easier to view menus and order online. This practice, while convenient for customers, has opened a new door for cybercriminals. Indeed, QR codes affixed to restaurant tables have become a prime target for attackers.
They quickly realized that by replacing official QR codes with their own creations, they could divert customers to fraudulent websites. These sites, designed to mimic restaurants’ online ordering interfaces, required users to enter their credit card information to complete their order. Of course, this information was directly transmitted to cybercriminals, who could then use it to make fraudulent purchases.
In these three examples,
cybercriminals exploited users’ trust by tricking them into scanning QR codes that appeared legitimate. The consequences for victims could be significant, ranging from identity theft to the infection of their devices.
Common points to these attacks:
- Urgency: Cybercriminals create a sense of urgency to trick victims into acting quickly (e.g., by offering a time-limited offer).
- Credibility: Fake QR codes are often associated with brands or organizations that are known to boost their legitimacy.
- Simplicity: Quishing attacks are relatively simple to implement, which is why they are popular among cybercriminals.
These examples illustrate the diversity of techniques used by cybercriminals and the importance of remaining vigilant against these threats.
Protecting yourself from the dangers of quishing
To reap the full benefits of QR codes while minimizing the risks, it is essential to adopt a few simple reflexes:
Be suspicious: Don’t scan a QR code if you don’t know where it leads or if you have any doubts about its legitimacy.
Check the URL: Before clicking on a link in a QR code, check the website address carefully. Make sure it matches the organization or brand you know.
Use trusted apps: Choose QR code scanning apps that are trusted and updated regularly.
Protect your smartphone: Install antivirus software on your smartphone and keep your operating system up to date.
Avoid public Wi-Fi networks: Public Wi-Fi networks are less secure and can make attacks easier. Prioritize private networks or mobile data when scanning QR codes.
The Future of QR Codes: Towards Enhanced Security
Despite the risks, QR codes have a bright future. New technologies, such as blockchain, offer solutions to enhance the security of QR codes. Blockchain makes it possible to create forgery-proof QR codes and trace their journey from creation to use. Businesses should also take responsibility for security and ensure that the QR codes they use are generated and hosted in a secure manner.
In conclusion,
QR codes are a powerful and versatile tool, but using them should be accompanied by some caution. By adopting the best practices, you will be able to safely enjoy the benefits they offer. Beyond blockchain, other technologies like asymmetric cryptography can be used to enhance the security of QR codes. Personal data protection regulations also apply to QR codes, and it’s important to know your rights as a user.
