Date: 2023-12-16

Someone has dubbed it “quishing”, an awkward pun on QR code and phishing. The wordplay may not be elegant, but the point is clear: these are frauds perpetrated through the ubiquitous two-dimensional matrix barcodes, over the most diverse channels. They range from the classic approach of sending emails containing malicious QR codes to physical use, with stickers placed, for example, near parking meters or pasted over the legitimate codes, perhaps used for payments, found in many public places. Just think of restaurant menus, now largely dematerialized through the use of those black-and-white squares.

The warning from the US FTC

The latest alarm comes from none other than the US Federal Trade Commission, which alerted the public to the risks of scanning old or unclear QR codes in a post on its official blog. As we said, bad guys of all kinds can set traps which, compared with traditional phishing confined to the purely digital sphere, have the advantage that they can be printed or turned into stickers and placed just about anywhere, waiting for someone, sooner or later, to fall for it by framing a code with their camera and perhaps, convinced they are paying for parking or some other product, entering their credit card information. Or even just the login details for some service, to be stolen and used at will.

John Fokker, who directs threat intelligence at cybersecurity firm Trellix, explained to the New York Times that he had identified “60 thousand cases of QR code attacks” in the third quarter of this year alone. Among the most frequent cases are email scams, such as messages impersonating the company you work for or fake couriers asking you to scan a code to reschedule a phantom delivery, but also, as happened last year in Texas, malicious QR codes placed on parking meters which, obviously, directed people to a fake payment site.

The different attack techniques

Coming to Italy, a few weeks ago the email service provider Harmony Email released research saying that the group had recorded a monstrous 587% increase in phishing scams via QR code between last August and September. According to Statista, in 2022 in the United States approximately 89 million users scanned a QR code with their smartphone, an increase of 26% compared to 2020. The habit of scanning QR codes is expected to keep growing steadily, reaching over 100 million users in the United States by 2025.

Experts from the security company Barracuda have instead analyzed some examples of techniques used by cybercriminals. They range from link phishing, the tactic in which attackers insert QR codes into phishing messages that induce users to scan the code and thus visit a fake page, to malware downloads and even compromised devices. In the latter case, QR codes can also be used to access payment sites, follow social media accounts and even send pre-written emails from victims’ accounts. This means hackers can easily steal their identity and target other users among their contacts.

How to protect yourself from malicious QR codes

So how do we defend ourselves from the abuse of these two-dimensional codes, invented in Japan in the early 1990s? The FTC itself suggests, as with classic phishing, ignoring unexpected emails or other messages containing all sorts of urgent requests. It is also helpful to check the URL displayed on the screen during the scan to make sure it is a site you trust. On the other hand, even a legitimate QR code can show a confusing and meaningless shortened web address, so if you know which site you intend to visit, it’s best to go there directly. Experts also recommend not using third-party apps to scan QR codes but using the Android and iOS cameras directly (and more simply). Finally, maintain a minimum of critical sense toward QR codes found where we would not expect them: if alternative methods exist, perhaps it is better to use those.
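
The URL check recommended above, together with the non-web actions Barracuda describes (such as pre-written emails), can be automated once a QR code has been decoded to text. The following is an added example, not code from the article or from any of the companies it cites; the function name, the shortener list and the sample payloads are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit
# Assumed, non-exhaustive list of URL-shortener hosts (illustrative only).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Payload prefixes that trigger an action (mail, SMS, call, Wi-Fi) rather than a page.
ACTION_SCHEMES = {"mailto", "sms", "smsto", "tel", "wifi"}

def review_qr_payload(payload, expected_domain):
    """Return warnings for a decoded QR payload; an empty list means none raised."""
    payload = payload.strip()
    scheme = payload.split(":", 1)[0].lower() if ":" in payload else ""
    if scheme in ACTION_SCHEMES:
        return [f"triggers a '{scheme}' action instead of opening a web page"]
    if scheme not in ("http", "https"):
        return ["not a web URL"]
    try:
        parts = urlsplit(payload)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed URL"]
    warnings = []
    if scheme == "http":
        warnings.append("no HTTPS")
    if parts.username is not None:
        warnings.append("text before '@' disguises the real host")
    if host in SHORTENERS:
        warnings.append("shortened URL hides the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, possible look-alike domain")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host '{host}' is not under {expected}")
    return warnings

# Constructed sample payloads (reserved .test/.example names and a documentation IP).
SAMPLES = [
    "https://pay.example-parking.test/meter/42",
    "http://example-parking.test.pay-meter.example/login",
    "https://bit.ly/abc123",
    "https://example-parking.test@203.0.113.7/pay",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review_qr_payload(sample, "example-parking.test") or "ok")
```

An empty result only means none of these specific checks fired; it does not prove the destination is trustworthy.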