By Jarren Ringle
You see them everywhere. They are flashed on your TV during an advertisement. They are in the magazines you get. They are on cereal boxes and pop cans. They are Quick Response codes or QR codes.
The QR code example in the image above I created. Scanning it with your smartphone camera will open your web browser to the Google website. It’s simple to use and, in this case, it is safe. However, what would happen if, instead of the Google website, it took you to a malicious website? Any number of bad things could happen, and as you can imagine, that is what’s happening.
Essentially, there are now three possible outcomes when you use your smartphone to “scan” a QR code. Your smartphone camera will look for a QR code. When it finds it, a frame will appear around the code. This is where things happen.
The best outcome is that your web browser will open a legitimate and safe website. You’ll then be able to get a discount, see a menu, register a new device, unlock a streaming service, etc. That’s what QR codes were built to do. They were intended to make your use of your smartphone more efficient and easier.
Well, as you can imagine, someone realized that they could make a QR code that opened a website that was not what you expected, but what they wanted you to open. It could have been a website designed to look like the real thing, but that asked for your security credentials. Or it could have been a website that asked you to install an application to get a gift or discount. The common element here is the QR code, wanted you to interact with the site so they could steal from you.
The new threat is even worse because it contains embedded scripts that can take over login pages or install key-loggers that can capture your keystrokes or activate other exploits. This is bad because it impacts your security and may do it undetected.
So, what should you do (or not do)?
- Do not scan an unknown or unsolicited QR code (or click an unknown link). Do not scan a QR code if you are not expecting one.
- Do not scan a QR code in an email or text that has a sense of urgency. Contact the sender directly if you think there is cause for concern.
- Do not provide login or other credentials after scanning a QR code unless you are certain it is a legitimate website that needs the information.
- Do be suspicious of a QR code with anything that seems threatening with a time deadline.
- Finally, do not rely on your anti-virus or anti-malware to protect you. Do not think that because you have an iPhone that it will protect you. You must protect yourself.
This type of threat is not going away. In fact, the more successful it is, the more it will be used. Stay safe out there!
Jarren Ringle is a member of SourcePoint and a volunteer instructor. SourcePointers come to Jarren for tutelage on their tablets, laptops, and the most popular of all devices – cell phones. He teaches various technology classes throughout the year including one-on-one sessions and group classes. Jarren also volunteers at the Delaware County Office of Homeland Security and Emergency Management. With many years of project management experience in various technology fields, he enjoys helping others with technology.
Technology 1:1 Assistance: Jarren Ringle provides guidance on technology in a 45-minute time slot. Do you have questions regarding a cell phone, PC, laptop or tablet? Share what the device is and what your question is upon registration so that Jarren can be better prepared to help. >> Schedule your 1:1