On June 27, Chinese Internet giant Tencent posted on Weibo in response to a recent incident involving its messaging software QQ, in which a large number of users' accounts were hacked.
(The Post on Tencent QQ's Weibo Account)
In the post, Tencent stated "The main reason (for the theft) is that users have scanned QR codes forged by criminals to log in to games. The activities were hijacked and recorded by hacker gangs and subsequently used to send malicious picture ads. "
Data leaks associated with QR codes are not uncommon today due to their widespread use. Nonetheless, this incident may serve as a reminder that it is vital to avoid accidentally disclosing personal information when scanning these machine-readable optical labels.
1. QR code utilization in China
QR codes were invented by Masahiro Hara of Denso Wave, a Japanese company that focuses on automatic identification and data capture. To some extent, a QR Code is an enhanced version of a barcode with a much greater capacity to store information.
It is simple to generate QR codes: a geometric figure is distributed in two dimensions under the arrangement rule, and black and white blocks are used to record the data symbol information. Black blocks represent binary "1", and white blocks represent "0". By recognizing the colors and arrangement, the camera on a mobile device can decipher the information contained in a QR code.
China is currently one of the major users of this technology. The rapid growth of smartphones and the rise of the Internet have enabled QR codes to become popular among the public. Today, both large and small businesses are making efforts to adopt this technology in order to increase their efficiency.
QR codes were initially part of WeChat's built-in functions and soon became an essential part of its ecosystem. As Tencent and Alibaba competed in the e-payment market, QR codes gained increasing recognition in the country accompanied by support from small and medium-sized businesses. Paying by QR codes is more cost-effective than other methods as it only requires users to scan with a camera, which does not need a POS device or NFC capability.
QR codes have similar practical applications to short URLs, which allow instant access to websites, data, and other information. As the public relies more on QR codes, criminals also abuse their features in various manners.
There is a common understanding that you should not click on links from unknown sources, but if links are converted into QR codes, you may let your guard down. At first glance, QR codes look the same: no domain name, web page, or application visibility. With the effortless action of scanning, potential cyberattacks have an effortless path to exploit.
2. A hidden threat of convenience
Fraudulent use of QR code technology is not difficult, as QR code generators are easily available, and code distribution is not restricted. In many cases, QR codes are used by criminals to redirect users to phishing landing pages.
Malicious attempts made via QR codes could be various:
- Faking the code
It is not a sophisticated trick, but if you are not careful, you may fall victim to it. The attacker may place a fake QR code next to the original one; users may scan the fake QR code and immediately proceed to the false payment interface. Therefore, be careful when scanning QR codes placed side by side, especially those printed on paper.
- Phishing caused by QR code similarities
This means an attacker could use a forged QR code to direct the user to a plausible phishing site since QR codes are difficult to distinguish from each other. Criminals may manipulate the user's account by requesting authentication information to gain control. It is a form of phishing.
- Free WiFi trap
The attacker uses the offer of free WiFi as bait, misleading people to scan the forged QR code. After connecting to the device, the attacker can intercept the data shared by the user and steal personal and account information that can be used for identification.
- Potential Trojan horse
Victims could be asked to scan a QR code to join the membership and then get infected with a Trojan horse virus. Alternatively, users may be directed to non-official app stores to download software or apps containing Trojan horses or other malicious viruses, resulting in data leaks and privacy breaches.
3. Think twice before you scan
Developers from our reader community also shared their opinions regarding QQ account theft and QR code security:
- For individual users: QR codes are not a threat, and only scan your trusted codes.
【Hmxingkong】: "Scanning codes itself is not a problem; the key is that the code has been replaced as the entrance to the phishing system, which makes it more difficult for victims to identify the attack."
Scanning a code is not recommended if you cannot verify its authenticity from visual inspection.
【COW】: "Use your account only on trusted devices."
Individuals should avoid scanning QR codes on uncommonly used PCs or from unfamiliar websites; scan codes from trusted sources, and double-check all pre-login prompts.
- For organizations: use customer data with care.
【Da Ping Guo】 "Depending on business patterns, enterprises should compulsorily delete user data stored in them after three to five years. If it is impossible to prevent data leakage, the data should be formatted within a certain period. "
Increasing awareness and strengthening conscious prevention measures are essential for businesses and platforms.
First, enterprises should carry out regular credit checks on websites and applications to ensure that no unauthorized alterations made to their codes and links.
Second, organizations must improve their employees' awareness of cybersecurity by implementing unique passwords, multi-factor authentication, and providing specific training for remote workers.
Moreover, enterprises should find a way to disable automatic jumping for some apps and allow users to preview websites before visiting them to determine whether they are reliable.
Conclusion
Nowadays, inadvertent breaches of personal information seem unavoidable. There is a possibility that QR codes will be utilized more frequently in the near future, and criminals may use a variety of more sophisticated methods to commit crimes. Therefore, it is vital to warn individuals and organizations of the greater risks associated with QR codes and to develop tools and solutions that can be deployed early to prevent related security breaches in the future.
References:
https://threatpost.com/qr-codes-sneaky-security-threat/159757/
https://baijiahao.baidu.com/s?id=1736781617963575083&wfr=spider&for=pc