QRL Jacking: Protect Yourself from QR Code Phishing and Boost Your Security Awareness


Quick Response (QR) codes are a form of two-dimensional matrix barcode that stores information in a grid of black and white pixels forming a unique pattern. QR codes are useful as pointers that bridge the physical and digital worlds. By scanning and decoding a QR code with a mobile device's scanner, a user can access digital information, pair with another device, or authenticate to a system. Given their rapid adoption by people and sectors everywhere, it is no surprise that phishers have taken advantage of the vulnerability of QR codes to launch their attacks. Phishing is an attack that tries to "fish" sensitive information, such as login credentials or bank account information, from the victim, whether through social engineering or technical vulnerabilities.

QRL jacking is a QR code phishing attack in which attackers hijack the authentication process, using malicious code or software to redirect users to a fake website or app. In this attack, attackers use a valid QR code to entice people to scan it. Instead of taking the user to the desired page, the redirection takes them to a fake website where the attackers can steal their personal data or insert malware. QRL jacking is a type of social engineering attack that specifically targets apps that offer "Login with QR code" as a login method. The strategy behind the attack is to lure the victim into scanning a malicious QR code, which results in the hijacking of their session and gives the attacker unauthorized access to their account.

Most countermeasures focus on digitally signing or encrypting the data to protect its integrity from manipulation. Third-party detectors that check for phishing links can be incorporated into the scanner for added protection. Besides this, user awareness and education about the dark side of malicious QR codes is very important, and is discussed in this article. A condensed version of QR code security awareness is given below:

  • Always Verify the Source: Only scan QR codes from trusted sources. If you receive a code via email, text, or from an unfamiliar website, ignore it or open it using sandboxing apps to check the content.
  • Inspect Before You Scan: Look for any signs of tampering, such as overlapping stickers or altered designs, on the QR code you intend to scan.
  • Always Use a QR Code Scanner with Security Features: Opt for scanners that include phishing detection or warning features. These can alert you if the link is suspicious before you open it.
  • Avoid Scanning Codes in Unfamiliar Locations: Be wary of QR codes in public places, for instance QR codes on posters, flyers, or sidewalks that feel out of place. Cyber attackers commonly use this strategy in high-traffic areas.
  • Expand Shortened URLs and Check for HTTPS: If a scanned QR code seems suspicious, use apps that do sandboxing or use a URL expander tool to reveal the full link before clicking. Also, ensure the URL begins with "https" to confirm it is secure before entering any personal information.
  • Regularly Update the Device: Keep your smartphone and scanning apps up to date to protect against security vulnerabilities that could be exploited.
  • Regularly Clear the Cache: Cached data can be used by malicious sites to track your online behavior. Regularly clearing the cache minimizes this risk.
  • Report Suspicious Codes: If you encounter a QR code that seems suspicious, report it to the relevant authorities or the platform where you found it.
  • Limit Sensitive Transactions: Avoid entering sensitive personal information (like passwords or credit card details) after scanning a QR code unless you are certain of its legitimacy.
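
As an added illustration (not code from the original article), the sketch below shows the kind of pre-open check a scanner with warning features could run on a decoded QR payload, covering the shortened-URL and HTTPS points from the list above. It goes slightly beyond the list by also flagging embedded userinfo, punycode hosts, and raw IP hosts; the function name, finding labels, and shortener list are assumptions made for this example.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed sample list of URL-shortener hosts (assumption for this example);
# a real scanner would rely on a maintained list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def triage_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload deserves a warning before opening."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["malformed-url"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi, vCard, plain text, etc. are outside the scope of this link check.
        return ["not-a-web-link"]
    if not host:
        return ["malformed-url"]

    findings = []
    if scheme != "https":
        findings.append("no-https")          # traffic to the site is not encrypted
    if host in SHORTENERS:
        findings.append("shortened-url")     # real destination is hidden; expand first
    if parts.username is not None:
        findings.append("userinfo-in-url")   # text before '@' can imitate a trusted name
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")     # possible look-alike (homograph) domain
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")   # raw IP address instead of a domain name
    except ValueError:
        pass
    return findings


if __name__ == "__main__":
    # Constructed sample payloads; the hosts are documentation/example values.
    for sample in ("https://example.com/login",
                   "http://bit.ly/abc",
                   "https://login.example.com@203.0.113.7/qr",
                   "WIFI:S:cafe;T:WPA;P:x;;"):
        print(sample, "->", triage_qr_payload(sample) or "no warnings")
```

An empty result only means none of these checks fired; it does not establish that the destination is legitimate.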

As QR codes become increasingly common in our daily lives, it’s crucial to protect ourselves from potential threats like QRL Jacking. Share this information to help raise awareness about QR code safety. Just remember, when in doubt, don’t scan!
