What is a QR Code and How Does it Scan?
A QR code is a scannable barcode that contains numbers and characters embedded in a two-dimensional arrangement of squares. When a user scans the code, the app translates the pattern into data.
Dynamic QR codes contain information that can be changed after the code is created. Usually, a short redirection URL takes the user to a destination URL, where the actual content lives. That content can easily be changed: we see this with restaurant menus, where the content changes daily yet the QR code remains the same. Dynamic QR codes also allow scanning and use to be tracked, making them useful for marketing purposes.
How Hackers Exploit QR Codes
There are a number of ways that QR codes can be exploited:
Counterfeit Codes. Hackers can print their own QR codes and paste them on top of printed QR codes that appear on posters and in public locations. The bogus code directs users to a malicious or fraudulent site.
QRishing. A malicious QR code sent via email, text or other method could lead users to a phishing site that looks like the legitimate website of a trusted institution. Users enter sensitive information such as banking credentials or Social Security numbers, unaware that they have been redirected.
Malware. Hackers can embed malware into a QR code or link users to a site that contains a virus, keylogger or other malware. In some cases, merely scanning the code can do damage, extracting valuable information such as banking login credentials.
QR Hijacking. When a QR code is sent via instant messaging, social media, text or other method, the code could initiate an action on a smartphone, such as launching a payment app, following a malicious account on social media, adding a malicious Wi-Fi network or more. Hackers also can use QR codes to write emails or text messages or make phone calls. Because a QR code can store a lot more data than a URL — more than 4,000 alphanumeric characters with spaces — the possibilities are endless.
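To make the QR hijacking point concrete from the defender's side, here is an added example (not part of the original article) of how a scanner app could classify a decoded payload and ask for confirmation before acting on it. The function name, reason strings and sample payloads are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Prefixes that make a phone act instead of just showing text. WIFI:, SMSTO: and
# MATMSG: are de facto scanner conventions; tel:, sms: and mailto: are URI schemes.
ACTION_PREFIXES = {
    "wifi:": "join a Wi-Fi network", "tel:": "place a phone call",
    "sms:": "compose a text message", "smsto:": "compose a text message",
    "mailto:": "compose an email", "matmsg:": "compose an email",
}

def classify_qr_payload(payload: str) -> dict:
    """Name the action a decoded QR payload requests and why to confirm it first."""
    text = payload.strip()
    for prefix, action in ACTION_PREFIXES.items():
        if text.lower().startswith(prefix):
            return {"action": action, "confirm": True,
                    "reasons": [f"payload asks the device to {action}"]}
    try:
        parts = urlsplit(text)
    except ValueError:
        return {"action": "open a link", "confirm": True, "reasons": ["malformed URL"]}
    if parts.scheme in ("http", "https"):
        host, reasons = parts.hostname or "", []
        if parts.scheme == "http":
            reasons.append("unencrypted http link")
        if parts.username or parts.password:
            reasons.append("user info placed before the real host name")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host name (possible look-alike domain)")
        try:
            ipaddress.ip_address(host)
            reasons.append("raw IP address instead of a domain")
        except ValueError:
            pass
        return {"action": "open a web page", "host": host,
                "confirm": bool(reasons), "reasons": reasons}
    if parts.scheme:  # any other scheme can hand the payload to an installed app
        return {"action": f"open an app via {parts.scheme}:", "confirm": True,
                "reasons": ["non-web scheme can launch an installed app"]}
    return {"action": "show text", "confirm": False, "reasons": []}

# Constructed sample payloads (not taken from any real QR code).
SAMPLES = ["https://menu.example/today", "https://bank.example@203.0.113.7/login",
           "WIFI:T:WPA;S:FreeCafe;P:constructed-pass;;", "examplepay://pay?to=constructed"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_qr_payload(sample))
```

A dynamic QR code's short redirect URL can pass these checks and still land somewhere else, so the same checks belong on the final destination after redirects are followed.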