Logo Intuity

The revenge of the QR Codes

Share article

The new challenge of Cyber Security

Although QR Codes are not a recent invention, their use to date has been very limited. Its history begins within the industry It was invented in 1994.

It’s very similar to the barcode that we see on products at the supermarket, but it doesn’t have need a particular reader, our smartphone can easily read it with a QR scanner app or directly from the camera, if enabled to read.

The QR code (Quick Response) is a matrix barcode that can be read from an imaging device (camera), so that data can be processed. Thanks to the QR code you can simplify a multitude of tasks such as
Validate a ticket on public transport, save contact information, open URL of websites without having to digital the string on the search bar, scan a business card, make payments in stores and
supermarkets or still use mobile applications on desktops like Whatsapp or Telegram Desktop.
Most users who use QR codes are not aware of the that they may have security vulnerabilities. Furthermore, the low rate of use until the period of medical emergency, have a near total lack of information and awareness about IT risks associated with them.
The reason, however, is not only the low rate of use; it is considered a low impact risk.
Nevertheless, given their current use (including post-pandemic) in all product sectors, underestimate the level of security of the QR code could become dangerous.

Can QR Code be hacked?

Hacking a QR code would mean manipulating the action without change the code itself. This is not possible. So how can it harm the user? Hackers can use a QR code for various malicious purposes and in various ways. Here are some of them:


The most common violation is defined as Qrishing: many web ads use QR codes that point to the URLs of the sites, so that users can quickly scan the code to visit the site.
Right in this step, scammers try to deceive the naive user. Considering the impossibility of violating it, hackers try to change the QR code, applying a fake one on the original one in the various posters of
public places, so that users can reach the sites to which the QR code manipulated.

How do users fall for that?

Phishing pages look exactly the same as legitimate sites. On mobile devices, however, it is difficult to check the full address than to the browser from PC, since due to limited space, it is not displayed
the full address of the URL at the bottom left. Most people never check the full address, which makes the user (and the his credentials), increasingly vulnerable.

Malware via Download Attack

Scammers generally use malicious websites to distribute malware via drive via Download Attack. Nowadays, most of these attacks are carried out against Android users. This is a download forced software on your device while you visit the website. Visiting it is enough to activate the download action. These infected devices then can also send SMS to favorite phone book numbers, so as to generate
a dangerous chain reaction.

Potentially malicious browsers

A type of attack similar to the previous one, but it has nothing to do with the malware. Sometimes some websites may hide vulnerabilities even through the browser from which it is accessed. This can enable access to microphones and cameras, browser data or sending emails, with the aim of generate a DDOS attack against a legitimate website.

Manipulate QR code of corporate websites

The criminal can enter the website of a company and replace the QR code with a malicious one, since it would be unlikely to locate with the naked eye the code change. Scanning might:

  • Direct the user to a phishing URL, request credentials for take control of your personal accounts (email or social media).
  • Lead to a fake app store where you download malicious apps containing viruses, spyware, trojans or other malware

How to protect yourself?

Malicious QR codes have limited scope, but can still be harmful. So, you need to be prepared and take the right precautions:

  • Observe well before scanning: if you find a QR code in a any advertising banner in a public place, you have to watch it from close. Most of the time, scammers stick their QR code false on the legitimate one. We must therefore try to understand if it is real or less touching the poster making sure there is no other actually printed over.
  • Never give personal information or login credentials: be always suspicious of the page where you land via QR code. Do never share personal information or access data, unless is very reliable. Just enter the URL manually on the browser search bar. A simple gesture to Avoid any nasty surprises.
  • Look at the URL before proceeding: some scanner apps show also the actual URL before proceeding and ask to confirm if you want to visit the URL. This will help to know if the QR code is malicious or not. Norton Snap is a great solution that includes some Integrated security features.

Contact us here