Quishing

Introduction

Have you noticed how QR codes are found everywhere these days? Well, so have the scammers, and they will use all manner of tricks to fool you. Quishing (or phishing with QR codes) involves tricking someone into scanning a malicious QR code.

The QR code then redirects to a malicious website that might download malware or ask for sensitive or financial details - all without you ever noticing.


In the example above, a malicious actor has conducted a Quishing attack by sticking a malicious QR code onto a parking meter, which takes the user to a spoofed copy of the original website using a similar URL.

Quishing

Quishers (the scammers) design fake QR codes that look authentic, and often stick them over the original valid QR codes (such as on posters or parking meters).

Here's how it works:
  • Scammers create malicious QR codes to imitate legitimate ones, and place them in public places where they are likely to be scanned.
  • When scanned, the QR code will redirect your web browser to a malicious website (often cloned to look like the original).
  • Once you input your details on the malicious site, the scammer steals your data or money and posts your credentials on the dark web.

Detection

It isn't always easy to detect a malicious QR code, as they are well designed and look professional. QRsiren uses a combination of manual verification, crowd analysis and artificial intelligence to verify a QR code. The code is then given a score and a simple-to-understand analysis to help you decide if you want to visit the site.

However, here are some things to look out for:

Prevention

Believe it or not, there are a lot of things you can do to ensure you don't fall for a quishing scam:
  • Only scan codes from trusted sources.
  • Check the printed code to ensure a malicious QR code hasn't been stuck over the original.
  • Check the URL of the website you're directed to, and if it looks suspicious - don't visit.
  • Don't enter personal information on unfamiliar websites (scanned from a QR code).
  • Keep your device's software up to date to protect against malware.

Finally, consider using a trusted and secure QR code scanner, such as QRsiren. Whilst many of today's smartphones come with a built-in QR code scanner, they often don't analyse the QR code and will open the target URL automatically.

QRsiren is the first QR code scanner to offer intelligent scanning using a combination of crowd analysis and artificial intelligence. This data is then used to build up a vast database of good and bad QR codes around the world.