You don’t have to look far these days to spot a QR code. From their humble beginnings in labeling and tracking parts used in vehicle manufacturing, these blocky little barcodes-on-steroids are being placed everywhere from product packaging, to posters and billboards, to magazines and newspapers.

They’re a jumping-off point from the offline to the online world – you just scan the code with your smartphone to launch the digital content triggered by the code. This makes them a marketeer’s dream because they make it easy to direct users toward information and services. What’s more, they still retain a certain cool and curiosity factor, with users enjoying the point-and-browse convenience they offer.

However, this also makes them useful to hackers as a social engineering tool, to exploit user interest and trust and direct them to malicious websites or malware. The concept of ‘drive-by downloads’ is already well established as a stealth weapon for stealing users’ sensitive details, and QR code offers a new angle on this old trick.

A matter of trust

The issue is that users have to trust the integrity of the code’s provider, and assume that the destination it leads to is legitimate. This is almost impossible for individuals to gauge, because the QR code actually conceals the site and content it leads to. And as we’ve seen in social engineering exploits from the email worms of the early 2000s, triggering human curiosity to see what might happen when an attachment is clicked, or a QR code is scanned, often leads to big security problems.


Furthermore, QR code-scanning applications running on smartphones can provide a direct link to other smartphone capabilities, such as email, SMS, and application installation – further extending the potential risks to mobile devices. Let’s look at how a potential QR code-based exploit could be mounted, and then at how to defend against it.

Code read

The first step in mounting a QR exploit is to distribute the code itself, to get it in front of potential victims. This could happen by embedding the QR code in an email – making it an elaborate phishing exploit – or by distributing plausible-looking physical documents with QR code on them, for example flyers at a trade show, or even stickers applied to genuine advertisement billboards.

Once the QR code is distributed, then the attacker has a multitude of scam options to choose from. At a basic level, the code could simply redirect users to fake websites for phishing purposes – such as a fake online store or payment site. This exploits smartphones’ small screens, and the fact that the user may be in a rush, to obscure the difference between the fake and real site in the hope of capturing more user details.