You’ve been “cyber attacked”! Don’t worry, this is part of an official Defence Academy cyber security exercise arranged by the HQ J6 team, as part of the “Cyber October” awareness campaign.
Please read the article below to find out more about QR codes and attacks such as the ‘overlay attack’ you’ve just experienced. You don’t need to do anything else, and you do not need to report this.
Understanding the hidden dangers in everyday scanning
Quick Response (QR) codes have become ubiquitous in our daily lives, offering a convenient way to access information, make payments, and engage with digital content. However, beneath their surface there are security risks that can endanger both personal and professional environments.
QR risks and attacks
Overlay attacks
Overlay attacks are a form of cyber-attack where malicious QR codes are placed over legitimate ones, covering the original code. The ‘fake’ codes can be used to direct people to websites which install malware, steal personal information, or obtain money from users. In a recent local example, criminals carried out an overlay attack within a private car park, replacing the genuine payment QR code on ‘How to Pay’ signage with their own. This overlaid QR code took people to a fake payment site. People only discovered they were victims of this attack when they received a subsequent parking fine notice.
The ease with which QR codes can be replaced without notice makes overlay attacks a pervasive threat in everyday settings.
Phishing scams
QR codes are frequently used for payments, accessing websites, or downloading apps. Phishing scams can exploit this by embedding malicious QR codes in emails, flyers, or even social media posts. When scanned, these codes can lead to fraudulent websites that capture personal data, such as bank account details or social media credentials, causing significant financial and privacy repercussions. QR codes can also be used to trick users into downloading applications which are loaded with malware. QR codes within emails can easily be substituted or exploited with code-injection attacks, URL hijacking and other common cyber-attack techniques.
Noticeboard vulnerability
Another risk to defence is the exposure of QR codes on noticeboards in public or private locations. When personnel scan a QR code in such areas, they are using the camera within their smartphone and an application to scan the code. Third-party QR code reading applications, which require permission to use your camera, may originate from untrusted sources, and there is a risk that imagery in the vicinity of the QR code could be exfiltrated.
Use of QR codes at the Defence Academy
Due to the inherent security risks, QR codes should not be published within the Defence Academy unless assessed and approved by the HQ J6 IT Security team.
Staying safe
To mitigate the risks associated with QR codes, consider the following safety measures:
- Verify the source: always ensure the QR code is from a trusted and legitimate source before scanning
- Wherever possible, use the manufacturer-provided camera app on your smartphone if you want to scan a QR code
- Download apps to your device from official app stores rather than by scanning a QR code to download
- Manually search for the website of interest using your browser app rather than scanning a QR code when wishing to access advertised content
- Avoid public scanning: refrain from scanning QR codes in public places where tampering is possible