Use of QR codes is becoming a mainstream part of advertising, but also is getting the attention of scammers intent on redirecting you to a malicious site they control.
One of the oddest commercials during the superbowl was the bouncing QR code ad from Coinbase. Used as part of their $3 million giveaway, the ad was designed to stand out by looking innocuous compared to the traditional “over the top” ads we’ve all become accustomed to.
The use of QR codes makes it materially easier for the average consumer to be taken to a particular web page or spot within an app, but it’s also the playground for cybercriminals. I recently compared the use of QR codes by threat actors to being “Rick-Rolled”; the victim is presented a legitimate-looking opportunity to find out more information – whether that be online or in real life – and is instead taken to a spoofed website that will take the victim for every bit of personal and payment detail it can. Our security awareness advocate, Javvaad Malik, also recently provided an overview of the tactics used in QR code scams (including a few benign examples).
The use of QR codes by Coinbase isn’t bad and certainly isn’t malicious in intent or nature. But the increased exposure and normalcy established by such ads where people begin to expect to see QR codes in everyday life means that they should also expect to see cybercrimes based on malicious QR codes abound. So, to paraphrase an old adage, "scanner, beware!"
Here's how it works:
