Anti-Vaxxer Hijacks QR Codes at COVID-19 Check-In Sites

The perp faces jail time, but the incident highlights the growing cyber-abuse of QR codes.

Quick-response (QR) codes used by a COVID-19 contact-tracing program were hijacked by a man who simply slapped up scam QR codes on top to redirect users to an anti-vaccination website, according to local police.

He now faces two counts of “obstructing operations carried out relative to COVID-19 under the Emergency Management Act,” the South Australia Police said in a statement announcing the arrest. His arrest may just be a drop in the bucket: Reports of other anti-vax campaigners doing the same thing abound.

Law enforcement added an additional warning to would-be QR code scammers: “Any person found to be tampering or obstructing with business QR codes will likely face arrest and court penalty of up to $10,000.”

The police said no personal data was breached, but the incident highlights that truly all an attacker needs is a printer and a pack of Avery labels to do real damage.

The 51-year-old anti-vaxxer in question. Source: Adelaide Now.

In this case, the QR codes were being used by the South Australian government’s official CovidSafe app to access a device’s camera, scan the code and collect real-time location data to be used for contact tracing in case of a COVID-19 outbreak, ABC News Australia reported.

That’s a lot of personal data linked to a single QR code just waiting to be stolen.

“In this instance, people who scanned the illegitimate QR code were redirected to a website distributing misinformation from the anti-vaxxer community,” Bill Harrod, vice president of public sector at Ivanti, told Threatpost. “While this is concerning, the outcome could have been far more perilous.”

QR Code Use, Abuse on the Rise

Despite the apparent ease with which they can be abused, QR code use is on the rise. Just this month, Ivanti released a report that found 57 percent of survey respondents across China, France, Germany, Japan, the U.K. and the U.S. had increased their QR code usage since March 2020.

QR codes have become a quick, contactless way to read menus, check into appointments and more since the start of the COVID-19 pandemic. And where there’s valuable data left unprotected, cybercriminals are guaranteed to show up right on time.

zoho webinar promo

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

“Hackers have been known to create adhesive labels with malicious QR codes and paste them over legitimate QR codes, allowing them to intercept or sit in the middle of transactions and capture payment information,” Harrod said.

Ivanti noted in its report this type of “adhesive” malicious QR code attack had already been observed being used to steal payment information in places like restaurants and parking garages. Malicious QR codes are also used to steal credentials in phishing and malware attacks.

The situation is so bad that the Army’s Major Cybercrime Unit issued a warning in March and also cautioned “users to be wary of suspicious quick response codes.”

The Army recommended users avoid scanning random QR codes, be extremely cautious about entering any credentials after scanning and suggests if a QR code appears to be applied on top of another, ask about its legitimacy.

“The problem is that, by design, QR codes are not human-readable, and therefore nearly impossible to detect if the link to which the quick-read code directs the user is safe or malicious,” Harrod explained by email. “For years, we have encouraged users to be aware of links before they click on them and to look for tell-tale signs in the URL that it may not be trustworthy. However, with QR codes, there is no way for users to know before they get redirected.”

Check QR Codes Leading to Bit.ly Links

Harrod said based on Ivanti’s research, users should preview any bit.ly links that appear after scanning a QR code.

“Bit.ly is a free URL shortening service that can also be used by hackers to disguise malicious URLs,” Harrod advised. “The good news is you can safely preview a bit.ly link by adding a plus symbol (+) at the end of the URL. This will direct you to a page displaying the link’s information so you can determine if it’s legitimate or not.”

He added  that, when possible, avoid the security risk of QR codes altogether by opening a browser and viewing the information through a business website.

It’s also critical that users understand the security protections on their device, he said, adding that Ivanti found 49 percent of users said they have no idea whether they have any security installed at all.

“Ivanti’s recent research shows that users typically have no idea what kind of security exists on their mobile devices, which can create huge security gaps on devices that also access company apps and data,” Harrod said. “Ensure that you have software active on your device that will help to detect and remediate malicious code and threats to the mobile device.”

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.

Suggested articles