What a game! Another Super Bowl in the books. Almost everyone saw the Coinbase commercial where they showed a QR code to enter a contest to win Bitcoin. Seeing this made me think, “Wow, this is an excellent social engineering tactic!” By advertising during the Super Bowl, Coinbase reached over 100 MILLION viewers, significantly increasing the likelihood of a massive number of people scanning the QR code.
https://youtu.be/1zLsUhOCqyU
Coinbase’s Super Bowl QR code commercial
If you don’t know what social engineering is, it is hacking human emotions. The attacker takes advantage of one of their victim’s emotions, whether it be fear, hope, a sense of urgency, etc., to get them to do something without thinking. When most people scan a QR code, they probably don’t read the link before going to it. The hope of winning money makes it even less likely that someone will verify the link beforehand.
You may have noticed that QR codes have become popular in several restaurants during the pandemic. Most restaurants have the QR code posted on your table to scan and view the menu. This is another scenario where you want to be cautious of the codes you scan. It takes minimal effort for someone to print out a code and tape it over the code on a table at a restaurant. Like the Super Bowl scenario, the victim will likely click the link without looking because they are eager to view the menu and order their food, or they just didn’t think to browse to the website.
Even if you are paying attention and looking at the link, you may see only a TinyURL or Bit.ly address. It is easy to customize a URL with a URL shortener to trick the unsuspecting victim. The link may lead to a site that could be malicious, and it could expose your device, home network, or organization to malware. Be extra cautious with URL-shortened links, as you won’t know the actual endpoint.
The best advice for QR codes is to be cautious when scanning them. Try to navigate to a website using your browser instead of scanning the code, even though scanning the code is much more convenient. If you are at a restaurant, it is better to scan a QR code on paper handed to you by staff instead of one on a table. Again, the preferred method over both of those would be to navigate to the restaurant’s menu with your browser.
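The "read the link before you open it" habit described above can be written down as a small check. This is an added example, not part of the original post: the shortener list holds only the two services the post names, and the function name, finding labels, sample URLs and `.example` domains are constructed for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumption: deliberately short list; the post names TinyURL and Bit.ly.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly"}


def triage_qr_url(url, expected_domain=None):
    """Return reasons to pause before opening a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host:
        return findings + ["no-host"]
    if parts.username is not None:
        # Text before '@' is not the destination; the host after it is.
        findings.append("userinfo-in-url")
    if host in SHORTENER_HOSTS:
        findings.append("shortener-hides-destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name, not an IP literal
    if expected_domain:
        expected = expected_domain.lower().rstrip(".")
        # Match the domain itself or a true subdomain, not a look-alike suffix.
        if host != expected and not host.endswith("." + expected):
            findings.append("host-differs-from-expected")
    return findings


if __name__ == "__main__":
    # Constructed samples: what a table QR code might decode to.
    for sample in ("https://menu.restaurant.example/table/12",
                   "https://bit.ly/placeholder",
                   "https://restaurant.example@menu-login.example/"):
        print(sample, triage_qr_url(sample, "restaurant.example"))
```

An empty list only means none of these surface checks fired; a shortened link still has to be expanded by a preview service or avoided, since the check cannot see where it redirects.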