QR code attacks are on the rise

Most people with a cellphone or computer know by now to be aware of clicking random links without knowing where they go. They know to look for the one letter in the URL that’s different, like an uppercase I used in place of a lowercase L. But a technology that has become more popular in recent years is making it harder for users to recognize the scam.

The National Motor Freight Traffic Association’s 2024 Cybersecurity Trends report highlighted a rise in QR code attacks, called quishing, in which attackers manipulate QR code technology to trick users into visiting malicious sites so they can steal their data. More and more companies in the supply chain, including carriers, are using QR codes in their daily operations, and while there isn’t danger in their use with legitimate links, there are some concerns to be aware of.

NMFTA’s cybersecurity team said the QR code by itself is not the threat, but the information or action it triggers can be. Two chief information officers at two different trucking companies that use QR codes in one way or another agree the threat lies with the consumer or user. First Fleet Chief Information Officer Austin Henderson said this is just a new form of phishing and no different than getting a user to click on a random link.

“This is a risk but it’s, in my mind, not really the technology’s fault so much as it is the consumer pointing their camera at it who then provides details they should not,” Henderson said. “If you get a random text that says click here for your ‘benefit package’ or whatever, you then go to a site where you are phished; if you enter your credentials, that’s a user awareness issue, and you need something like KnowBe4 to train your users. This isn’t to me a risk in the technology but of the consumer.”

But carriers should be aware that bad actors can replace the carrier’s QR code with a malicious one. The matrix of little black and white squares can easily be created with a QR code generator and guide the user directly into the hands of a scam. And those malicious QR codes can easily be placed over the top of a carrier’s legitimate QR code, which could result in reputational damage to the carrier despite it not being their fault.

Partner Insights
Information to advance your business from industry suppliers

“The QR security threat is really when someone puts a QR sticker over something else with a malicious link. One place this has been seen is at airport bars and lounges with QR codes for menus, but it can be everywhere that someone can get to the code. Hackers overlay the QR part carefully or just reprint an entire sticker with the QR code pointing to their site,” said John Reed, CIO and executive vice president of information technology at Aim Transportation Solutions. “The QR code pointing to an app to download is no more of a security threat than it would be to print the URL pointing to it. There’s no inherent threat with having the legit QR posted for our servers. That said, could a person print up a sticker with a QR code and slap it over ours? Absolutely, but if we didn’t have a code there already, they could still just print the entire thing.”

Just like airport bars or restaurants, these QR codes could be lying in wait at places like truckstops for drivers to fall prey if they scan the code with their personal phone or company-issued phone that has access to company data.

The NMFTA cybersecurity team said the risks in warehouses and docks are increased even more since barcode scanning happens there all day every day and could be used for nefarious purposes if unchecked or unguarded.

[RELATED: NMFTA’s ambitious cybersecurity agenda for 2024]

And email is still a concern, too. As companies get smarter and enhance their cybersecurity around email, attackers are finding new ways to invade those systems, including with the use of QR codes.

“We have seen an increase in attacks like this where the attachment to corporate email accounts is say a PDF, and when you open it, there is a document that has a QR code, which the attacker hopes you scan with your phone,” Henderson said. “When you scan it with your phone, that traffic will not pass through firewalls and be inspected, so yes this is a problem, but it’s not any different than getting a random link on your phone.”

Henderson said user awareness and training is the proper path forward.

Mitigating QR code exploits

These are some of the tips NMFTA’s cybersecurity team offers:

• Before scanning a code, especially one on printed material in a public place, make sure it hasn’t been pasted over with a different and potentially malicious code. It’s best not to use QR codes that look to be altered in any way. Pay attention to the URL you’re being directed to, although this is not always possible to do before visiting the site, as some codes won’t show the URL beforehand.

• Never log into an app using a QR code.

• Be careful before trusting and scanning a QR code. First, ask yourself: Can you trust the source? Do you trust the poster, restaurant or the website that is showing the QR code? If someone left a handout on your car with a QR code, can you believe it?

• Only download apps from verified app stores instead of getting them through QR codes.

• Do not make financial payments through QR codes.

• Check for tampered QR codes (stickers) and compromised webpages requesting unnecessary personal information.

• Provide the minimum amount of personal information requested when completing online forms through QR codes.

• Once you scan a QR code, your device will ask if you want to act on the information it reads before it does anything. For example, if the QR code is a link to a website, your device will ask if you want to visit the site before going to it. Take time to review the call to action or the link itself and ensure you feel comfortable visiting it.

• Confirm your mobile devices are always updated and running the latest version of its operating system. This ensures that it has the latest security features.

• There is no need to install special mobile apps to decode QR codes. You should be able to simply use your device's built-in camera. If a website is requiring you to download a specialized QR scanning app, it is most likely counterfeit or fake.

• Think twice before providing confidential or personal information to any website that you reached via a publicly visible QR code.

Fleet/asset security

When using barcode scanners ensure these things:

• The QR scanners do not automatically fetch URLs in QR codes.

• If they automatically route to the internet, it should be to a fixed IP address/location.

• They should not be easily modified to be rerouted to an unintended site.

• Routine inspections to ensure legitimate QR/barcodes have not been replaced with malicious QR/barcodes.

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine. Reach her at [email protected].