QR Code Hijacking Attempts Are Pretty Inept


I've been writing about QR codes since 2007 - long before they were fashionable. Because QR Codes are so cheap to produce, there has always been a concern that attackers might print out their own codes and stick them over legitimate ones.

When I first wrote about QR Hijacking in 2011, I said that such attacks were usually easy to spot:

A poster behind some glass. A paper QR code is stuck on top of the glass. It is easy to see it is a replacement code.

Recently, a new wave of QR Hijacking attacks has been reported in Bournemouth:

A further warning about fake QR codes on parking ticket machines has been issued after new stickers were found in numerous beach resort car parks. When scanned, the codes go to a fraudulent website. Further warning over fake parking QR code scam - BBC News

Let's take a look at some photos of the attacks. Then I'll explain how to prevent them.

First up, this photo from Bournemouth, Christchurch and Poole Council's Facebook page:

A car park payment information screen. There are two fake QR codes stuck to it.

These are pretty crappy attempts! The original code in the top right corner has been covered, which might fool some people. However, it is poorly aligned and sized. The other code is sloppily placed in the middle of the text. It doesn't look convincing. While the codes may have looked legitimate when first placed on, ten minutes in the English rain makes it apparent that they are paper forgeries.

And then there's this QR code randomly stuck on to a parking machine:

A paper code stuck onto a payment machine.

The URL it goes to is superficially convincing - fee-parking-pay.info - but let's take a closer look:

Close up of the code.

It has been inexpertly cut out, it is too large for the space provided, and is clearly stuck on. Rubbish!

Finally, there's this sticker found by Bournemouth Police:

A small QR code sticker being peeled off a sign. The original QR is underneath it.

This one is much harder to spot! It's about the right size and shape. It looks well aligned and the paper hasn't degraded. But do you notice what's printed above it? The official URL. And that leads me on to…

How to Prevent QR Code Hijacking

Putting QR codes behind a glass screen isn't always practical, and reflections in the glass can make it hard to scan a code. It's difficult to make a code physically inaccessible for a scammer while also making it easy to scan.

The number one thing to do is display the official URL nearby.

Every QR scanner that I know shows you the URL before opening the page. Every web browser shows you the full URL of the site you're on.

If someone scans a code which goes to totally-official-parking.biz but they can see the parking sign says pay4parking.gov.uk then they are much less likely to fall for the scam.

You can do fancy things like incorporate a logo into your QR, or print it on a coloured background, or have people regularly check your codes for signs of tampering. Those might keep your users secure, but can be bypassed by a sufficiently determined attacker.

A large printed URL isn't infallible, but it is much harder for an attacker to deface a large area of a poster than it is to cover a small QR square.
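The comparison a user (or a scanner app) is really making here is "does the address in this code belong to the domain printed on the sign?". The following is an added example, not code from the original post, showing that check done properly: it compares whole DNS labels rather than looking for the official name as a substring, and it treats anything that is not an http(s) URL as a mismatch. The official address and all scanned payloads are constructed values modelled on the domains mentioned in the post.

```python
from typing import Optional
from urllib.parse import urlsplit

# Official URL as printed on the sign. Constructed for this example, modelled on
# the pay4parking.gov.uk domain used in the post; not a real council address.
OFFICIAL_SIGN_URL = "https://pay4parking.gov.uk/"


def host_of(url: str) -> Optional[str]:
    """Lower-cased hostname of an http(s) URL, or None if the text is not one.

    A QR payload can be anything (plain text, a phone number, Wi-Fi details);
    only http(s) URLs can be compared against the printed address at all.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def matches_official(decoded: str, official: str = OFFICIAL_SIGN_URL) -> bool:
    """True only if the decoded host is the official host or a subdomain of it.

    Comparison is on whole DNS labels, so 'fee-parking-pay.info' and
    'pay4parking.gov.uk.example' both fail; a plain substring test would not
    catch the second. The decoded URL must also keep https when the sign uses it.
    """
    scanned, expected = host_of(decoded), host_of(official)
    if scanned is None or expected is None:
        return False
    if urlsplit(official).scheme == "https" and urlsplit(decoded.strip()).scheme.lower() != "https":
        return False
    return scanned == expected or scanned.endswith("." + expected)


def triage_scans(payloads, official=OFFICIAL_SIGN_URL):
    """Map each decoded payload to 'ok' or 'mismatch' for a quick tamper review."""
    return {p: ("ok" if matches_official(p, official) else "mismatch") for p in payloads}


if __name__ == "__main__":
    # Constructed payloads: the first is what the genuine code should decode to,
    # the rest model the kind of look-alike addresses the post describes.
    samples = [
        "https://pay4parking.gov.uk/pay?location=beach-car-park",
        "https://fee-parking-pay.info/pay",
        "https://totally-official-parking.biz/",
        "https://pay4parking.gov.uk.example/pay",
        "http://pay4parking.gov.uk/pay",
        "Pay at the meter (plain text, not a URL)",
    ]
    for payload, verdict in triage_scans(samples).items():
        print(f"{verdict:9} {payload}")
```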

As for what to do if you're worried about the legitimacy of these codes:

Anyone worried about paying online for parking can also pay by debit card/contactless or cash at a parking meter. BCP Council

3 thoughts on “QR Code Hijacking Attempts Are Pretty Inept”

  1. Joker_vD says:

    Of course, it requires the official authorities to be competent enough to not, e.g. move the web domains around for no particular reason and then instead of re-making the billboards opt to put stickers with corrected QR codes on them until the next fiscal year arrives.

    Relatedly, anti-reflective glass coatings exist but are almost never used on... whatever those glass-sandwiched ad billboards are called.