Voir en

français

Computer Security: “Check me” comes before “Scan me”

Like with any other malicious URL, letting one malicious QR code through can put your digital life at risk

Computer security blog
(Image: CERN)

Remember our article on “The truth lies in the URL” about our latest phishing campaign and the risk to your device, your account and your digital life when clicking on the wrong – malicious – URL, the wrong “link”? Unfortunately, in this “Covidised” world, URLs now come more and more frequently in another form – as QR codes (see images below).

QR codes are used to access a dedicated webpage, e.g. to make a restaurant reservation or to provide personal details for COVID-19 tracking. Taking a photo of a QR code with your smartphone opens the intended webpage in your browser. Easy as pie.

home.cern,Computers and Control Rooms
Colours are arbitrary and used here just to distinguish the good from the evil.

But wait! While it’s easy for your smartphone to tell what those patterns ought to be, our human eye is innocent and fails. Is this a good QR code? Is this a malicious one? Like with “standard” URLs embedded in emails, attachments, WhatsApp or Facebook messages or even text messages, you have to make the final call. You have to (try to) judge whether the URL embedded in the QR code is reasonable, expected and non-malicious. Like when you hover your mouse over a “standard” URL when using a laptop/PC, your smartphone should display at least the beginning of the URL (for the examples above, “cern.ch” and “cern.cg”). Check this URL and continue only if it looks right to you. Admittedly, it’s often hard to tell, but it’s still better to be safe than sorry. Otherwise, like with any other malicious URL, letting one malicious QR code through can put your smartphone and, hence, your account and subsequently your digital life at risk. So, please, watch out, be vigilant and STOP – THINK – DON’T CLICK!

For those who want to create their own QR code, e.g. to direct people to a website or as a link to a conference paper or other supporting material, make sure that the embedded QR is “pure” and only contains the URL you intended to provide. Some online QR generators embed additional information in the URL such as webpage redirection or id tokens that are used for tracking purposes. Please refrain from doing so*. Thanks!

* https://zxing.appspot.com/generator, for example, generates pure QR codes.

______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.