What is a QR Code attack?
Most people are aware of QR codes now and how often they can be used - they are an easier option than typing in a link on your phone:
They are used in places like restaurants, parking lots, museums, etc. to allow visitors to easily scan the code and view things such as menus, pay portals, or extra information.
With QR codes being so prevalent in society, QR code attacks are also becoming increasingly more popular. If you scan these QR codes, they can make you browse to a malicious website, and maybe a login screen to steal your credentials.
Or, they could download a malicious file onto your device – this could be a keylogger (records your keystrokes), or a file which runs malicious code on your device to steal your data. If you see a QR code in an unusual place, do not scan it.
What if a QR code is in a place you’d maybe expect one to be?
Check around it, does it look like it’s covering another sticker/sign? Are there other ways to get to the site you need to be on? If there is, do not scan the QR code and use the alternative route. Usually, places that use QR codes
also have a secondary option (e.g. an app, or a web address) which you can use to access the service directly.
If you are ever in doubt, do not scan the QR code and go to a recognised webpage instead and, if you can, report the QR code to the company.
If you see a QR code on the university campus that you are not sure about, do not scan it. Report it to Digital Service via Solve for further investigation.
How do these work?
QR codes work similarly to barcodes you see in a shop. The unique pattern of black lines/blocks and white
spaces allows your camera to read data from it. The data is held in the pattern both vertically and horizontally, which allows it to store a large amount of data (like a file, for example). The code does not necessarily have to be
scanned in the correct orientation either, it could be scanned upside down or “wonky” and the camera will still pick it up due to the orientation markers embedded within the code.
Once the code is scanned, whatever the threat actor has embedded into it will be executed on your device. Luckily, most devices will give you a prompt to confirm if you would like to open the QR code data, which stops someone from accidentally scanning and opening it – take that moment to think about whether the QR code is legitimate, or not.
If the QR code leads to the download of a file which runs malicious code, and if you miss the notification of the file being downloaded, you may never know that it has been downloaded onto your device as this code could run in the background silently. If you scan a code and see a file downloaded when you were not expecting it, locate the file, remove it from your device, and wipe your device (factory reset) to remove any damage that the malicious code may have already done.
If you have fallen victim to this scam and your student account or a student device may be affected, please reset your password immediately from a different (non-infected) device and contact Digital Services – they will be more than happy to assist!
