The Olympic and Paralympic Games represent the highest levels of achievement in the athletic world, celebrating hard work and perseverance of its participants. But at the 2022 Beijing Games, a different type of persistent activity is being spotlighted: cyber threats.
To mitigate against what they’re calling “malicious cyber activities,” the Federal Bureau of Investigation (FBI) urges U.S. athletes to leave personal smartphones at home and instead use temporary devices.
“Burner” phones are actually more commonly used than we think, and we're not just talking about unlawful activities. Organizations would often ask employees to use different devices when traveling to higher risk regions. In fact, as an alternative to using temporary devices, a global news organization is currently providing Lookout Mobile Endpoint Security to its reporters in China to protect them.
While there are countless types of threats, one of the most common is phishing. And threat actors have found that QR codes are one of the most effective ways to deliver malicious links. Whether you’re a journalist covering the Olympics or just going to a restaurant in San Francisco, you need to understand that while QR codes make contactless interactions seamless, they also make it easy for attackers to send you malicious links. Once a credential is stolen, it makes it easy for attackers to steal personal and corporate data alike.
QR codes are becoming a part of everyday life
Historically, attackers relied on sending phishing URLs via email to desktop users with hopes of stealing corporate data — either by tricking users into installing malware or unknowingly handing over login credentials. But this changed with the proliferation of mobile devices. Nearly all mobile applications with messaging functionality, such as social media, third party messaging apps, gaming and dating platforms, can be used to deliver phishing attacks.
Within popular apps like Snapchat and WhatsApp, QR codes are used to sign into accounts, exchange contact information and make money transfers. As businesses try to create a contactless experience amid the pandemic, many have turned to QR codes. For example, it's now common practice for restaurants to use QR codes to link to their menus or provide contactless pay options.
At the Beijing games, QR codes are a huge part of everyday life. The Chinese have relied on them for years, and now they’re using QR codes at the Games for everything from accessing training centers and hotel facilities to testing for COVID-19. While the codes make navigating activities at the Games easy and contactless, it creates opportunities for them to be abused for phishing purposes.
A low-tech, yet highly effective phishing method
QR phishing attacks are on the rise because they require so little effort to be successful. For one, the codes are physical displays, meaning a harmless one can easily be covered with a nefarious one that brings users to a malicious website. This makes it easy for cybercriminals to “display” the legitimate site that steals login credentials or installs malware.
QR phishing is not just an effective method to attack individuals, they can also be used to steal corporate data. For example, your employee could scan a code that leads to a fake bank login page. Once their login credentials are entered, an attacker can use software that crawls the internet for other sites with that employee’s username. If your employee uses the same login credentials across multiple accounts, including ones related to work, an attacker could gain access to your organization’s infrastructure.
How to safeguard against QR code phishing
Since the beginning of the pandemic, we’ve all become accustomed to using QR codes as part of our daily lives. In fact, the FBI just warned about QR code phishing in January. To ensure we protect ourselves and our organizations, education is the first line of defense.
For the Olympians and journalists in Beijing, using temporary phones and recognizing the dangers of QR codes can lower the risk of encountering these phishing attacks. We recommend thinking about QR codes the same way you think about other phishing tactics like email scamming and social engineering. Always check the URL on the notification before clicking to be redirected. If the URL does not look like a trusted source or differs from the known company’s URL, exit out of the notification.
But beyond that, organizations also need to look into solutions that can protect their users and data from all internet-based attacks regardless of where they are in the world. Lookout Mobile Endpoint Security and its Phishing and Content Protection module secures your data from threats such as malicious sites, spyware, adware, ransomware, phishing attacks and botnets. It only allows sites that are safe for your user, while blocking phishing and malicious content.
To learn more about why internet-based attacks are a huge issue, check out the Phishing Spotlight Research Report.