Checklist 340: QR Codes and Magic Doors

QR Codes: From Pandemic Convenience to Phishing Threat – Beware of Malicious Redirects

QR codes, once a convenience during the pandemic for touchless interactions, have become a vehicle for cybercriminals to phish valuable credentials. As QR code familiarity grew during lockdowns, so did their misuse by bad actors. A recent report highlights a concerning trend of QR codes being utilized to steal Microsoft account credentials in various sectors, including energy, manufacturing, insurance, technology, and financial services.

• QR codes, initially popularized for touchless interactions during the pandemic, have been exploited by cybercriminals for phishing campaigns targeting valuable credentials.
• SecurityWeek’s report reveals that malicious QR codes embedded in PNG images or PDF documents are used to execute phishing attacks, with hidden phishing links.
• Threat intelligence firm Cofense’s research indicates that over 1,000 phishing emails have been identified, with specific targeting:
  • 29% aimed at US energy companies
  • 15% at manufacturing firms
  • 9% at the insurance industry
  • 7% targeting technology companies
  • 6% targeting financial services
• The phishing attempts employ malicious redirects, enhancing the credibility of fake websites. This redirection technique can be difficult to detect on mobile devices, where only the domain is displayed.
• Forbes advises individuals to recognize redirects, implement robust security controls, and avoid implementing redirects in their architecture to counter such attacks.
• While mobile devices initially didn’t display redirections associated with QR codes, recent developments show modern devices now show the embedded artifact and ask users to verify URLs before launching browsers.
• Cofense suggests companies educate employees to refrain from scanning QR codes from suspicious emails to avoid phishing attacks.
• Previous coverage from The Checklist emphasizes caution and provides tips for avoiding QR code scams, including inspecting URLs, checking for physical tampering, and enabling multi-factor authentication.

The evolution of QR codes from a pandemic-era convenience to a phishing threat underscores the importance of cyber vigilance in the face of changing tactics by cybercriminals.

Apple Faces Showdown with UK Government Over Encryption and Security Measures

In a brewing clash over privacy and security concerns, tech giant Apple is threatening to withdraw popular services like FaceTime and iMessage from the United Kingdom. The confrontation stems from the UK government’s proposed updates to the Investigatory Powers Act, which Apple believes could compromise the security of its iOS, iPadOS, and broader ecosystem.

The UK government aims to enforce stringent regulations on messaging services, demanding that security features be approved by the Home Office before release and allowing authorities to require the disabling of security measures without public disclosure. This move, the government argues, would enable the scanning of encrypted messages for illegal content while keeping encryption intact – an approach experts deem implausible.

Apple’s objections include the requirement to notify the Home Office of security feature changes, globally applicable changes that undermine end-to-end encryption, and immediate action upon receiving a demand to disable features. The company contends that the proposed amendments pose a grave threat to data security and user privacy.

The UK government’s stance revolves around the belief that it can strike a balance between encryption and access to specific information, particularly related to child exploitation and abuse. However, experts have criticized these assertions as delusional, asserting that no existing or in-development technology can scan messages for illegal content without compromising user privacy.

Matthew Hodgson, CEO of secure messaging app Element, states that the government’s lack of understanding regarding encryption and technology persists, even after experts have explained the intricacies to them. The UK’s “Safety Tech Challenge Fund” has failed to produce a viable solution that scans messages without undermining encryption.

Apple’s response to the government’s proposals has been robust, with the company vowing not to weaken security features for any single country, as such changes could jeopardize the security of all users worldwide. Moreover, some security modifications might necessitate public software updates, dispelling the notion of secret implementations.

While the UK government claims public support for its proposed measures, including the ability to identify child abuse in encrypted messages, Apple’s threat to withdraw services could put this sentiment to the test. The potential removal of services like FaceTime and iMessage, if the laws are enacted, raises questions about the government’s commitment to striking a balance between security and privacy.

As this confrontation unfolds, the tech industry and privacy advocates will closely monitor the evolving discourse between Apple and the UK government, with potential ramifications for users’ data security and messaging services in the region.