Researchers from the Carnegie Mellon University’s CyLab have released the results of a study – “QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks” – which focuses on phishing attacks that rely on QR (Quick Response) codes.
QRishing is a term utilized for phishing attacks initiated via the scanning of QR codes. Such attacks are not new, but in the past period researchers have started examining them because they’re becoming more and more common.
The experts conducted two experiments. One of them focused on observing how users interacted with QR codes, in order to determine the proportion of individuals who scan them but choose not to visit the associated website.
The second experiment involved the distribution of posters containing QR codes in 139 different locations to see just how successful such phishing attacks can be.
The results are certainly interesting. The first experiment has shown that 85% of those who scanned the QR codes visited the associated websites.
In the second one, the flyers were scanned by 225 individuals in the course of four weeks. All of them visited the associated site after scanning the QR code.
Over half of them also took part in a survey that allowed researchers to determine some key aspects.
83% of them have indicated that they know what a QR code is. Although some users aren’t familiar with the term, they know how it works if they’re presented with one.
Of those who scanned the flyer, 75% claimed they did it out of curiosity and 14% said they did it just for fun. Less than 4% scanned it because the related information appeared to be useful.
“The ease with which such an attack can be mounted against current smartphones is particularly concerning given the long patching cycle and potential for an attacker to gain elevated privileges on the device,” the researchers said.
“With or without the security specific controls, user awareness of new threats like QRishing will be critical as mobile devices become everpopular.”