[Updated: Nov 17, 2022]
Almost exactly a year ago, I wrote an article about why QR codes aren’t inherently dangerous. That’s still true. However, there’s a tricky new scam that will basically hold any QR codes you generate on their site for ransom.
QR Codes: Let’s Review
As I explained in the previous article, a QR code (like the one in the image above) is just a graphical web link. Okay, QR codes can be used for other things, too, like WiFi passwords, contact information and more. But they’re mostly used to direct people with smartphones to specific websites. You scan the code with the camera app on your smartphone, and you’re given the option to click the image and go to the website. It’s undeniably handy. It basically lets you click links in the real world.
Under the covers, the QR code just uses all those little squares to encode some text – in this case, an HTTP/HTTPS link. But your human brain can’t interpret these codes, meaning that you have no idea what that hyperlink is. Regular hyperlinks can be similarly misleading. For example, a link whose visible text reads https://amazon.com can actually point to google.com. (If you hover your mouse over such a link, you can see its real destination.) With QR codes, your camera app should give you some sort of heads up as to where the link will take you, though it often doesn’t. Even if it did, that link could be a “shortened” URL, like those created by bitly or owly or a dozen others – meaning that even if you could see that link text, you wouldn’t know where you would eventually be redirected.
Taking the Scenic Route
Well, it turns out there’s another really sneaky way to use these URL shorteners. Let me illustrate with a story. Let’s say you’re creating a new business card and you want it to look fancy and hip by adding a QR code that will take people to your website. So you search Google for a “free QR code generator” and click the top search result. This site can create all sorts of cool-looking QR codes, with fancy borders, your logo in the middle, different colors, and more. You generate the code, download the image, and put it on your business card. Maybe you even checked it first, to make sure it works. And it worked.
You order 1000 cards and start handing them out all over the place. The QR code works great for a while, but then suddenly fails. About that time, you get an email from the QR code generating site saying that your free trial has expired and if you want the link to work again, you need to pay money. Turns out, that QR code didn’t go to your website directly – it went via a redirect link which was controlled by the site that generated the QR code. You now have 1000 business cards that are worthless. Worse yet, many of those cards are in the hands of other people who will not be happy when that QR code fails. Basically, your cards are now being held for ransom. I’m sure the terms of this agreement were somewhere on that website, but I know it wasn’t obvious (I’ve looked).
Exposing & Avoiding the Scam
So I tried this out, just to see it for myself, and to find the best way to avoid being scammed. I went to this site (I’m not going to mention it by name) and entered a link to this article on QR code scams:
And it generated the following QR code (which I had to obtain using a screenshot – you couldn’t directly download it or right-click and save the image).
See all those dots? It makes sense that there are a lot of dots – because there was a lot of text to encode. That link was long. But when I went to download this code, I was prompted to sign up for a free account, with a 14-day free trial of pro benefits. That should have been my first clue, but hey, I’m about to get my code, right? I don’t care once I have the code. They didn’t ask for a credit card or anything. But when I went through all the stupid sign-up crap (“what industry are you in?”) and had to regenerate my code, I got this new one:
Looks different, doesn’t it? It is. It doesn’t take me to the link I asked for. Instead, it takes me to:
That’s a shortened link. For a little while, that link will direct to the one above. I have no idea how long it will continue to work, but 14 days might be a good guess.
UPDATE (Nov 17): Yep. After 14 days, the code stopped working. When you click that link now, you’ll get the message at the left. When I log into my account, I see the message at the right.
I used an online tool from zxing.org to decode these images. If you ever run across a QR code that you don’t know if you can trust, you can take a picture of it and upload it to this site to see where it goes. If you find a shortened URL, you can test it with another site called CheckShortURL.com. It will actually try to show you an image of what the final website will look like without you having to go there yourself. You can also check the URL for known malicious activity by posting it to VirusTotal’s link verifier.
But the real scam here is that this site will insert itself as a middleman on all the links you generate, and eventually block access to the final destination until you pay money.
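Here is an added example (my own code, not from the article or from any of the sites it mentions) that automates the two checks described above. It assumes you have already decoded the QR image to text, for instance with zxing.org, and that you know which URL you originally asked the generator to encode. It first classifies the decoded text (direct link, link on your own site with extra parameters, known shortener, third-party redirector, or not a web link at all), and for anything that is not a direct link it walks the HTTP redirect chain with HEAD requests, without following the redirects in a browser, so you can see where the code really ends up. The shortener list and the hosts used in the demo (short.example, qr-vendor.example) are constructed samples, not authoritative data.

```python
"""Inspect what a QR code really encodes before trusting or printing it.

Added example, not part of the original article. Assumes the QR image has
already been decoded to text (e.g. with zxing.org) and that the caller knows
the URL that was supposed to be encoded.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed sample of shortener / redirector hosts. Not exhaustive.
KNOWN_SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com", "t.co", "goo.gl"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def _normalize(url):
    """Reduce a URL to the parts that matter for 'is this the same link'."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    path = p.path.rstrip("/") or "/"
    return (p.scheme.lower(), host, path, p.query)


def _is_shortener(host):
    return host in KNOWN_SHORTENERS or any(host.endswith("." + s) for s in KNOWN_SHORTENERS)


def classify(decoded_text, expected_url):
    """Compare decoded QR text with the URL you asked for.

    Returns one of: 'direct', 'same-site', 'shortened', 'redirector', 'not-a-url'.
    """
    scheme, host, path, query = _normalize(decoded_text)
    if scheme not in ("http", "https") or not host:
        return "not-a-url"          # e.g. a WIFI:/MECARD: payload or bare text
    exp_scheme, exp_host, exp_path, exp_query = _normalize(expected_url)
    if (scheme, host, path, query) == (exp_scheme, exp_host, exp_path, exp_query):
        return "direct"
    if _is_shortener(host):
        return "shortened"
    if host == exp_host:
        return "same-site"          # your domain, but a different path or query
    return "redirector"             # some other party sits in the middle


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Tell urllib not to follow 3xx; the response surfaces as HTTPError instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(url, timeout=10):
    """One HEAD request, no redirect following. Returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def redirect_chain(url, probe=http_probe, max_hops=10):
    """Follow redirects hop by hop; returns every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = probe(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))   # Location may be relative
    return chain


def inspect_qr_payload(decoded_text, expected_url, probe=http_probe):
    """Full check: classify, then (if not direct) see where the link really lands."""
    verdict = classify(decoded_text, expected_url)
    chain = [decoded_text] if verdict in ("direct", "not-a-url") else redirect_chain(decoded_text, probe)
    lands_on_expected = _normalize(chain[-1]) == _normalize(expected_url)
    return {"verdict": verdict, "chain": chain, "lands_on_expected": lands_on_expected}


# Constructed offline stand-in for http_probe, mimicking a generator that
# inserted its own shortener in front of the requested page.
FAKE_WEB = {
    "https://short.example/abc": (302, "https://qr-vendor.example/r/123"),
    "https://qr-vendor.example/r/123": (301, "https://fdsd.me/blog"),
    "https://fdsd.me/blog": (200, None),
}


def fake_probe(url):
    return FAKE_WEB.get(url, (404, None))


if __name__ == "__main__":
    wanted = "https://fdsd.me/blog"
    for decoded in ("https://fdsd.me/blog/", "https://short.example/abc", "WIFI:S:MyNet;T:WPA;P:secret;;"):
        print(decoded, "->", inspect_qr_payload(decoded, wanted, probe=fake_probe))
```

For a real QR code, call inspect_qr_payload with the default probe; a "shortened" or "redirector" verdict whose chain currently lands on your site is exactly the situation the article describes: it works today, but only as long as the middleman lets it.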
How to Generate a Clean QR Code
I’d be remiss if I didn’t give you a method for generating a QR code that actually goes directly to the site you want. I’ve looked for trustworthy QR code generator websites and they frankly all look shady to me. However, I did find out that the DuckDuckGo search engine will generate a QR code for you – just enter “qr” followed by the URL (for example, “qr https://fdsd.me/blog”). I would trust them to keep the codes clean, but you can (and should) verify them with zxing.org.
Personally, I ended up buying a Mac app called QR Factory. It wasn’t cheap, but it creates really nice-looking codes and has tons of features. If you’re up for a little command-line adventure, you can always try this Python library.