According to BusinessInsider.com:

• “QR codes are a type of barcode, or scannable pattern, that contain various forms of data, like website links, account information, phone numbers, or even coupons.
• "QR codes are found everywhere from menus to social media to billboards but have picked up popularity during the pandemic for their contactless nature.

"To scan a QR code with your iPhone or Android, you'll want to use the QR code lens feature of your camera or download a QR code reader app.”

There are several incidents regarding the exploitation and misuse of QR codes. Various hackers and threat actors have used QR codes as an attack vector, including the American hacker, Jester. They converted their Twitter profile into a QR code, coding it to search the scanner’s phone for activity over various extremist platforms. If there was any extremist activity detected on the person’s phone, the code programmatically raised user privilege and stole information from their phone.

The threat actor used the combination of social engineering and the QR tech for a malicious purpose. Apart from that, there are several instances where threat actors abuse QR codes in various aspects as an attack vector.

1. Malware attacks

• Cybercriminals might embed malicious URLs in publicly present QR codes so that anyone who scans them gets infected by malware. At times merely visiting the website might trigger the downloading of malware silently in the background. Apart from that, they might also send phishing emails containing QR codes that again infect the user’s device with malware when scanned.

  The malware can then harm users in several different ways. It might open backdoors for more malware infections or silently steal the target’s information and send it to the cybercriminals. At times, these malware infections might even be ransomware attacks that would hold your information hostage for ransom.

3. Bugs in QR codes

At times it may also not be a threat actor working to exploit users. A mere bug within a QR code reader application. Hackers might use the bug to exploit cameras or sensors within phones or other devices. Threat actors might also exploit a bug or an issue within the legitimate URLs that the QR code links with.

The issue was that Heinz had not renewed their registration of the domain name. When the domain

4. Financial theft

QR codes have long since been an efficient manner of carrying out transactions and paying bills. Their use has grown exponentially during the covid-19 pandemic to promote “no-contact” communication and information exchange methods. QR codes are present at restaurants and even fuel stations for customers to pay. Within such public places, any threat actor can swap a legitimate QR code with a fake one so that the transactions go into their bank account.

Back in January, the FBI released this alert on how Cybercriminals Tampering with QR Codes to Steal Victim Funds, which offers tips on how to protect yourself:

• “Once you scan a QR code, check the URL to make sure it is the intended site and looks authentic. A malicious domain name may be similar to the intended URL but with typos or a misplaced letter.
• "Practice caution when entering login, personal, or financial information from a site navigated to from a QR code.
• "If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.
• "Do not download an app from a QR code. Use your phone's app store for a safer download.

• "If you receive an email stating a payment failed from a company you recently made a purchase with and the company states you can only complete the payment through a QR code, call the company to verify. Locate the company's phone number through a trusted site rather than a number provided in the email.
• "Do not download a QR code scanner app. This increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.
• "If you receive a QR code that you believe to be from someone you know, reach out to them through a known number or address to verify that the code is from them.
• "Avoid making payments through a site navigated to from a QR code. Instead, manually enter a known and trusted URL to complete the payment.”