
Hacking with QR Codes

  • Writer: Christopher Essien
  • Mar 21

Introduction

QR codes are everywhere, from restaurant menus to payment systems. But did you know that hackers can use them to trick people into visiting malicious websites? In this blog, we'll explore how attackers exploit QR codes, how you can generate your own QR codes using qrencode, and how to analyze them for security risks.

"it's just a qr code"

How Hackers Use QR Codes for Attacks

Hackers can easily disguise malicious links inside QR codes, making them a serious security risk. Some common attacks include:

  1. Phishing Attacks – A hacker generates a QR code that leads to a fake login page to steal your credentials.

  2. Malware Distribution – A QR code can redirect you to a website that automatically downloads malware onto your device.

  3. Fake Payments – Attackers replace legitimate QR codes with their own, stealing money from unsuspecting victims.

  4. Data Collection – Some QR codes track users' devices and collect sensitive information without their knowledge.

Installing qrencode on Kali Linux

To generate your own QR codes, we will use qrencode, a simple command-line tool available on Kali Linux. If it’s not already installed, run:

apt install qrencode

Once installed, you can generate a QR code for any URL or text.


Creating a QR Code for This Blog

Let’s create a QR code that links directly to this blog post, making it easier for readers to access the content instantly. Run the following command:

"-o" signifies the output file.

This command generates a QR code image (blog.png) that, when scanned, takes users to this blog post.

To view the QR code, open it with any image viewer:

the qrcode

Extracting and Analyzing QR Codes

Instead of blindly scanning a QR code, you can extract the embedded link and analyze it safely.

Step 1: Decode the QR Code

Use zbarimg to extract the URL from a QR code image without opening the link:

It will display the hidden link, helping you decide whether it’s safe.

apt install zbar-tools

content of the qrcode

Step 2: Check the Link’s Safety

Before visiting a link, check it with VirusTotal:

  1. Go to https://www.virustotal.com

  2. Paste the extracted URL into the search bar

  3. Review the scan results to see if it’s flagged as malicious

"No security vendors flagged this URL as malicious" - VirusTotal
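
Steps 1 and 2 can be backed by a quick local check before the URL goes to a reputation service. The script below is an added example, not code from the original post: it parses zbarimg's default "QR-Code:<data>" output and flags decoded payloads that deserve a closer look. The shortener list, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of shortener hosts; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

def parse_zbarimg(output):
    """Return payloads from zbarimg's default 'QR-Code:<data>' output lines."""
    return [line.split(":", 1)[1].strip()
            for line in output.splitlines() if line.startswith("QR-Code:")]

def triage(payload):
    """Return a list of reasons to treat a decoded payload with suspicion."""
    parts = urlsplit(payload)
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme {parts.scheme or 'none'!r})"]
    flags = []
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        flags.append("plain HTTP, no TLS")
    if parts.username is not None or "@" in parts.netloc:
        flags.append("userinfo before '@' hides the real host")
    if host in SHORTENERS:
        flags.append("URL shortener hides the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host, possible lookalike domain")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    return flags

# Constructed sample of zbarimg output (not taken from the blog's screenshots).
SAMPLE = """QR-Code:https://www.virustotal.com
QR-Code:http://bit.ly/3xAmPle
QR-Code:https://login.example.com@203.0.113.7/signin
QR-Code:https://xn--pypal-4ve.example/verify
QR-Code:WIFI:S:CafeGuest;T:WPA;P:constructed;;"""

if __name__ == "__main__":
    for item in parse_zbarimg(SAMPLE):
        print(item, "->", triage(item) or ["no heuristic flags; still check reputation"])
```

An empty result only means none of these heuristics fired; the VirusTotal check in Step 2 still applies.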

Protecting Yourself from Malicious QR Codes

Here are a few simple ways to avoid falling for QR code scams:

  1. Always Preview the URL – Some QR scanners allow you to see the link before opening it.

  2. Use a Trusted Scanner – Avoid scanning QR codes with random apps; use security-focused ones instead.

  3. Verify Before Scanning – If a QR code looks tampered with or suspicious, avoid it.

  4. Be Wary of Shortened URLs – Attackers often use URL shorteners to disguise malicious links.

  5. Use Endpoint Protection – Keep your device secure with up-to-date antivirus software.


Conclusion

QR codes are incredibly useful, but they can also be dangerous if used maliciously. By learning how to generate, extract, and analyze QR codes, you can stay one step ahead of attackers. Always be cautious before scanning a QR code—what looks like a harmless link could be a gateway to a cyberattack.

Stay safe and hack responsibly!
