QR codes a powerful new phishing weapon in hands of Pyongyang cyberspies

North Korean government hackers are turning QR codes into credential-stealing weapons, the FBI has warned, as Pyongyang's spies find new ways to duck enterprise security and help themselves to cloud logins. In an advisory published this week, the agency said the Nork-linked "Kimsuky" group has been embedding malicious URLs …

  1. VoiceOfTruth Silver badge

    And the USA does the same sort of thing

    The FBI kettle calls $bogeyman black.

  2. Dr Paul Taylor

    QR codes are an obvious security hole

    Why does anyone scan something they can't read themselves?

    1. jpennycook

      Re: QR codes are an obvious security hole

      Even my employer sometimes likes to email QR codes or put them on the Intranet, which is really frustrating.

      Anyway, the QR code scanner on my phone just shows the URL or whatever is encoded there - I have to press more buttons if I actually want to open it in my browser.

      1. that one in the corner Silver badge

        Re: QR codes are an obvious security hole

        >> scan the QR code and you're dumped into an attacker-controlled portal

        Shitty QR scanner apps that "make things easy": people have been putting out damaging QR codes for years! "We told them to disable CD autoplay, now we have to tell them..."

        > QR code scanner on my phone just shows the URL

        Which app is that?

        A good recommendation can save hours of frustration in the app store.

        1. David 132 Silver badge

          Re: QR codes are an obvious security hole

          The built-in one on iOS, for a start. Just pops up the URL overlaid on the camera image, and asks if I want to open it with <default browser>.

          I have zero experience of Android since about 2018; does it not have the same behaviour?

          1. Anonymous Coward

            Re: QR codes are an obvious security hole

            Using the iOS Shortcuts app you can quickly set up a scanner that tells you the whole URL instead of going there: 'scan QR code' is actually one of the program steps, and it then sticks the result in whatever variable you provide.

            When I have time to have a look at the whole Shortcuts thing (it's one of these "let's make it easy for noobs" things that results in it being illogical for people who have written code) I'll probably cook up a flow that scans a QR code, shows it in full and then looks it up only if you actually give permission. In other words, it'll do what iOS as well as Android should do by default IMHO.

        2. Dan 55 Silver badge

          Re: QR codes are an obvious security hole

          This one shows the URL on Android:

          F-Droid: QR & Barcode Scanner

    2. DrewPH

      Re: QR codes are an obvious security hole

      This! A QR code is an obfuscated link. How QR codes manage to still exist is a testament to human stupidity. I've never, ever used one and I never, ever will.

      1. Anonymous Coward

        Re: QR codes are an obvious security hole

        You're going to have fun in most modern car parks then, I fear. But, to be fair, there you basically /start/ with criminals running a racket in many cases.

    3. Anonymous Coward

      Re: QR codes are an obvious security hole

      Well said. The same goes for those shortened URLs. Who knows where they will take you?

      Some years ago now, I saw a work colleague crying her eyes out when a short URL took her to a porn page. We called IT Security, who looked at it. If she had clicked on a full URL then she would have been fired. She'd received an email from a customer whose system had been hacked. She was given emotional support instead of the sack.

      DO NOT TRUST THEM.

      1. Anonymous Coward

        Re: QR codes are an obvious security hole

        We have a thing called 'Hoxhunt' running. It generates fake spam and phishing messages that are quite good, and it has a gaming element to it, so our personnel are getting quite good at spotting questionable email (and now rather report something they don't trust instead of clicking on links).

        From what I hear from the admin, we see on average at least one breach a week of a supplier now, most of them small setups with not much in the way of IT skills or resources :(.

  3. Pascal Monett Silver badge

    Thank you, Microsoft

    Another wonderful idea that ends up being a threat portal for your abysmal operating system. I seem to recall that, from day one, somebody already suggested that fake BSODs with malware-tailored QR codes could be used to infiltrate a user's system.

    Honestly, Microsoft, the only reason you are still alive is because Bill Gates had the genius to flood schools with early versions of Windows so as to hook kids on it, kids who later became job seekers who needed to be proficient in . . Windows (because that saved on training costs and because "managers" didn't know anything else).

    The day will come when Linux reigns supreme. I know I won't see it, but my daughter's children might. Okay, shush. Don't go destroying my dream.

    1. Alumoi Silver badge

      Re: Thank you, Microsoft

      The first genius idea was allowing software piracy for Windows and Office. The second one was forcing Windows on every computer sold. Yours comes in third, sorry. :)

  4. Claptrap314 Silver badge

    Overheard

    "How many times have I told you not to click on links in random emails?"

    "I didn't click a link! Really!"

    "What's that?"

    "It's a QR code. That's not a link!"

    <gunshot>

    1. Alumoi Silver badge

      Re: Overheard

      A QR code is not a link. The same as a PIN is not a password.

  5. Claptrap314 Silver badge

    QR code generators, too...

    At my last company, the sales team was using a QR code generator. I found out about it, and ran its output through a QR code reader. Yep, short-coded to some server in Germany.

    What I don't get is that scanners don't catch these things. Okay, so there is an image file. Decoding the thing takes work. What exactly am I paying you for?

  6. Anonymous Coward

    QR codes on parking meters

    My favourite QR code attack is when QR code stickers are put on parking meters redirecting people to scam parking payment sites. So easy to do, so easy to make money.

    1. that one in the corner Silver badge

      Re: QR codes on parking meters

      > when QR code stickers are put on parking meters

      AC, eh. Why do I suspect that you edited that sentence, after you caught yourself writing:

      > when I put QR code stickers on parking meters

      1. Anonymous Coward

        Re: QR codes on parking meters

        Not being the initial AC, but some of us have nasty and devious minds that will more or less automatically find ways to subvert things even if we would never use them. So payment QR codes are an obvious avenue.

        1. Richard 12 Silver badge

          Re: QR codes on parking meters

          Aside from that, this exact scam has been in the news multiple times.

  7. that one in the corner Silver badge

    email filtering can't inspect a graphic QR code

    Why the -bleeeep- not?

    Just pass the images into a QR parser and see what comes out. We're not asking for an in-depth artistic review of the stock photo being used, only that a bog standard library function be used.
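The "pass the images into a QR parser and see what comes out" filter described above, as an added example that is not part of this thread or of any product mentioned in it: the MIME walk, URL classification and verdict are my own, the QR decoder is injected (a real gateway would plug in a library such as pyzbar; the stand-in here returns a canned payload so the example runs offline), and the allowlist, shortener list and lure message are constructed. It also flags shortener hosts, the kind of redirect Claptrap314 found in a generator's output further down the thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Callable, List, Tuple
from urllib.parse import urlparse

ALLOWED_HOSTS = {"login.microsoftonline.com", "sso.example.com"}  # constructed allowlist for this example
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # public shorteners: destination hidden twice over

def classify_url(payload: str) -> str:
    """Classify a decoded QR payload as allow, shortener, unknown-host or non-web."""
    p = urlparse(payload.strip())
    if p.scheme.lower() not in ("http", "https"):
        return "non-web"  # Wi-Fi, vCard and similar strings never belong in a login lure
    host = (p.hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return "shortener"
    if any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS):
        return "allow"  # exact match or a subdomain of an allowed host
    return "unknown-host"

def scan_message(raw: bytes, decode_qr: Callable[[bytes], List[str]]) -> List[Tuple[str, str, str]]:
    """Decode every image part of a MIME message and classify each QR payload found.
    decode_qr is injected: a real gateway would wrap a decoder such as pyzbar (assumed there)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        name = part.get_filename() or "(inline image)"
        for payload in decode_qr(part.get_payload(decode=True)):
            findings.append((name, payload, classify_url(payload)))
    return findings

def verdict(findings: List[Tuple[str, str, str]]) -> str:
    """Quarantine when any QR payload is off the allowlist; mail without QR codes passes."""
    return "quarantine" if any(c != "allow" for _, _, c in findings) else "deliver"

def build_sample_message() -> bytes:
    """Constructed lure: 'scan to verify' text plus one PNG attachment (placeholder bytes)."""
    m = EmailMessage()
    m["Subject"] = "Action required: verify your mailbox"
    m.set_content("Scan the attached code to keep access to your account.")
    m.add_attachment(b"\x89PNG-placeholder", maintype="image", subtype="png", filename="verify.png")
    return m.as_bytes()

FAKE_QR_PAYLOADS = {b"\x89PNG-placeholder": ["https://bit.ly/example"]}  # constructed decoder table

def fake_decode(image_bytes: bytes) -> List[str]:
    """Stand-in for a real decoder (e.g. pyzbar): returns the URLs 'found' in the image bytes."""
    return FAKE_QR_PAYLOADS.get(image_bytes, [])
```

Swapping `fake_decode` for a real decoder is the only change needed to run this over live mail; the classification step is where the policy lives.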

    1. david 12 Silver badge

      Re: email filtering can't inspect a graphic QR code

      Exactly. That's what AI Image recognition is for!

      I for one welcome our NK AI overlords

      1. Richard 12 Silver badge

        Re: email filtering can't inspect a graphic QR code

        The entire 'ing point of a QR code is that it's easy for an algorithm to detect and extract from an image.

  8. Anonymous Coward

    I strongly recommend not using QR codes at work

    I was strongly told to get on with it.

    QR codes for all.
