Curiosity struck many who clicked on yesterday’s Super Bowl Coinbase ad. The floating QR codes reminded me of the Windows Flying Toasters screen saver, or the first Atari video game “Pong” released in 1972. Look them up on Wikipedia to learn more :) Clickers discovered the ad linked to a Coinbase promo.

But was this risky? Since the ads are prerecorded and vetted prior to release, the likelihood of the ad being safe was extremely high. But, you say, “what if hackers got into the live feed and substituted a phony QR code?” Possible. But as my colleague Roger Grimes, KnowBe4’s data-driven defense evangelist, posted on Spiceworks, it would have been far easier to substitute a simple, easy-to-remember (rogue or compromised) URL to get maximum victims due to the demographics of the game.

QR code phishing is still a thing. Many local police departments are reporting parking lot QR phishing scams. Super Bowl ad spots cost about six million dollars per 30 seconds this year. It would take a well-funded, well-played scam to pay off for the attackers. It’s within the realm of possibility, considering many nation states have already attacked live on-air state-sponsored TV shows in some countries.

The larger issue with the popularity of QR codes is that they are a shoot-and-click way to transport you to a phony destination. See our Feb 7, 2022, blog post on QRCrime by KnowBe4 security awareness advocate Javvad Malik, “QR Codes in the Time of Cybercrime.”

Android and iPhone native camera apps do show a destination URL with a message to tap to proceed to the website. At least there is the option for security-aware users to inspect the destination website before proceeding. The worry about Coinbase popularizing the QR code is that many users will blindly proceed with implicit trust. Will this lead to more QR code scams?