What is QR Code Exploitation?

The exploit



With the Covid pandemic, it became more and more common to scan QR codes to access payment links or websites with more information about prevention measures, etc. This opened a window for hackers to exploit the practice. QR codes themselves are not hackable; the problem lies in what the QR code does. In general, a QR code redirects you to a link that is set by its creator.


This gives malicious actors a chance to impersonate different entities or causes, as I have set up for this example with the fake festival with free drinks. The real attack occurs when you access the link: because the hacker has full control of the website, he can steal your information/location or prompt you to make payments on behalf of a bank or other institution.


Hackers can quickly embed a malicious URL in a QR code with their own software; when scanned, it could leak data from a mobile device. A QR code might likewise carry a malicious URL that leads to a phishing site asking users to reveal their credentials.


In a typical attack, a malicious QR code is posted in public, often hidden by a real QR code, and when unsuspecting people scan the code, they are directed to a malicious website that may contain an exploit kit. This may result in additional device compromise or even a fake login page where user credentials are stolen. Basically, what brought you to this website.


You can learn more about strategies to mitigate this attack here.
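Because the risk lies in the link and not in the QR code itself, a scanner can vet the decoded link before opening it. The sketch below is an added example, not part of the original page; the trusted host, the shortener list and the sample links are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed for illustration: hosts this organisation prints on its own QR codes.
TRUSTED_HOSTS = {"festival.example.org"}
# Assumed, non-exhaustive sample of shortener hosts that hide the destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def review_qr_payload(payload: str) -> list[str]:
    """Return the reasons a decoded QR payload should not be opened automatically."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ["malformed link"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return [f"not a web link (scheme {scheme!r})"]
    findings = []
    if scheme == "http":
        findings.append("unencrypted http link")
    if parts.username is not None:
        findings.append("text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return findings + ["no host in link"]
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("link shortener hides the destination")
    if host not in TRUSTED_HOSTS:
        findings.append(f"host {host!r} is not on the trusted list")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in (
        "https://festival.example.org/tickets",
        "http://203.0.113.7/login",
        "https://festival.example.org@login.example.net/free-drinks",
    ):
        print(sample, "->", review_qr_payload(sample) or "ok")
```

An empty result means none of these checks fired, not that the destination is safe; the link should still be shown to the user before it is opened.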



Here is some interesting documentation, if you want to read more about this attack:

How attackers exploit QR Codes

4 ways scanning QR codes can expose you to security threats

QrlJacking

Who am I?

Student: Freddy Gomes
Position: Cyber Security (Semester 7 student)
Contact: qrcodeexploitation@hotmail.com