Olympic Games, Burner Phones and QR Code Security

The Olympic and Paralympic Games represent the highest achievements in the world of sport and celebrate the hard work and perseverance of the participants. However, the Beijing 2022 games are taking center stage on a different type of persistent activity: cyber threats. A comment from Hank Schless, Senior Manager Security Solutions at Lookout.


The Federal Bureau of Investigation (FBI) has urged US athletes to leave their own smartphones at home and instead use temporary devices to guard against “malicious cyber activity.” Such “burner phones” are used more often than we think, and we’re not just talking about illegal activities here. Companies often ask their employees to use different devices when traveling to high-risk regions. As an alternative to using temporary devices, a global news company is currently providing its reporters in China with Lookout Mobile Endpoint Security to protect them.


While there are countless types of threats, one of the most common is phishing. Attackers have found QR codes to be one of the most effective ways to deliver malicious links. Whether a journalist is covering the Olympics or just going to a restaurant in San Francisco, they need to know that while QR codes enable seamless contactless interaction, they also make it easy for attackers to send malicious links. Once a credential has been stolen, it’s easy for attackers to steal both personal and corporate data.


QR codes are becoming a part of everyday life


In the past, attackers have relied on emailing phishing URLs to desktop users in hopes of stealing corporate data. They did so either by tricking users into installing malware or unknowingly sharing credentials. However, this changed with the proliferation of mobile devices. Almost any mobile application with messaging capabilities, such as social media, third-party messaging apps, games, and dating platforms, can be used for phishing attacks.


QR codes are used in popular apps like Snapchat and WhatsApp to log into accounts, share contact information, and transfer money. As businesses seek to create a contactless experience amid the pandemic, many have turned to QR codes. For example, it is common for restaurants to use QR codes to allow visitors to check the menu or make contactless payments.


At the Beijing Olympics, QR codes are an important part of everyday life. The Chinese have been using them for years. Currently, organizers are using QR codes at games for everything from access to training centers and hotel facilities to testing for COVID-19. While the codes make navigating the games easy and touchless, they also carry the risk of being misused for phishing purposes.




Almost finished!

Please confirm your email address!

Click on the link in the email we just sent you. Also check your spam folder and whitelist us.

More information about the newsletter.

A technically simple but highly effective phishing method


QR phishing attacks are on the rise because they require so little effort to be successful. For one, the codes are physical ads, which means that harmless code can easily be masked with malicious code that leads users to a malicious website. This makes it easy for cyber criminals to “view” the legitimate website that steals credentials or installs malware.


QR phishing is not only an effective way to target individuals, but it can also be used to steal company data. For example, an employee could scan a code that leads to a fake bank login page. Once the credentials are entered, an attacker can deploy software that scans the Internet for other websites with the employee’s username. If the employee uses the same credentials for multiple accounts, including at work, an attacker could gain access to the company’s infrastructure.


How to protect yourself from QR code phishing


Since the beginning of the pandemic, we have all become accustomed to using QR codes as part of our daily lives. In fact, the FBI only issued a warning about QR code phishing in January. To protect consumers and businesses, awareness is the first line of defense.


For the Olympians and journalists in Beijing, temporarily using another cellphone and being aware of the dangers of QR codes can reduce the risk of phishing attacks. Lookout recommends treating QR codes the same way you treat other phishing tactics like email scams and social engineering. It is always important to check the URL in the notification before clicking on the redirect. If the URL doesn’t look like a trusted source or is different from the well-known company’s URL, users should opt out of the notification.


But organizations also need to look at solutions that protect their users and data from all internet-based attacks, no matter where they are. Endpoint security solutions with a Phishing and Content Protection module protect data from threats such as malicious websites, spyware, adware, ransomware, phishing attacks and botnets. Such a solution only allows websites that are safe for users and blocks phishing and malicious content.