Myth Busting: Why 'Innocent Clicks' Don't Exist in Cybersecurity

Picture this: You snag the last spot in a parking lot and find the QR code to pay on the lamppost directly in front of you. Score! You go to pay on the website, but wait…the page is full of ads and looks very suspicious. Phishing pages never fool you and you can spot a fake logo from a mile away! You close the suspicious page, find a payment machine in the parking lot and move on with your day. You know that innocent clicks don't exist in cybersecurity.

Myth: Visiting a potentially malicious site is harmless if you avoid entering data or clicking on any system prompts.

Reality: Visiting a link or scanning the QR code and loading that page on your phone may be enough for an attacker. Accessing unknown webpages on your computer or phone can open you up to digital fingerprinting, drive-by downloads and even zero-day vulnerabilities that can be used to run arbitrary code on your device.

Inescapable Links and QR Codes in the Wild

Most regular internet users have been exposed to some anti-phishing training pages that help you spot suspicious URLs and advise you against scanning QR codes. But in real life, you encounter many situations where you may receive URLs that seem legitimate (for example: a tax advice page at: www.irs.gov-system[.]com) through emails, SMS messages or shortened links from social media websites. More often, you may be forced to scan QR codes for restaurant menus, making payments, leaving reviews or even parking!

Even if you are confident about your phishing spotting skills, simply scanning and visiting strange links on your personal devices can be dangerous. Cyberattacks have become more sophisticated, and advanced attacks do not need any additional interactions from the user apart from the original scanning or visiting the link.

What Could Go Wrong?

One of the most severe attacks that can happen merely by visiting a website would be drive-by downloads. Attackers can download and install malicious software once a victim loads a webpage on a browser. Even if the user suspects phishing and closes the webpage, the downloads could have already been triggered silently and without consent. Typically, these sorts of attackers exploit vulnerabilities in the victim's browsers or their plug-ins, and outdated software.

Second, attackers can embed JavaScript in the website that is designed to take advantage of security flaws in the web browser. This can allow the attacker to run arbitrary code on the victim's device or break out of the browser's sandbox and conduct unauthorized access of the victim's files and other resources.

Finally, webpages can collect information from the victim's device to create a digital fingerprint. This information can include IP address, location, operating system metadata and browser metadata. This data could be sold to third parties for a variety of purposes, including tracking and targeted advertisements.

My Recommendations

1. Keep your device up to date on all the security patches and software updates.
2. Avoid clicking links or scanning unknown QR codes and try to navigate through search engines to get to the particular service you are trying to reach.
3. Examine the URL closely to identify common phishing patterns.
4. If you encounter shortened links, most services allow you to un-shorten their own URLs and print the original links for your inspection. These include:
   1. Bitly Link Checker
   2. Shortat Unshortener
5. If you must scan codes, inspect the URL to which it is redirecting you. Taking a picture of the QR code and using the Photos application on your phone can help you copy the link. You can use open source intelligence sites such as VirusTotal or PANW Test a Site to learn whether the URL is already known to be malicious.

Navigating to links and scanning unknown QR codes can lead to various security issues, even if you do not enter any personal information. We recommend that users avoid scanning or visiting unknown webpages and instead use search engines to navigate to the services that they need. Furthermore, users should always keep their browsers and operating systems up to date to ensure they remain protected. Next time you're at a parking lot or anywhere in public, avoid suspicious QR codes and links. Instead, find the legitimate application or website by looking up the service name on a search engine.

Additional Resources