Social Experiments With QR Codes
QR codes are nothing new, and phishing with QR codes (called “quishing”) is on the rise. While I have no interest in using phishing for evil, I did think it would be fun to set up a little experiment to see who, when, and where a QR code gets scanned. So I set up a page on this site; while it is not hard to find, I have removed direct links to it. It is a simple awareness page designed to warn users about scanning unknown QR codes (sample shown below).
There are several ways to flag and track this type of behavior: paid advertising services, paid static or dynamic QR codes, and similar services. I’m not particularly interested in the advertising components and detailed analytics, so I used a combination of free services that achieve the same basic effect: an alert that fires when the QR code is scanned. I wanted to alert on the scan of the QR code, but because the page itself is not hard to find if you know where to look, I did not want to alert on page views alone. Instead, I created a redirect Canary Token (https://canarytokens.org) that redirects to the page (shown below).
With the redirect in place, I wanted to avoid having the “canarytoken” top level domain (TLD) easily viewed when scanning the QR code. To prevent this, I used a URL shortening service to obfuscate the Canary Token TLD on the initial scan. Then I created a static QR code using the shortened URL, and it was time to order stickers.
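The chain just described (shortened URL, then the Canary Token redirect, then the awareness page) is exactly what a shortener hides from whoever scans the code. The following script is an added example, not the post’s own tooling or anything from canarytokens.org: it walks a URL’s redirects one HEAD request at a time, never following automatically and never loading a page body, and reports which domains sit in the middle of the chain. The hostnames in the demo table are constructed placeholders, and the `fetch` parameter is injectable so the demo runs offline; pass `head_location` to query real servers.

```python
"""Resolve a URL's redirect chain hop by hop without loading any page body.

Added example (not the post's own code). A URL shortener placed in front of a
Canary Token keeps the canary domain out of sight when a QR code is scanned;
walking the redirects one hop at a time makes the full chain visible.
"""
import http.client
from urllib.parse import urlparse, urljoin

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def head_location(url, timeout=5):
    """Send a single HEAD request and return (status, Location header).

    The redirect is deliberately not followed; the caller decides what to do.
    """
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "redirect-resolver/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve_chain(url, fetch=head_location, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with `url` and ending at the
    first non-redirect response. Stops early on a loop or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            chain.append(nxt)  # redirect loop: record it once and stop
            return chain
        chain.append(nxt)
    return chain


def hidden_domains(chain):
    """Domains that appear only in intermediate hops, i.e. shown neither on the
    scanned code (first hop) nor in the browser's final address bar (last hop)."""
    hosts = [urlparse(u).netloc for u in chain]
    return [h for h in hosts[1:-1] if h not in (hosts[0], hosts[-1])]


# Constructed hop table standing in for the shortener and the canary redirect.
# Every hostname here is a placeholder, not a real service.
DEMO_HOPS = {
    "https://short.example/abc123": (301, "https://canary-redirect.example/tok/XYZ"),
    "https://canary-redirect.example/tok/XYZ": (302, "/qr-awareness"),
    "https://canary-redirect.example/qr-awareness": (307, "https://blog.example/qr-awareness"),
    "https://blog.example/qr-awareness": (200, None),
}


def demo_fetch(url):
    """Offline stand-in for head_location that answers from DEMO_HOPS."""
    return DEMO_HOPS.get(url, (404, None))


if __name__ == "__main__":
    chain = resolve_chain("https://short.example/abc123", fetch=demo_fetch)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    print("domains hidden from the scanner:", hidden_domains(chain))
```

Against the constructed table, the resolver reports the canary domain as the only hidden hop. The same approach, with `head_location` as the fetcher, is how an analyst would check where a shortened link in a QR code actually leads before anyone opens it on a phone; the HEAD request still registers as a hit on a redirect token, which is the behaviour the post is counting on.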
Using my favorite sticker service, I placed an order for a page of stickers with the QR code. Within 24 hours of ordering (meaning my order hadn’t even shipped yet) I received my first notification that my Canary Token had triggered! While this could be standard procedure to verify the details of the QR code before printing the stickers, it also could have been just a curious employee.
At the time of this writing the stickers haven’t even come in yet, and data from the social experiment is already coming in. I’ll periodically update this post with more stories resulting from this experiment.