In what seemed to be a perpetual tribute to millennials this year, brands of all industries put on their Sunday best for Super Bowl Sunday, hoping to go viral.
There are several front-runners for best commercial, including fun ones from Uber Eats and TurboTax, as well as my personal favorite: the return of Dr. Evil promoting General Motors. But it is the Coinbase commercial that is being talked about the most in security circles, and for all the wrong reasons.
The Coinbase ad featured a QR code that changed colors as it bounced around the screen, a callback to the DVD-logo screensaver (or, for fans of The Office, the cold open of Launch Party). Once scanned, the QR code led viewers to an offer: $15 in BTC for new customers who joined Coinbase by February 15, 2022, or a $3 million giveaway for existing customers.
The commercial proved immensely popular with viewers, so much so that it sent the Coinbase app crashing almost immediately. While the advertising agency behind the commercial had to be ecstatic about the response, security professionals everywhere were cringing, and with good reason.
First, the premise of the commercial reinforced one of the key behaviors security professionals warn against: blindly clicking. By now we all know you should never click on a link you aren't 100% sure about, and scanning a floating QR code is the same thing, because a QR code is just a link the viewer cannot read.
Nobody viewing the commercial knew where the QR code went until the Coinbase logo appeared at the very end, yet many curious viewers scanned it anyway. Some Android and iOS scanners do show a preview of the link before opening it, but that preview only shows the URL encoded in the code. A link shortener or a server-side redirect can send the user somewhere else entirely, so the true destination is not known until the page loads, and the destination of a "mystery link" is usually somewhere they do not want themselves, their devices or their information to be.
Second, it is easy for scammers to imitate a legitimate site with a malicious one and to use QR codes, which hide the URL from the eye, to lure users to it. The imposter site can then be used for phishing, credential and data theft, and other malicious purposes. Picture an imposter site mimicking Coinbase and you can imagine the kind of personal and financial information people would enter under the pretense of claiming a promotional offer.
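The practical check the two points above call for is to read the link before tapping it. The following is an added example, not code from the original article or from Schneider Downs: it takes the decoded text a QR scanner shows in its preview (decoding the image itself is left to the scanner, so this runs offline) and flags the traits of a lure, such as a non-URL payload, plain http, a raw IP address, a punycode lookalike label, a shortener that hides the final destination, or a host that mentions a brand without belonging to that brand's domain. The shortener list, the brand-to-domain map and the last-two-labels domain heuristic are illustrative assumptions; a real deployment would use a maintained feed and the public suffix list.

```python
"""Triage a decoded QR payload before opening it (added example, not from the article)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Illustrative lists, not a maintained feed (assumption for this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Hypothetical map of brand keyword -> the registrable domain the brand really owns.
BRANDS = {"coinbase": "coinbase.com"}


@dataclass
class Verdict:
    payload: str
    kind: str                      # "url" or "non-url"
    host: str = ""
    warnings: list = field(default_factory=list)

    @property
    def safe_to_open(self) -> bool:
        """Only an http(s) URL with no warnings is considered safe to tap."""
        return self.kind == "url" and not self.warnings


def registrable_domain(host: str) -> str:
    """Naive last-two-labels heuristic; a real check would consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a domain name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(payload: str) -> Verdict:
    """Inspect the text a QR scanner would preview and collect reasons not to open it."""
    v = Verdict(payload=payload.strip(), kind="non-url")
    parts = urlsplit(v.payload)
    scheme = parts.scheme.lower()

    # QR codes can carry Wi-Fi credentials, tel:, sms:, app links, etc.; none of those
    # should be acted on blindly from an unknown code.
    if scheme not in ("http", "https") or not parts.hostname:
        v.warnings.append(f"not an http(s) URL (scheme {scheme!r}); do not open blindly")
        return v

    v.kind = "url"
    host = parts.hostname.lower()
    v.host = host

    if scheme != "https":
        v.warnings.append("plain http: page content can be altered in transit")
    if is_ip_literal(host):
        v.warnings.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        v.warnings.append("punycode label: possible homoglyph lookalike of a real domain")
    if "@" in parts.netloc:
        v.warnings.append("userinfo before the host: the real host is what follows the '@'")

    reg = registrable_domain(host)
    if reg in SHORTENERS:
        v.warnings.append(f"link shortener {reg}: the final destination is hidden until fetched")
    for brand, expected in BRANDS.items():
        if brand in host and reg != expected:
            v.warnings.append(
                f"mentions {brand!r} but is not {expected} (registrable domain is {reg})"
            )
    return v


if __name__ == "__main__":
    # Constructed sample payloads, not real codes from the ad or any campaign.
    for sample in (
        "https://www.coinbase.com/promo",
        "https://coinbase.com.evil.net/promo",
        "http://bit.ly/abc",
        "WIFI:T:WPA;S:Cafe;P:pw;;",
    ):
        verdict = triage(sample)
        print(verdict.payload, "->", "OK" if verdict.safe_to_open else verdict.warnings)
```

The brand rule is the one that matters most for the scenario above: a host like coinbase.com.evil.net contains the brand name the viewer expects, but its registrable domain is evil.net, and that is the only part of the name the attacker had to control.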
“Many individuals are not aware that [QR] codes are being spoofed by cybercriminals and woven with malware or malicious URLs in hopes of opening the door to sensitive data,” said Lisa Plaggemier, Interim Executive Director of the National Cybersecurity Alliance. “Yet, for all of the talk about the negative impacts of the Coinbase ad from a cyber perspective, the ad also stands to do a bit of good as well by raising the profile of the QR code security conversation in a way that it frankly hasn’t been yet.”
QR codes have made something of a comeback since COVID-19, especially in the restaurant industry, and the FBI recently released an alert (Alert I-011822-PSA) warning that cybercriminals are tampering with QR codes to steal victim funds, which echoes the concerns raised by the Coinbase commercial.
Oh, and if you’re wondering how many people scanned the ad when it aired… reportedly more than 20 million.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.