It's the Monday after Super Bowl Sunday, which means everyone is sharing their favorite commercials from the big game. Every ad felt like a short film, packed with celebrities and crazy CGI—except for one that stood out in a unique way.
For 60 seconds, a colorful QR code bounced around a black screen like the old DVD player logo would. Once scanned, the QR code redirected users to Coinbase's official website. You can watch the ad below:
Coinbase is one of the largest cryptocurrency exchange platforms in the world. Following the commercial, the company announced it would be giving $15 to anyone who signed up in the next two days:
ICYMI 👀
Now that we have your attention we'd like to announce that we're giving away $15 in BTC to anyone who joins Coinbase by 2/15.
Click below for more info and RT to tell your friends!
Sign up and see terms here → https://t.co/fKHisXZJJc pic.twitter.com/SDWUup2Ql5
— Coinbase (@coinbase) February 14, 2022
However, the ad was apparently so popular that the traffic from people scanning the QR code crashed the Coinbase website. Though the site is back up and running, the incident has sparked discussions on QR codes within the cybersecurity community.
Concerns over QR code use
QR codes have become incredibly popular over the last few years, with organizations adopting them in a variety of ways. Most restaurants you sit down at now have QR codes on the table for digital access to the menu.
But as their popularity grew, so did the security concerns. Hank Schless, a senior manager of security solutions at Lookout, shared his thoughts on the QR ad during the Super Bowl:
"The real risk in this situation is if someone edits the commercial and adds a malicious QR code to it, especially on social media platforms.
People will repost Super Bowl ads for weeks after the game itself, so an attacker could easily change the QR code. The ad could be reposted across social media apps and crypto forums to get people to visit a malicious webpage. That page could be a fake Coinbase login site. If this was a success, the victim could end up having their entire account drained. Attackers could also build that page to deliver a trojanized version of a crypto app.
What this ad really highlighted is the willingness of consumers to engage with QR codes. The codes are no longer mysterious images you scan, but have become a legitimate way to drive traffic to websites and apps. As these codes have become more normalized, people scan them without thinking as much and trust that their destinations are secure.
In reality, a threat actor could just as easily build a fake login page for any website and distribute the URL via QR codes with hopes of tricking individuals into sharing their login credentials for that website. This all exemplifies the implicit trust we have in our mobile devices, and threat actors prey on that trust. In order to keep safe, it's necessary to have a mobile security app installed on your device that can mitigate the risk of phishing attacks."
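The risk described in the quote above comes down to where a scanned code actually leads. As an added example (not from the article or from Lookout), this Python sketch checks a URL decoded from a QR code against the destination the scanner expects before opening it; the `assess_qr_url` helper, the finding labels, the trusted-domain list and the sample URLs are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the destination(s) the legitimate code is expected to open.
TRUSTED_DOMAINS = frozenset({"coinbase.com"})

def assess_qr_url(decoded, trusted=TRUSTED_DOMAINS):
    """Return findings for a URL decoded from a QR code; [] means none."""
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    # "https://brand.com@other.host/" opens other.host, not brand.com.
    if parts.username is not None:
        findings.append("userinfo-in-url")
    if not host:
        return findings + ["no-host"]
    # Punycode or non-ASCII labels can render as look-alike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")
    if not any(host == d or host.endswith("." + d) for d in trusted):
        findings.append("untrusted-host")
        # Trusted name used as a decoy label inside an unrelated domain.
        if any(d.split(".")[0] in host for d in trusted):
            findings.append("brand-in-untrusted-host")
    return findings

# Constructed sample payloads (reserved .example names), not real indicators.
SAMPLES = [
    "https://www.coinbase.com/signup",
    "http://coinbase.com/",
    "https://coinbase.com@login.example/",
    "https://coinbase.com.account-verify.example/login",
    "https://xn--constructed-label.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", assess_qr_url(url) or "no findings")
```

A shortened link only shows the shortener's host, so it is reported as untrusted until the final destination is known.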
The ad aired just one month after a public service announcement from the FBI, which aimed to raise awareness of malicious QR codes and how cybercriminals have been tampering with them to steal personal information from users.
The QR code also sparked tons of comments on Twitter. Some were legitimately concerned about the security of the whole thing, while others just wanted to make some jokes:
Scanning an unidentified QR code that bounces across your screen during the Super Bowl is like going around at the end of a party finishing all the half empty drinks. You can do it, but you'll regret it. And you'll get a lip fungus. But for your computer. It's a whole thing.
— Evan Greer (@evan_greer) February 14, 2022
5 years from now, news will come out that Coinbase's QR code was the source of the biggest data breach in US history.
— Aaron Parnas (@AaronParnas) February 14, 2022
Coinbase just spent $14 million for a color-changing QR code to bounce around on the screen for 30-seconds during the Super Bowl…
And the website crashed.
— Joe Pompliano (@JoePompliano) February 14, 2022
Raise your hand if a QR code flashed around your tv for a minute or so and the idea to scan it not once crossed your mind as you wondered what a waste of money for this company. 🙋♀️
— Juliette Kayyem (@juliettekayyem) February 14, 2022
The ad also spawned some creative memes:
InfoSec twitter sees a QR code pic.twitter.com/aqSyJH8ydT
— Ian Anderson (@ian_infosec) February 14, 2022
Coinbase paying $3 million to put a qr code on a superbowl ad that leads to a 404 error pic.twitter.com/SsTDIdbdCj
— ₿rad Chadsworth (@Chad_Capital) February 14, 2022
"...but with a QR code that leads to your website." pic.twitter.com/xV8dsws9nl
— Ryan Durr (@rDurrty) February 14, 2022
What was your reaction to seeing the Coinbase QR code commercial? Share it with us on Twitter @SecureWorld!