Coinbase Super Bowl ad and security risks of QR codes

With a typical audience of about 100 million U.S. viewers, the Super Bowl is the biggest event of the year for TV commercials. This year, advertisers spent $6.5 million for each 30-second airtime slot. The best ads this year include Coinbase, a large cryptocurrency exchange, that debuted a new and striking commercial during the Super Bowl LVI.

Coinbase's sixty-second commercial was unexpected and unique: a blank screen and QR code ricocheting against the sides of the frame while changing colors. Once scanned, the code redirected first-time users to Coinbase's promotional website and offered a limited-time promotion of $15 worth of free Bitcoin to new customers, as well as the chance to enter a three million dollar giveaway.

The ad was so popular among viewers that Coinbase's website crashed. The company's landing page had more than 20 million hits in one minute, and since the ad, Coinbase's app has shot up from 186th place to second for downloads in the App Store, according to several reports. And, among finance apps, Coinbase is number one.

Deemed a "success" by Coinbase, the ad also sparked a conversation in the cybersecurity community about the implications of using QR codes, especially when aired during a significant event to millions of viewers.

QR codes are a high-risk marketing gimmick, says Daniel Smith, Head of Research for Radware's Cyber Threat Intelligence division. "[It] put pressure on a [viewer] to lower their digital guard," Smith says. "While the initial offering might be legit, it provides opportunities for abuse the following day. Threat actors will target those who fear they missed out."

One of the risks is if someone edits the commercial and adds a malicious QR code to promote on social media platforms. People could repost the code for weeks after the game, says Hank Schless, Senior Manager, Security Solutions at Lookout. "A threat actor could just as easily build a fake login page for any website and distribute the URL via QR codes with hopes of tricking individuals into sharing their login credentials for that website. If this was a success, the victim could end up having their entire account drained. Attackers could also build that page to deliver a trojanized version of a crypto app," he explains.

As the adoption of QR codes will likely continue to increase this year, it will present several opportunities for cybercriminals, further creating risks across users who participate in the boom of cryptocurrencies, says Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows.

QR codes make transactions easier for cryptocurrency users, allowing users to scan a QR code for an account the user wishes to send money to, Morgan explains. "The crypto space, in general, can be considered risky, with the promise of rapid returns often prompting users to invest in crypto coins of little demonstrable value. It's likely that this year will see an increase in these types of social engineering campaigns, with may coincide with the use of fraudulent QR codes to direct users into making payments."

All in all, this ad highlighted the willingness of consumers to engage with QR codes. The codes are no longer mysterious images you scan, but have become a way to drive traffic to websites and apps, says Schless. "As these codes have become more normalized, people scan them without thinking and trust that their destinations are secure. Threat actors prey on that trust."

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.