Mon | Feb 14, 2022 | 4:19 PM PST

It's the Monday after Super Bowl Sunday, which means everyone is sharing their favorite commercials from the big game. Every ad felt like a short film, packed with celebrities and crazy CGI—except for one that stood out in a unique way.

For 60 seconds, a colorful QR code bounced around a black screen like the old DVD player logo would. Once scanned, the QR code redirected users to Coinbase's official website.

Coinbase is one of the largest cryptocurrency exchange platforms in the world. Following the commercial, the company announced it would be giving $15 to anyone who signed up in the next two days.

However, the ad was apparently so popular that the traffic from people scanning the QR code crashed the Coinbase website. Though the site is back up and running, the incident has sparked discussions on QR codes within the cybersecurity community.

Concerns over QR code use

QR codes have become incredibly popular over the last few years, with organizations adopting their use in a variety of ways. Most restaurants you sit down at now have QR codes on the table for digital access to the menu.

But as their popularity grew, so did the security concerns. Hank Schless, a senior manager of security solutions at Lookout, shared his thoughts on the QR ad during the Super Bowl:

"The real risk in this situation is if someone edits the commercial and adds a malicious QR code to it, especially on social media platforms.

People will repost Super Bowl ads for weeks after the game itself, so an attacker could easily change the QR code. The ad could be reposted across social media apps and crypto forums to get people to visit a malicious webpage. That page could be a fake Coinbase login site. If this was a success, the victim could end up having their entire account drained. Attackers could also build that page to deliver a trojanized version of a crypto app.

What this ad really highlighted is the willingness of consumers to engage with QR codes. The codes are no longer mysterious images you scan, but have become a legitimate way to drive traffic to websites and apps. As these codes have become more normalized, people scan them without thinking as much and trust that their destinations are secure. 

In reality, a threat actor could just as easily build a fake login page for any website and distribute the URL via QR codes with hopes of tricking individuals into sharing their login credentials for that website. This all exemplifies the implicit trust we have in our mobile devices, and threat actors prey on that trust. In order to keep safe, it's necessary to have a mobile security app installed on your device that can mitigate the risk of phishing attacks."

The ad aired just one month after a public service announcement from the FBI, which aimed to raise awareness of malicious QR codes and how cybercriminals have been tampering with them to steal personal information from users.
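The risk described above, a reposted ad whose code leads somewhere other than the real site, comes down to checking the decoded destination before trusting it. The following is an added example, not code from Coinbase, Lookout or the FBI: it assumes the QR payload has already been decoded to a string, that `coinbase.com` is the domain the viewer expects, and every sample URL is constructed.

```python
from urllib.parse import urlsplit

# Assumption: the domain the viewer expects the ad's code to lead to.
EXPECTED_DOMAIN = "coinbase.com"

def check_qr_destination(payload, expected=EXPECTED_DOMAIN):
    """Return reasons to distrust a URL decoded from a QR code.
    An empty list means an https link on the expected domain."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("scheme is %r, not https" % parts.scheme)
    if parts.username is not None:
        # "https://coinbase.com@other.example/" shows the brand, goes elsewhere.
        findings.append("userinfo before '@' hides the real host")
    if not host:
        findings.append("no host in URL")
        return findings
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, possible lookalike characters")
    # Match on a label boundary so "notcoinbase.com" and
    # "coinbase.com.signup-bonus.example" both fail.
    if host != expected and not host.endswith("." + expected):
        findings.append("host %r is not %s or a subdomain of it" % (host, expected))
    return findings

# Constructed sample payloads (reserved .example names, not real sites).
SAMPLES = [
    "https://www.coinbase.com/signup",
    "http://coinbase.com/",
    "https://coinbase.com.signup-bonus.example/login",
    "https://coinbase.com@login.example/",
    "https://notcoinbase.com/",
    "https://xn--constructed-label.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        reasons = check_qr_destination(url)
        print(url, "->", "ok" if not reasons else "; ".join(reasons))
```

A clean result only says the link points at the expected domain over HTTPS; it says nothing about whether the page behind it is safe.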

The QR code also sparked tons of comments on Twitter. Some were legitimately concerned about the security of the whole thing, while others just wanted to make some jokes.

The ad also spawned some creative memes.

What was your reaction to seeing the Coinbase QR code commercial? Share it with us on Twitter @SecureWorld!
