Advertising for cryptocurrency services got a lot of attention during Sunday’s Super Bowl, but an ad for Coinbase Inc. managed to crash their website and raise security concerns.
Companies advertising cryptocurrency-related services during the Super Bowl included FTX trading Ltd., EToro and Coinbase, with all three seeing surges in app popularity following their ads, according to The Block. But Coinbase’s bouncing QR code gained most of the attention.
The ad showed nothing more than a bouncing QR code for most of its 60 seconds with background music, reminiscent of a bouncing DVD logo seen years ago with DVD players. The ad itself is reported to have cost the company $14 million.
When viewers scanned then followed the QR code link, they were shown a page that offered them $15 in free bitcoin for signing up along with a $3 million giveaway that customers could enter. The ad and related promotion were highly successful with Coinbase’s app surging to the top of Apple Inc.’s App Store. That traffic, however, also caused Coinbase’s website to crash briefly.
The ad’s success aside, the use of a QR code in an ad has raised security concerns, particularly given that the ad didn’t disclose what the product being advertised was until the very end. The problem is that seemingly millions of Americans have scanned a QR code without knowing what the code leads to and could do so again.
A quick reminder: Please do *not* scan QR codes that you randomly happen to see. It’s an easy way to get your phone hacked and/or for attackers to get data (such as financial information or logins) from you.
— wells (oakland enby) (@WellsLucasSanto) February 14, 2022
Concerns about scanning random QR codes are not new. The U.S. Federal Bureau of Investigation issued a warning in January that cybercriminals are tampering with QR codes to point victims to malicious sites that steal login and financial information.
“The real risk in this situation is if someone edits the commercial and adds a malicious QR code to it, especially on social media platforms,” Hank Schless, senior manager, Security Solutions at endpoint-to-cloud security company Lookout Inc., told SiliconANGLE.
“People will repost Super Bowl ads for weeks after the game itself, so an attacker could easily change the QR code,” Schless explained. “The ad could be reposted across social media apps and crypto forums to get people to visit a malicious webpage.”
Schless noted that the ad highlights the willingness of consumers to engage with QR codes. “The codes are no longer mysterious images you scan, but have become a legitimate way to drive traffic to websites and apps,” he said. “As these codes have become more normalized, people scan them without thinking as much and trust that their destinations are secure.”