You see QR codes just about everywhere these days. The square barcodes show up everywhere: real estate listings, TV ads and social media posts touting what look like great deals on must-have items. The convenience QR codes offer and the ubiquity of mobile devices have contributed greatly to the widespread use of these two-dimensional barcodes.
However, their popularity has also created fertile ground for malicious actors to spruce up their QR code malware toolkit to steal not only personal information but also hard-earned assets that are impossible to recover once lost. In fact, threats involving QR codes have become so rife and sly that the FBI has recently issued a warning about them.
Table of Contents
Common QR code scams and how they work
It’s important to note that malicious actors have invested a great deal of time and resources to making their QR code-enabled scams seem legitimate and useful, as illustrated by the following examples.
Scams in the physical realm
While cybercrime is often thought of as occurring entirely in the digital space, QR code-related threats are different in that they might partially take place in the physical realm.
Overlaid QR codes
A prime example of a QR code scam that relies on the physical realm is one that has malicious actors printing out QR code stickers and physically placing them over genuine ones. People generally assume that the signs or posters with QR codes in shops and public spaces are safe, and thus might be unaware that malicious actors could replace legitimate QR codes with fake ones as part of their fraudulent schemes.
This was the case in a scheme involving payments for bike-sharing in China. Malicious actors reportedly replaced the QR codes that users needed to scan to pay for the use of the bikes before they could be unlocked. As a result, the payments of unsuspecting users were transferred to the malicious actors’ accounts, without the users’ having been able to unlock the bikes for their use.
Just recently, law enforcement in several US cities issued warnings about a similar scheme, where malicious actors had stuck their fraudulent QR codes onto legitimate ones on parking meters to trick users into entering their payment credentials in their phishing websites.
Another example of a QR code scam that takes advantage of the physical realm is a scheme that was carried out in a parking lot in the Netherlands and that led to the theft of thousands of euros. Malicious actors reportedly approached individuals to pay the parking fee not through the designated machine in the parking lot purportedly because it was broken. Wearing professional-looking attire to look more credible, the fraudsters coaxed their victims into scanning the QR code they had instead, thereby diverting the payments to their account.
Scams in the digital space
QR code scams don’t pose threats only in the physical realm, as some QR code-related scams practically take place entirely in the digital space.
QR codes in phishing emails
Scammers have been known to incorporate QR codes into their phishing attacks, a practice known as “quishing.” They do this mainly so that they could bypass traditional security solutions that can flag malicious URLs when they appear in emails but not when they’re linked to (or hidden behind) QR codes.
In December 2021, a phishing campaign that used QR codes to steal the banking credentials of users in Germany were reported. In the campaign, malicious actors send an email impersonating a bank and asking the recipient to review and agree to changes in the bank’s privacy policy by scanning the QR code in the email. But the QR code links to a phishing site where the victim can unwittingly enter their banking credentials for the malicious actors to collect.
A quishing scheme to obtain Microsoft 365 credentials was also reported late last year. This campaign begins with an email coming from a previously compromised email account and containing a voicemail message that the recipient can supposedly listen to by scanning the QR code in the email. The QR code, however, leads to a bogus login page designed to steal Microsoft 365 credentials.
Malicious actors can use QR codes to subscribe unsuspecting users to premium services and steal the funds charged to these users monthly. This scheme was used in the Android trojan campaign known as GriftHorse, which had victimized more than 10 million users around the world by September 2021.
Scammers may use QR codes to dupe users into downloading counterfeit cryptocurrency wallets by promising that, in doing so, they would get rewards, which are actually fake tokens. Another kind of bait involves using QR codes to download fake cryptocurrency wallets that promise reductions in miner fees.
Another related scam is the use of QR codes to obtain unauthorized approval of tokens, which are used to faciliate the transfer of assets from one cryptocurrency wallet to another. Incident reports have cited this scheme as the primary reason for loss of significant funds.
Also cryptocurrency-related are QR code scams involving MetaMask, a cryptocurrency wallet for interacting with the Ethereum blockchain. Malicious actors can hack into MetaMask extension accounts through QR codes to transfer funds without the account owner’s private keys.
QR code and barcode scanner apps
In mid-2021, QR code and barcode scanner apps that linked to the Anatsa malware appeared on Google Play. (They have since been taken down from the store.) Infection with such an app starts with forcing the user to update the app upon installation, apparently so that the user can continue to use it.
After the successful download of the supposed update, the app prompts the user to allow the installation of apps from unknown sources. Since the user was previously made to believe that the update was necessary for the app to work properly, the user grants the permission. Once the update is done, the malware runs on the device and immediately asks the user to grant accessibility service privileges.
Malicious actors gain full control over the device and can perform actions on the user’s behalf after the user enables accessibility service privileges. At this point, the malware-infested app runs and operates as a legitimate app. The stage has thus been set for malicious actors to steal login credentials and gain access to all the information that is shown on the unsuspecting user’s device.
QR code creator apps
Trojanized apps can masquerade as QR code creator apps. In a scheme perpetrated by the malicious actor group Brunhilda, such an app asks the user to register. Once registration is done and it obtains detailed device information, the app downloads and installs a trojan payload, which could carry out theft of sensitive personal information such as login credentials or bank account details.
How to stay safe when using QR code
- First, you need a good QR Code Generator that’s clear and don’t store your information
- It’s important to recognize a QR code, but it’s also a good idea to avoid scanning any unknown QR codes and instead treat them like a shady links that you’d rather not click to prevent being scammed.
- If you notice any strange activity, contact your bank immediately and change your password.
- QR codes frequently include truncated URLs, making it harder to track down the original site. In this instance, you can use an authentic QR scanner (read the App Store reviews and ratings before installing it) to display the URL before allowing redirection to the link.
- If you’re using or considering using a QR code scanner, make sure you have an app with built-in filters.
- You can install and update security software that blocks harmful websites across all of your devices.
- If you or a close family has been a victim of such a scam, you should contact the police and file a report with the cyber cell or file an online complaint with the cybercrime.gov.in portal. Although there is a slim probability of receiving compensation, it would at least deter thieves from using similar strategies in the future.
