FBI issues warning on malicious QR codes and tips on how to avoid them

If you have a smartphone, you may be tempted on a regular basis to use it to access QR codes. The FBI has started offering some stern advice about that.

Surge in malicious QR codes sparks FBI alert

QR codes have become a go-to staple for contactless transactions of all sorts during the pandemic, and the FBI is warning cybercriminals are capitalizing on their lax security to steal data and money, and drop malware.

Menus, event ticket sales, quick site access – QR codes have become a common way to interact as a result of the Covid-19 pandemic. But the smart little matrix bar codes are easily tampered with and can be used to direct victims to malicious sites, the FBI warned in an alert.

QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants, and have gained in popularity over the pandemic as contactless interactions have become the norm. Simply navigating a smartphone camera over the image allows the device’s QR translator – built into most mobile phones – to “read” the code and open a corresponding website.

A victim scans what they think to be a legitimate code, but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the FBI alert explained. “Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

The FBI said it has also observed threat actors using malicious QR codes to download malware giving them access to a victim’s device, where they then accessed financial data to steal money. Cybercriminals are also swapping out genuine QR codes for their own, intercepting payments, collecting cash and data, the FBI added.

QR code abuse increases

Last April, Ivanti conducted a survey which found 57 percent of consumers in an international sample increased QR code usage following the March 2020 pandemic onset. Worryingly, 87 percent of respondents told Ivanti they felt secure carrying out financial transactions following QR codes. The evidence suggests that user security confidence in QR codes is misplaced.

Last summer the Better Business Bureau issued an alert that scammers were increasingly abusing QR codes in innovative ways; one elaborate scheme started with a malicious QR code and ended with sending victims to gas stations to use Bitcoin ATMs.

Purandar Das, co-founder and CEO at Sotero, said a rise in QR abuse was almost inevitable. “Every technological advance that is a legitimate opportunity to simplify user interaction is coopted by the criminals,” Das explained. “QR codes have become increasingly popular as a way to direct consumers to business website and applications. They have been become ubiquitous in the restaurant industry due to the pandemic and the desire to not have to pass around paper menus. There are just so many opportunities to trick consumers into providing information. The cat-and-mouse game continues.”

FBI QR code tips

The FBI offers several tips to avoid the next QR code scam:

Double-check the URL of any site pulled up with a QR code to make sure it’s legitimate: “A malicious domain name may be similar to the intended URL but with typos or a misplaced letter,” the FBI added.

Before engaging with a QR code, check to make sure the code itself hasn’t been tampered with. The FBI suggests looking for evidence a sticker has been slapped over the original code.

The alert also cautions users against downloading an app from a QR code rather than the application store, which has more security protections.

Do not download a QR code scanner app: The FBI said, “this increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.”

Don’t make payments to a site accessed by a QR code, if possible.

And, if you receive a QR code that you believe to be from someone you know, reach out to the person through a known number or address to verify that the code is truly from them.

 

yogaesoteric
May 30, 2022

 

 

Also available in: Français

Leave A Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More