Hidden Scams in Malicious Scans: How to Use QR Codes Safely
As the world eagerly hopes for the Covid-19 pandemic to end, health experts point out that the virus will not go away for good. The practical approach, therefore, is for people to learn to live with it and do what they can to manage it. It is thus reasonable to expect that the digital lifestyle changes precipitated by the pandemic will persist indefinitely. One of the things that is likely to remain for the foreseeable future is the need for cashless and no-contact transactions. And many businesses have responded to this need through the use of quick response (QR) codes.
A QR code is a two-dimensional barcode that can store 7,089 digits or 4,296 characters. It can be scanned using a QR code scanner or reader, which is built into most mobile devices’ default cameras, to decipher the data that’s encoded into it. This is basically a string of text, and it’s typically a URL or link to a website or a merchant’s official account on a payment system. Scanning a QR code saves a user the trouble of typing out a long address in a web browser or manually entering a merchant’s username or number in a payment app, among other advantages.
Clearly, the convenience QR codes offer and the ubiquity of mobile devices have contributed greatly to the widespread use of these two-dimensional barcodes. However, their popularity has also created fertile ground for malicious actors to spruce up their QR code malware toolkit to steal not only personal information but also hard-earned assets that are impossible to recover once lost. In fact, threats involving QR codes have become so rife and sly that the FBI has recently issued a warning about them.
Malicious actors seek out ordinary, unsuspecting people who don’t know much, if at all, about QR code safety. So, how does one avert QR code scams? In this article, we discuss the various ways fraudsters use QR codes to deceive users and recommend tips on how users can protect themselves from QR code scams.
Common QR code scams and how they work
It’s important to note that malicious actors have invested a great deal of time and resources to making their QR code-enabled scams seem legitimate and useful, as illustrated by the following examples.
Scams in the physical realm
While cybercrime is often thought of as occurring entirely in the digital space, QR code-related threats are different in that they might partially take place in the physical realm.
Overlaid QR codes
A prime example of a QR code scam that relies on the physical realm is one that has malicious actors printing out QR code stickers and physically placing them over genuine ones. People generally assume that the signs or posters with QR codes in shops and public spaces are safe, and thus might be unaware that malicious actors could replace legitimate QR codes with fake ones as part of their fraudulent schemes.
This was the case in a scheme involving payments for bike sharing in China. Malicious actors reportedly replaced the QR codes that users needed to scan to pay for the use of the bikes before they could be unlocked. As a result, the payments of unsuspecting users were transferred to the malicious actors’ accounts, without the users’ having been able to unlock the bikes for their use.
Just recently, law enforcement in several US cities issued warnings about a similar scheme, where malicious actors had stuck their fraudulent QR codes onto legitimate ones on parking meters to trick users into entering their payment credentials in their phishing websites.
QR codes used in real-world social engineering
Another example of a QR code scam that takes advantage of the physical realm is a scheme that was carried out in a parking lot in the Netherlands and that led to the theft of thousands of euros. Malicious actors reportedly approached individuals to pay the parking fee not through the designated machine in the parking lot purportedly because it was broken. Wearing professional-looking attire to look more credible, the fraudsters coaxed their victims into scanning the QR code they had instead, thereby diverting the payments to their account.
Scams in the digital space
QR code scams don’t pose threats only in the physical realm, as some QR code-related scams practically take place entirely in the digital space.
QR codes in phishing emails
Scammers have been known to incorporate QR codes into their phishing attacks, a practice known as “quishing.” They do this mainly so that they could bypass traditional security solutions that can flag malicious URLs when they appear in emails but not when they’re linked to (or hidden behind) QR codes.
A quishing scheme to obtain Microsoft 365 credentials was also reported late last year. This campaign begins with an email coming from a previously compromised email account and containing a voicemail message that the recipient can supposedly listen to by scanning the QR code in the email. The QR code, however, leads to a bogus login page designed to steal Microsoft 365 credentials.
QR codes for subscribing to premium services
Malicious actors can use QR codes to subscribe unsuspecting users to premium services and steal the funds charged to these users monthly. This scheme was used in the Android trojan campaign known as GriftHorse, which had victimized more than 10 million users around the world by September 2021.
Cryptocurrency-related QR codes
Scammers may use QR codes to dupe users into downloading counterfeit cryptocurrency wallets by promising that, in doing so, they would get rewards, which are actually fake tokens. Another kind of bait involves using QR codes to download fake cryptocurrency wallets that promise reductions in miner fees.
Another related scam is the use of QR codes to obtain unauthorized approval of tokens, which are used to faciliate the transfer of assets from one cryptocurrency wallet to another. Incident reports have cited this scheme as the primary reason for loss of significant funds.
Also cryptocurrency-related are QR code scams involving MetaMask, a cryptocurrency wallet for interacting with the Ethereum blockchain. Malicious actors can hack into MetaMask extension accounts through QR codes to transfer funds without the account owner's private keys.
QR code and barcode scanner apps
In mid-2021, QR code and barcode scanner apps that linked to the Anatsa malware appeared on Google Play. (They have since been taken down from the store.) Infection with such an app starts with forcing the user to update the app upon installation, apparently so that the user can continue to use it.
After the successful download of the supposed update, the app prompts the user to allow the installation of apps from unknown sources. Since the user was previously made to believe that the update was necessary for the app to work properly, the user grants the permission. Once the update is done, the malware runs on the device and immediately asks the user to grant accessibility service privileges.
Malicious actors gain full control over the device and can perform actions on the user’s behalf after the user enables accessibility service privileges. At this point, the malware-infested app runs and operates as a legitimate app. The stage has thus been set for malicious actors to steal login credentials and gain access to all the information that is shown on the unsuspecting user’s device.
QR code creator apps
Trojanized apps can masquerade as QR code creator apps. In a scheme perpetrated by the malicious actor group Brunhilda, such an app asks the user to register. Once registration is done and it obtains detailed device information, the app downloads and installs a trojan payload, which could carry out theft of sensitive personal information such as login credentials or bank account details.
Tips to ensure QR code safety
While the schemes discussed in this article might seem worrisome, users can keep QR code scams at bay by following these best practices:
- Make sure that the linked website of a government agency or other official service provider is legitimate before you provide your personal information. Check for any misspellings on the URL itself.
- Think twice before you scan a QR code found in emails that are sent to you even if they seem to come from organizations or people you know. Enable multifactor authentication with your banking, enterprise, and other accounts to prevent theft of login credentials.
- When transacting in a merchant or service provider’s premises, check the QR code to make sure it’s not pasted over an original, legitimate one.
- Use QR codes to pay only when you’re transacting directly with trusted merchants, service providers, or persons you know.
- Be careful about granting permissions when an app asks for them, as some of the requested permissions could be dangerous.
- Use the default camera app on your device to scan QR codes. (Most operating systems’ default camera apps have built-in QR code readers.) For another layer of protection, you may use the Trend Micro QR Code Scanner for Android or Trend Micro™ Mobile Security for iOS and Android to test-scan QR codes and detect if they have links to potentially dangerous websites.
- Install a mobile security app for virus and malware protection to keep your smartphones safe and secure.
Trend Micro™ Mobile Security
Get powerful protection from loss, data theft, viruses, and other online threats for iOS and Android devices. Trend Micro Mobile Security lets you live your mobile life safely by flagging online scams and frauds. Rely on the cloud-based Trend Micro™ Smart Protection Network™ and Trend Micro Mobile App Reputation Service to stop threats before they can reach you.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases