Threat actors constantly evolve their tactics and techniques in search of new ways to make money. But how far will they go? There are no limits, as they readily pick up on popular trends. This time, they are taking advantage of the sudden surge in QR code adoption by crafting malicious ones.

What’s going on?

The FBI warned that cybercriminals are using malicious QR codes to steal targets’ financial information and other credentials. They are tampering with QR codes to redirect users to malicious websites that steal their information, divert their payments to attacker-controlled accounts, and install malware on their devices.

QR code-related attacks

This warning is one in a long string of advisories released by agencies and cybersecurity researchers regarding the threat posed by QR codes.
  • San Antonio police warned the public about fake QR codes on parking meters that trick unsuspecting users into paying the scammers. The fraud was conducted in Austin, Texas, where parking meters accept only cash, coins, or payment via an app, not QR codes. More than 100 meters were found with bogus QR code stickers.
  • In December 2021, threat actors resorted to abusing QR codes to evade detection and lure potential victims into opening phishing messages. One such campaign targeted users of two German banks—Volksbanken Raiffeisenbanken and Sparkasse—to exfiltrate their digital banking details. 

The bottom line

The FBI is urging the public to double-check any URL generated by a QR code, to be careful when entering their details after scanning one, and to ensure that physical QR codes are not covered by fake ones. The bureau has also recommended against downloading apps via QR codes or installing QR scanners. In a nutshell, while QR codes aren’t inherently malicious, it is crucial to be cautious when entering financial and personal data, as the recovery of lost funds is not guaranteed.

Cyware Publisher
