Cybercriminals Using QR Codes to Steal Financial Info, FBI Warns

Cybercriminals are tampering with quick response (QR) codes to redirect victims to malicious sites that steal login and financial information, the FBI warned in an alert published last week. 

QR codes are square barcodes that smartphone cameras can scan to provide quick access to a website, prompt application downloads or direct payment to an intended recipient.

Businesses have been using QR codes more frequently during the COVID-19 pandemic to provide users with convenient contactless access, but now cybercriminals are taking advantage of this technology and directing QR code scans to malicious sites to steal victim data.

These compromised codes use embedded malware to gain access to the victim’s device and redirect the victim to a malicious site, which then prompts them to enter login and financial information.

After gaining access, these malicious actors would be able to steal the victim’s personal and financial information and then leverage the stolen financial information to withdraw funds from victims’ accounts.

QR Code Attacks Get Personal

“These codes are another example of how attackers are moving away from email and relying more on personal channels such as social media platforms and third-party messaging apps to deliver convincing phishing attacks to end users,” explained Hank Schless, senior manager of security solutions at Lookout, an endpoint-to-cloud security company. “Attackers know that we will oftentimes tap a notification or visit a site on our mobile devices without thinking twice.” 

He pointed out that since QR codes are presented in the context of some legitimate action, such as visiting a site to make sure you’re registered to vote, people may be more willing to trust that the destination site is secure.

“Because of their simplified interface and smaller screens, it’s much harder to spot phishing sites on smartphones and tablets,” he said. “Many of the red flags we’re used to spotting on PCs, such as a spoofed URL or non-traditional page formatting, are easier to hide on mobile devices.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, added that QR codes can be particularly appealing because of their increasing popularity across multiple target sectors like retail and hospitality, and because users lack the ability to distinguish between a legitimate and a suspicious QR code.

“With users typically presented with a simple set of black and white patterns, it is often difficult to know which may be a scam,” he said. “QR has allowed restaurants to minimize interactions between customers and staff, allowed users to check into venues or clarify their vaccination status.”

He said many of these changes have allowed businesses to reduce operating costs and, as a result, QR codes will likely continue to play a big part in our daily lives. 

“Therefore, QR codes are likely to be continually adopted into social engineering campaigns,” Morgan said. 

He advised that when using a digital QR code for payment, users should ensure that the website they have been directed to looks legitimate and is free from spelling mistakes, URL changes or other discrepancies in branding that look out of place.

“Many of these malicious QR codes will also be delivered via email or text messages; if they arrive from an unknown address, are unexpected or make demands that need to be addressed in a timely manner, it should be treated with caution. If something looks wrong, it probably is,” he said. 

Schless said he felt the recommended protections offered by the FBI cover most things users can do to protect themselves from malicious QR codes; the key is to think about them like any other potential phishing link.

“Slow down and take a minute to observe the URL you’re visiting,” he said. “If the URL itself seems to align with the context it’s presented in, then the next step is to carefully observe the page you visit. You should also protect yourself from these threats with a mobile security solution that can detect and protect against malicious URLs within these QR codes.”

Crypto Is a Prime Target

Morgan noted the adoption of QR codes would likely continue to increase in 2022, including among users participating in the boom of interest in cryptocurrencies—QR codes make transactions easier for cryptocurrency users.

“The crypto space in general can be considered risky, with the promise of rapid returns often prompting users to invest in crypto coins of little demonstrable value,” he said. “This was demonstrated in the past week, when a fake Amazon cryptocurrency coin was used as a lure for an investment scam.”

He added that it’s likely that 2022 will see an increase in these types of social engineering campaigns, which may coincide with the use of fraudulent QR codes to direct users into making payments.

The FBI encouraged those who had (or suspect they had) funds stolen because of a tampered QR code to report the fraud to the local FBI field office, as well as report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
