When you think about a scam, what comes to mind? Perhaps you think about receiving a poorly drafted email saying “You Just Won $500! Click HERE NOW!”. Maybe you think about a sketchy salesperson approaching you about a timeshare in Hawaii that seems way too good to be true.

When we think about scams like these, it can be easy to say to ourselves: “I could never fall for something like that!”. Now, perhaps you would not fall for such an over-the-top or blatant scam as the ones mentioned above. However, it would be foolish for us to let our guards down and underestimate the craftiness of modern scammers. The truth is malicious attackers have become very creative in the tactics they use to dupe their victims. The traps they have set may be where you least expect them to be!

To Scan or Not to Scan?

The use of QR codes has become increasingly popular nowadays. You can find them just about anywhere from viewing restaurants menus to performing monetary transactions at places of business. These especially became more common during the height of the pandemic. Scanning a QR code with a smartphone is convenient and easy, but malicious attackers have begun exploiting features like these.

In several Texas cities, scammers would slap fake QR codes on parking meters. Scanning this code would take the victim to a phony website asking for a credit card. Police say it is unknown just how many people could have been duped and had their card information compromised, as these fake QR codes were found all over the city’s meters. Aside from public spaces, scammers have also begun including the use of QR codes in phishing emails.

Of course, being directed to a fake website is not the only danger when it comes to scanning malicious QR codes. They can also connect a victim’s device to a malicious network and share the user’s location. Malware embedded in the QR code can automatically initiate phone calls, draft emails, and send text messages. Automatic fraudulent payments may also be initiated.

Are You a Human?

CAPTCHA, otherwise known as “Completely Automated Public Turing test to tell Computers and Humans Apart”. A mouthful for sure, but it is likely you have run into these tests many times while browsing the web. Perhaps it stated you need to pick out all the images of fire hydrants or type out the terribly scribbled characters shown in an image. Despite their rather odd method of human verification, CAPTCHA tests have become very commonplace in the digital age today. Even though they may be frustrating at times, at least they are always a sign of credibility, right? Well, not quite.

Scammers know that CAPTCHA tests can provide a sense of legitimacy. And the truth is, anyone can create one of these pages. This makes them a very deceptive tool in the hands of a scammer. For example, in 2020 a phishing attack made on Netflix users included the use of one of these pages. Users were sent an email titled “Notice of Verification Failure”, detailing an “issue” with the customer’s billing information. To add to the email’s credibility, a link was provided that took customers to a CAPTCHA page with Netflix branding. Once a victim correctly completed the test, they were led to a Netflix lookalike log-in page which would steal credentials.

As we can see, the sole purpose of the CAPTCHA page was to provide a false sense of legitimacy. The CAPTCHA page itself was not the scam, and it may seem like a very small or unimportant thing to include. However, it reinforced the email’s credibility and led to many customers having their login credentials stolen!

How to Protect Yourself

Now that we have discussed some methods that malicious attackers use, how do we ready ourselves for when we come across scams like these? Let us consider some tips for each.

Fake QR Codes

• • Always be wary of what you scan. Especially if the code is found in a public space like a parking meter. Just because it may look legitimate, does not mean it is.
  • Most modern smartphones allow the user to Preview a QR code’s URL. If the URL looks off or suspicious, you should not trust it! There are also secure scanner apps that have been designed to spot malicious links before they are pulled up on your phone. Mobile security software can also do a great job of detecting bad links and sites.
  • Never trust a QR Code in an email! Even if it seems to be from a legitimate source.
  • To avoid being led to a phony website, try searching for the company’s official website on your own rather than scanning a QR code.

  Fake CAPTCHA Tests:

  • Do not let the presence of a CAPTCHA test lure you into a false sense of legitimacy. Just because a site you are directed to may have them, does not mean they are trustworthy.
  • Always be suspicious of any email or text message asking you to verify personal information or even credit card details. When a link is included along with the request, this is also something to be wary of. If something does not seem right, contact the company through their official channels.
  • Check for spelling errors in URL links and email addresses. Phishing scams may have typos or grammatical errors. Keeping an eye out for these can help us spot a malicious email or text.
  • If an email asks you to log in to an account or online service, log in to your account through a known and trusted link or bookmark, rather than clicking any link in the email. This can help you to spot a fake look-alike webpage, and make sure you are logging in to the correct one.

  Safely Moving Forward

  Being aware of potential dangers in the world around us is important. Especially when malicious attackers seek to compromise us digitally now more than ever. We must take steps to protect ourselves from the likes of scammers.

  Often, this simply involves us using our better judgement when navigating the online world. Now when we are presented with a QR code or CAPTCHA test, we will not immediately assume that these are harmless!

  You may be familiar with the phrase “Knowledge is Power”. In this case, Knowledge is also Protection for us. Becoming knowledgeable about the ways scammers may try to take advantage of us, will help us to combat any efforts they make to do so.

  Sources:
  https://www.austintexas.gov/news/fraudulent-qr-codes-found-austin-parking-pay-stations
  https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
  https://cisomag.eccouncil.org/think-before-you-scan-malicious-qr-codes-in-the-wild/#:~:text=The%20malicious%20QR%20codes%20can,can%20reveal%20the%20user%27s%20location.
  https://www.forbes.com/sites/kateoflahertyuk/2020/07/29/new-netflix-threat-this-legit-looking-scam-could-steal-your-credit-card-details/?sh=6665c4e369d2
  https://qrd.by/help/article/how-can-i-see-the-url-behind-the-qr-code

  Images:
  https://unsplash.com/photos/SpVHcbuKi6E
  https://cdn.pixabay.com/photo/2016/01/29/09/56/hands-1167612_960_720.jpg
  https://aws1.discourse

*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by Social-Engineer. Read the original post at: https://www.social-engineer.org/social-engineering/qr-codes-and-captcha-tests-new-scams-in-a-digital-age/