A QR code (initials for quick response code) is a type of matrix barcode (or two-dimensional barcode) invented in 1994 by the Japanese automotive company Denso Wave, and consists of black squares arranged in a grid on a white background, which can be read by an imaging device such as the camera you carry on your smartphone. But beware, because the FBI is warning about a scam involving the use of these to steal money.
FBI Alert: Malicious QR
The Federal Bureau of Investigation has issued a warning about the use of malicious Quick Response (QR) codes by cybercriminals to steal credentials, financial information and even your money if you fall for the scam. A classic scam that uses QR codes as a new way to lure potential victims.
According to the FBI, criminals are changing legitimate QR codes used by businesses for payment purposes to redirect potential victims to malicious websites aimed at stealing their personal and financial information, installing malware on their devices or diverting their payments to accounts under their control.
How does the QR scam work? After victims scan what look like legitimate codes, they are sent to the attackers' phishing sites, where they are asked to enter their login and financial information. Once entered, these are sent to cybercriminals, who can use them to steal money using hijacked bank accounts. It's a classic phishing scam, but using QR.
Caution when scanning a QR code
The FBI notes that “While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code. Law enforcement cannot guarantee the recovery of lost funds after transfer.”
The FBI advises following these tips:
Also with cryptocurrencies
Last November, the FBI issued another security advisory focused on the risks of QR codes, warning that criminals are increasingly asking victims of various scams to use QR codes and cryptocurrency ATMs to hinder efforts to recover their financial losses.
As a recent phishing campaign targeting German online banking users has shown, threat actors use QR codes instead of buttons in spam emails to make their attacks harder to detect by security software and successfully redirect victims to phishing sites.
Victims successfully redirected to the phishing pages were asked to enter their bank location, code, usernames and PINs.