
Crooks tampering with QR Codes to steal victim money and info, FBI warns

The FBI warns that cybercriminals are using malicious QR codes to steal victims' credentials and financial information.

The Federal Bureau of Investigation (FBI) published a public service announcement (PSA) to warn that cybercriminals are using QR codes to steal victims' credentials and financial information.

QR codes are widely adopted by businesses to facilitate payment. In a classic use case, a business provides customers with a QR code directing them to a site where they can make a payment.

Crooks can replace the QR code with a tampered one and hijack the customer's payment.

Unsuspecting people who scan the tampered QR codes are redirected to malicious websites crafted to steal login and financial information.

“cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use.” reads the FBI’s PSA. “Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes. A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information.”

Malicious websites could also deliver malware to the victims' devices or redirect their payments to accounts under the attackers' control.

“While QR codes are not malicious in nature, it is important to practice caution when entering financial information as well as providing payment through a site navigated to through a QR code,” the FBI states. 

The FBI announcement includes tips to protect people from such attacks. The Bureau recommends checking the URL obtained by scanning a QR code to make sure it is the intended site and looks authentic: threat actors could use a malicious domain name that resembles the intended URL but contains a typo or a misplaced letter.

Double-check any site navigated to from a QR code before providing login, personal, or financial information.

If scanning a physical QR code, ensure the code has not been tampered with, such as with a sticker placed on top of the original code.

Never download an app from a QR code. Avoid making any payment requested through an unsolicited email that uses social engineering techniques to trick recipients into scanning the embedded QR code.

Do not download a QR code scanner app from unofficial stores, to avoid being infected by tainted apps; most phones today have a built-in scanner in the camera app.

If a user receives a QR code from someone they know, they should contact that person through an alternative channel to verify that the code really came from them.

Never make payments through a site navigated to from a QR code; instead, manually enter a known and trusted URL to complete the payment.
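A defender-side check for the URL tip above: the following script, added here and not part of the FBI PSA or the article, compares the URL decoded from a QR code with the host it is supposed to lead to and flags non-HTTPS schemes, typosquat lookalikes (one or two characters off) and unrelated domains that merely embed the brand name. The expected host `payments.example.com` and the sample payloads are constructed.

```python
from urllib.parse import urlsplit


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_qr_url(decoded: str, expected_host: str, max_edits: int = 2) -> list[str]:
    """Return findings for a URL decoded from a QR code; [] means it points at
    the expected host (or a subdomain of it) over HTTPS.  expected_host is an
    assumed allowlist entry, e.g. the merchant's real payment host."""
    findings = []
    parts = urlsplit(decoded.strip())
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    host = (parts.hostname or "").lower()
    expected_host = expected_host.lower()
    if host == expected_host or host.endswith("." + expected_host):
        return findings  # the expected site itself; only the scheme can be wrong
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized host label (possible homoglyph)")
    distance = levenshtein(host, expected_host)
    # brand = registrable-name label, e.g. "example" for payments.example.com
    brand = expected_host.split(".")[-2] if "." in expected_host else expected_host
    if distance <= max_edits:
        findings.append(f"lookalike of {expected_host} (edit distance {distance})")
    elif brand in host:
        findings.append(f"'{brand}' embedded in unrelated host {host}")
    else:
        findings.append(f"unexpected host {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    for url in ("https://payments.example.com/invoice/42",
                "http://payments.example.com/invoice/42",
                "https://payrnents.example.com/invoice/42",
                "https://example.com.evil.test/pay"):
        print(url, "->", check_qr_url(url, "payments.example.com") or "OK")
```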

In November, the FBI Internet Crime Complaint Center (IC3) published an alert to warn the public of fraudulent schemes leveraging cryptocurrency ATMs and Quick Response (QR) codes to complete payment transactions. This payment option makes it all but impossible to recover money stolen through such schemes.

QR codes can be used at cryptocurrency ATMs to transfer money to an intended recipient, and crooks have started using them to receive payments from victims.

Fraudulent schemes include online impersonation, in which a scammer poses as a familiar entity (e.g., the government, law enforcement, a legal office, or a utility company), romance scams, and lottery schemes, in which the scammer attempts to convince victims that they have won an award.

In all these fraudulent schemes, scammers provide a QR code associated with the scammer's cryptocurrency wallet that the victim has to use during the transaction. The victims are instructed to complete the transaction at a physical cryptocurrency ATM, inserting cash to purchase cryptocurrency and then transferring it using the provided QR code.

In these schemes, the scammers are in constant online communication with the victims and provide step-by-step instructions to make the payment.


Pierluigi Paganini

(SecurityAffairs – hacking, QR codes)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
