Cybercrime: The Dangerous World of QR Codes

05/09/2022
G DATA Blog

QR codes are everywhere these days. People use them to open websites, download apps, collect loyalty points, make payments and transfer money. This is very convenient for people, but of course there is a catch: Cybercriminals also try to cash in and have already devised numerous tricks using QR codes.

A QR code created by cybercriminals may lead to a phishing site that looks like the login page of a social network or online bank. Therefore, we recommend always checking links before tapping or clicking them. A QR code does not offer this possibility and attackers often use shortened links, which makes it even more difficult to recognise a fake link when the smartphone asks for confirmation. Similar tricks can mislead users, causing them to download malware instead of the intended other app.

This variety of possibilities makes QR codes ideal for manipulation and distribution via several channels including social media. A very good example was explained in an earlier  blog  article by my colleague Karsten Hahn, about QR codes advertising pirated software to lure people into downloading a malicious Chrome extension instead of the expected software.

And there is much more how QR codes can be used for fraud.

What are QR codes?

QR codes are basically just a slightly more sophisticated version of barcodes. Herein lies the rub: Such codes are not human-readable, so there is no way to verify or otherwise pre-check what data is contained in them and what might happen when you scan them. So we have to rely on the integrity and good intentions of the code creators. The system can be exploited in many ways.

Many of the current smartphones have a built-in QR scanner, and everyone can download an app that reads all QR codes. To scan a QR code, the user simply opens the scanner app and points the phone's camera at the code. In most cases, the smartphone then gives a notification to go to a certain website or to download an app.

For example, you might find such a code on a wall of museum, and scanning it with the museum's official app might initiate a guided tour. Besides linking to a website or an audio file, a QR code can also be printed on a business card and contain a digital contact file with names, phone numbers and email addresses. That way, you can immediately add the contact details from a business card to your phone contacts without typing them in. Other possibilities include sharing your location with an app, send a text message, add an event to your calendar, or setting up a preferred Wi-Fi network with login details for automatic connection. It is even possible to cram entire programs into a QR code, although admittedly this is more of a niche application that has yet to see widespread use.

How do the attackers work?

Attackers who want to do harm with a QR code first need to persuade you to scan it. Two tactics dominate here:

  • The replacement trick: It is not unusual for attackers to take advantage of the work and reputation of legitimate parties by replacing a genuine QR code on, for example, a poster with their own.
  • The malicious sources trick: Cyber criminals can place a QR code with a link to their creation on a website, in a banner, in an e-mail or even on a printed advertisement. The aim is often to get victims to download a malicious app. In many cases, logos from Google Play and the App Store appear next to the code for bettercredibility.

The possibilities are almost endless. QR codes are also commonly found on utility bills, pamphlets, office signs, inside Powerpoint presentations and pretty much anywhere you can expect to find information or instructions.

The Parking Meter Fraud

The good old coin-operated parking meter, is also seeing a transition to modern times. In addition to various coinage, you can often also use an app to pay for your parking fee. Which is very convenient, because we all have had a parking meter or vending machine of some sort repeatedly reject our coins for no apparent reason.

You open the app, enter the code of your parking meter and you then can pay via the app. This is convenient enough – but criminals have taken this a step further. Earlier this year, reports emerged about fraudulent stickers appearing on a few parking meters in cities in the USA. They were designed to look like you could just scan the code and pay for your parking fee that way – which is even more convenient. The catch is: the QR code was never issued by the municipality as a way to pay. So in a worst case scenario, you might not only lose the money you assumed you paid for your parking fee, but also might face the consequences of having handed payment data such as your credit card number to the criminals. And as if all this was not enough already, you even might end up having your car towed.

QR codes are commonplace enough for many things, so on the face of it, having them do things like payment makes sense. But often enough, QR codes are NOT chosen for this purpose by public administration for this exact reason: They are too easily faked. So informing yourself of such modalities ahead of time is a good idea.
From the criminals’ perspective this is a relatively low-risk scheme. Having high quality, professional looking stickers printed is cheap and easy enough and therefore the material invest is minimal. There is strength in numbers. Criminals pretty much break even after the first payment comes in through a fake QR code, and each subsequent payment is a net win, especially if you can snarfle credit card data on top of the payments you collect. Scale this up to an operation involving a few dozen parking meters in a reasonably affluent area and you get the idea.

The "Stranger in Need” fraud

In the Netherlands, there were cases reported of people convincing strangers in the street to scan QR codes in order to transfer a small amount of money. This might be a parking fee, a ticket for public transport or anything else that involves helping a stranger out of a minor pinch. Going back to our earlier example, someone might claim to have tried to pay their parking fee using coins but the parking meter rejected them. And for some reason they cannot make the payment using the official app. They then ask a stranger to help them out using - you guessed it – a QR code they show to their victim and ask them to scan it. The code supposedly sends the “person in need” a small amount of money for an online payment of said parking ticket (alternatively they might claim that they pay the parking fee directly via the code), and our “good Samaritan” receives the owed amount of, say 2 Euros, right then and there, in cash. They might seem in a hurry to get somewhere important and say things like "Please, the machine is broken and will not accept any coins and I really need to be somewhere - could you scan this code and make the payment for me? That would help me so much - here you go, I give you the money back right here and right now!" But in reality, as soon as the payment data is entered, it lands in the hands of the criminals.

What can you do?

  • Be careful with the the link that appears after scanning the code. Be cautious if the link is shortened because with QR codes there is really no reason to shorten a link. Instead, use a search engine or go yourself to the official shop or online address.
  • Do a quick ‘physical’ check before scanning a QR code on a poster or board to make sure the code is not fixed on top of the original image.
  • Always remind yourself that whatever caption is printed underneath or next to the QR code is not connected in any way to the code itself.
  • Use a program such as G DATA’s QR Scanner which checks QR codes for malicious content and fake websites.
  • QR codes as well as barcodes can also contain valuable information, such as e-ticket numbers. Therefore you should never post images of any personalized documents containing such codes on social media. This includes concert tickets, boarding passes and other documents. If you really want to share the image, make sure to cover up the code at least partially – either with some item you have on hand or using your fingers.
  • Being aware is the first step to arming yourself against cybercriminals. If someone approaches you on the street and asks you to scan a QR code, then you now know that this is potentially dangerous. Criminals are very good at taking advantage of your helpfulness and will often act as if they are in a hurry, giving you no time to think. Don't feel guilty about just walking away if you don't trust it.
  • If you have doubts about the authenticity of a QR code on something like a leaflet, it is generally wiser not to scan the code. It may be slower, but you can always manually go to the website mentioned to get more information. This is ideal when you don't trust it.

When to involve authorities

If your money is involved or your bank, call your bank immediately to have your account temporarily frozen. Furthermore, it is always wise to report it to the police. It will not always be easy to find out who the perpetrators are, as these criminals often do everything they can to remain anonymous. However, it is important to report the crime to the police, because this way they can get a better idea of the scale of the problem.

If you are approached in this way on a site or app, always report the account in question. This way, the website can block the account and prevent others from becoming victims too.

QR codes were once developed for our convenience sometimes but you should always think twice if you are using them!

Image credit:

Parking meter photo by Braeson Holland / Pexels
"Help" photo by MART PRODUCTION/ Pexels

Eddy Willems
Security Evangelist