The popularity of the QR Code has inspired scammers, who use the notorious graphical code to lure their victims to malicious sites. Caution is needed to avoid falling into this new, very fashionable trap.
Long reserved for a few insiders, the QR Code has significantly gained in popularity in recent years, especially since the appearance of Covid-19, where it was used for the famous health pass, but also on restaurant tables, to avoid that customers touch menu cards, for example. More broadly, this digital graphic code is widely used now to obtain a Wi-Fi code, to directly download an application or to send to a website. Democratization is all the faster because this system is very easy to use, since everything is done automatically, transparently, without complex manipulation.
Unfortunately, like every time a new technology gains popularity, hackers take it over. Indeed, since the victims do not yet know very well how this system works, it is easier to deceive them. It is for these reasons that cybersecurity experts warn of the proliferation of fraudulent QR Codes, capable of stealing user data or installing malicious software on their devices, as they tell in The Parisian.
QR Code: a new, little-known phishing technique
The principle of the QR Code is simple. Thanks to the camera or a scanning application on a smartphone, it sends the user to a web page or an application. However, it is enough simply to stick a sticker – on a menu, a poster or a flyer, for example – for thousands of people to be fooled without realizing it. By scanning it, victims are either led to download an application containing malware, or redirected to a page resembling the original and which will, one way or another, invite them to enter their personal data and/or or banking.
Phishing campaigns are becoming more and more ingenious, and it is rather difficult to detect a fake QR Code, although certain details may give rise to the flea, such as an overlay sticker or an Internet address that does not match. In addition, it is very easy, thanks to websites, to quickly generate a QR Code for a URL address. “It took years to educate people not to click on a dodgy link sent by email, we have to start all over again with these QR Codes which are phishing campaigns in a new physical form“, deplores a cybersecurity researcher at Parisian.
QR Code: a scam targeting tourists
Fake QR Codes are daunting because, as the specialist explains, “the cyberattack passes through the camera and thus bypasses antivirus and security filters.“This type of fraud has already been detected in Asia, Germany and the United States, which has led the FBI to issue alerts. It is a proximity cybercrime that mainly targets tourist sites. But not only.
In Texas, in the city of Austin, motorists have been victims of phishing via QR Codes stuck on parking meters. But instead of being redirected to the city’s official website or app to pay for parking, motorists landed on a fake site that collected their credit card information. A similar scam has been identified in the city of San Antonio. These QR Codes are also starting to appear in phishing emails and online advertisements. A way that may seem strange since why redirect us to a website, when we are already there? Simply because they often go undetected by security software, giving them a better chance of reaching their targets than attachments or dangerous links. Plus, it’s much faster to send out thousands of fraudulent emails than to stick QR Codes around town.
It will be necessary to remain vigilant during these holidays, whether in France or abroad. Although no victim has been identified in France, the site cybermalveillance.gouv.fr is on the lookout, especially during the summer holidays. As a precaution, a search engine or a VPN is recommended when connecting to a public Wi-Fi network. Also, it is better not to download applications outside the official stores – the Google Play Store and the Apple App Store. It should be kept in mind that many QR Codes embedded in e-mails are fraudulent, and if a QR Code links to a site requesting information that does not seem necessary, it is better not to transmit it.