FBI Warns of Malicious QR Codes
The FBI’s Internet Cyber Crime Center (IC3) has published a public service announcement warning that “Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.” The PSA includes tips for users to protect themselves, which include not downloading apps from QR codes and not making payments on sites that have been navigated to with a QR code.
Data from independent sources usually show QR code usage is pretty low, in the 5-10% of users, though the QR code industry shows much higher numbers. Good to warn users that QR codes are just like clickable links in email or text message – may have some convenience but carries risk. I think more importantly: never download a random app to read QR codes. If the camera app in your device doesn’t do QR codes, just don’t use them.
Treat QR codes like any other clickable link; only scan trusted codes. The native iOS and Android apps provide a pop-up with the site referenced by the QR code; if you’re not familiar with the site, don’t proceed. There is often an alternative to using the provided QR code. For example, many restaurants are now primarily providing menus by QR code, even so, they still have physical menus for those who don’t have a smartphone or are uncomfortable with the link.
While QR codes have been around for quite a while it was not until the pandemic hit that their use became more mainstream and people more familiar with using them. This is a good example of cybercriminals taking advantage of growing popularity in technology solutions and why cybersecurity pros need to keep abreast of how technologies are being utilized and subsequently abused so they can ensure the appropriate controls are in place.
I do not believe that it is helpful to tell users not to download apps using QR codes. Too often, there are legitimate apps that are offered via QR codes. But users should be considering what they are downloading, and where they are finding the QR code. The alternative, offering short URLs for users to type in, has the same problems as QR codes.
QR code adoption has increased since the pandemic; everyone knows how to scan a QR code at a restaurant. Unfortunately, this convenience is being exploited to direct end users to malicious sites. Count this as another feature that requires user awareness training.
Read more in
Threatpost: Surge in Malicious QR Codes Sparks FBI Alert
Bleeping Computer: FBI warns of malicious QR codes used to steal your money
GovInfosecurity: FBI Warns of Cybercriminals Using QR Codes to Steal Funds