[Software]Watch out for malicious QR codes! This kind of scam is increasing

[Maheso]

You’ve almost certainly used QR codes before—it’s when you point your phone’s camera at a square barcode to access a menu, a form, or even an app, and then tap on the link that appears. But while most QR codes are often innocuous (especially compared to their early wild days), their low-tech and humble vibe make them perfect tools for bad actors.

A recent example surfaced in the news just last week, with Malwarebytes publishing a blog post about a targeted QR code attack on WhatsApp accounts. Broken QR codes served as bait for victims, who were lured into clicking a link and following instructions that granted access to a new device. That hacker-owned device then gained the ability to read and potentially download full message histories.

While sophisticated, this particular campaign highlights how a QR code will serve as a gateway to a malicious website. More commonly, the attack is direct—as when I wrote about a phishing scheme back in December, which tried to steal login info for Microsoft accounts. Scanning the QR code led to a phishing webpage.

What’s most dangerous about QR codes is that they can pop up in a number of environments, some of which you might not associate with shady behavior. It’s not limited to the online world, either—you’re just as likely to encounter a bad QR code while out running errands. For example:

Physical ads: Think flyers and bills posted in public. They claim to be about a service, charity, business, etc, but instead send you to a phony site or force your device to download malware.
Text communication: If your friends, family, or associates get hacked, you could be sent a phishing QR code to squeeze personal info out of you.
Email: Similarly, you could get spoofed emails from people you know or stores you shop at, asking you to confirm personal information. The reasons can vary widely.
Physical mail: Your mail could include fake ads and notices with malicious QR codes. Packages aren’t exempt, either—a new scam is to send unsolicited items to people, then include a phishing QR code with them to snag your details (possibly even your financial info).

One particularly sneaky appearance of bad QR codes is as additions to legitimate physical flyers and ads posted in public, or on things like parking meters. A would-be scammer will stick or paste a replacement QR code over the proper barcode, which then sends unsuspecting folks to a phony site. You could lose not just your personal info, but your credit card or other financial details, too.

QR code scanning apps can be trouble as well. Nowadays, you don’t need a third-party app—the camera app on both Android and iOS phones will handle QR codes perfectly fine. But these third-party options still exist, and someone could download one not realizing the risk of grabbing malware that will spy on your activity and steal data.

 

 

https://www.pcworld.com/article/2584748/watch-out-for-malicious-qr-codes-this-kind-of-scam-is-increasing.html