Hackers Abuse QR Codes

QR codes, widely used by legitimate organizations for various purposes, such as advertisements and enforcing parking fees, are also being exploited by scammers for their fraudulent activities.

Individuals have lost money to QR code scams: a woman in Singapore lost a hefty amount after filling out a fake survey, and fake car parking citations carrying QR codes have targeted US and UK drivers.

QR Code with Malware

A 60-year-old woman in Singapore lost $20,000 in a QR code scam where she was prompted to scan a QR code and fill out a fake survey for a free cup of milk tea at a bubble tea shop.

Both an ordinary person and someone with some technical knowledge might not immediately suspect a scam, since loyalty and rewards programs often use QR codes for promotions.

The 60-year-old woman downloaded a third-party app on her Android phone to fill out the fake survey after scanning the QR code on the sticker at the bubble tea shop.

The scam app the woman downloaded stole $20,000 from her bank account, which was noticed at night when her phone lit up. OCBC Bank’s head of anti-fraud considers it an “insidious” scam.

The scam is dangerous as scammers can take control of the victim’s phone and internet banking, leaving them unaware of their savings being wiped out.

The malware app requests access to the following on the victim’s phone:

  • Microphone
  • Camera
  • Android Accessibility Service

After getting access to these features, the threat actors monitor the victim’s mobile banking app usage and record their login credentials.

The acquired permissions allow threat actors to spy on their victims at night and conduct malicious activities without detection.
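For defenders triaging an app like the one described above, the following added example (not from the original article) checks an AndroidManifest.xml, already decoded to text, for the three capabilities listed. The sample manifest, the package name and the rule that all three together mean high risk are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WATCHED = {
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.CAMERA": "Camera",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.teasurvey">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".SurveyHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return which capabilities from the article's list the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = {label for perm, label in WATCHED.items() if perm in names}
    # An accessibility service is declared as a <service>, not a <uses-permission>.
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if svc.get(ANDROID + "permission") == A11Y_BIND and A11Y_ACTION in actions:
            found.add("Android Accessibility Service")
    return sorted(found)


def is_high_risk(manifest_xml):
    """Assumed rule: all three capabilities together flag the app for review."""
    return len(triage_manifest(manifest_xml)) == 3


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_high_risk(SAMPLE_MANIFEST))
```

Legitimate apps can declare any one of these on its own, so the check is a triage signal for a survey or rewards app, not a verdict.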

Malware scams are becoming more innovative, with scammers pasting fake QR codes outside F&B establishments, which may deceive consumers who cannot differentiate between real and fake codes.

The Singapore Police Force cautioned citizens last year about criminals abusing QR codes in the Singpass digital identity system.

The police have warned about fraudsters who trick victims into scanning a fake Singpass QR code during a bogus survey, unintentionally giving the fraudsters access to certain online services.

Fake parking tickets have been spotted across the US and UK, with a recent incident reported in San Francisco.

The fake parking ticket in the San Francisco incident carried a future date. The QR code provided in the ticket led to an illegitimate website that copied the official SFMTA website to appear genuine.

KRON4, a San Francisco-based TV channel, confirmed with SFMTA that the fake parking ticket and its illegitimate website look nearly identical to the genuine ones.

The SFMTA website directs users to a third-party domain for parking citations, which could be mistaken for an illicit website. Meanwhile, UK local governments warn residents to be cautious of QR codes disguised as “quick pay” parking meters.

To counter any placement of fraudulent QR codes around parking meters, the council has inspected them and made it clear that QR code payments are not currently supported by its machines.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.