QR Code Fraud

August 07, 2024

As hands-free, low/no-contact trends exploded in popularity during the pandemic, QR code technology became more prevalent. So, too, did the ways to take advantage of the technology and turn a QR code into a phishing operation, or worse. QR codes are appearing in public places such as parking areas, restaurants, and hospitals, where they offer a convenient, no-touch way to pay for or order a service. However, that accessibility extends beyond patrons looking for a simple, germ-free way to get things done: malicious actors are taking advantage of QR codes in public places, as well as sending them in phishing campaigns via email and SMS messages.

At the end of 2023, the Federal Trade Commission published a warning about an uptick in, and the tactics used by, scammers and fraudsters disseminating QR codes that stole personally identifiable information (PII) or directed unsuspecting victims to fraudulent websites that would do so. QR codes can also install malware onto personal devices, such as laptops and mobile phones. The dark web and its adjacent platforms, such as Telegram, offer tutorials and services that empower cyber criminals to steal not only information but, in some cases, the finances of victims, using QR codes:

Figures 1 and 2: On an onion forum, malicious actors discuss QR code fraud sales and cashing out on them using cryptocurrency, as well as possibly accessing Discord; Source: DarkOwl Vision

The easiest method to spread QR code fraud is simply placing a sticker over a QR code located in an open, public place. Criminals can do this outside of the range of security cameras in many instances. These cover-up QR codes can send victims to fraudulent websites.

Alternatively, if QR codes are sent via email, embedding them as an image in the email does not trigger security or scanning software, so the malicious link of the embedded QR code will function and lure victims to the malicious website. This tactic is called “Quishing” – a portmanteau of QR code and phishing.

Both of the above scenarios rely on people using personal devices while they are out and about, running errands. Personal devices often have weaker security protections than a corporate or employer-sponsored device. Criminals also take advantage of the fact that people are often in a hurry when running errands or going to a leisure event, so they don’t take the time to inspect URLs for typos or suspicious-looking links. Online tutorials offer QR code fraud guides of all types to criminals looking to maximize their financial gain:

Figure 3: A Telegram user advertises for all kinds of malicious services, including QR code fraud; Source: DarkOwl Vision

Since QR code fraud is similar to phishing operations, the same protective measures apply:

  • Always inspect URLs closely, and make sure there are no typos or possible misdirection in the code itself or in the URL provided with the code.
    • This includes ensuring the URL uses the secure HTTPS protocol, and not just HTTP.
  • Do not click on or scan QR codes from strangers. Only open QR codes from trusted sources.
  • Don’t download any files from a QR code or permit auto-downloads from any websites related to QR code use.
  • Ask employees in places where QR codes are posted publicly to verify the website the code takes you to, so that no fraud or information stealing occurs.
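
The URL checks from the list above can be automated once the QR code has been decoded to a URL. The following is an added example, not DarkOwl's code: the function name `check_qr_url`, the warning labels, and the domains in `EXPECTED_DOMAINS` are assumptions constructed for illustration.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the domains an organisation actually prints on its QR codes.
EXPECTED_DOMAINS = {"pay.example-parking.com", "menu.example-cafe.com"}


def check_qr_url(url, expected=EXPECTED_DOMAINS):
    """Return a list of warnings for a URL decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    # Plain HTTP (or any other scheme) instead of HTTPS.
    if parts.scheme != "https":
        warnings.append("not-https")
    # "https://trusted.example@other.host/" displays a trusted name before
    # the "@", but the browser connects to the host after it.
    if parts.username or parts.password:
        warnings.append("userinfo-misdirection")
    if not host:
        warnings.append("no-host")
        return warnings
    # A raw IP address in place of a domain name.
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    # Typo check: a host that is close to, but not exactly, an expected domain.
    if host not in expected:
        close = difflib.get_close_matches(host, expected, n=1, cutoff=0.85)
        warnings.append("lookalike-of:" + close[0] if close else "unknown-domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs, as if decoded from scanned codes.
    for sample in ("https://pay.example-parking.com/lot7",
                   "https://pay.examp1e-parking.com/lot7",
                   "http://pay.example-parking.com/lot7"):
        print(sample, "->", check_qr_url(sample) or "ok")
```

An empty list means none of these checks fired. It does not establish that the destination is trustworthy.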

Copyright © 2024 DarkOwl, LLC All rights reserved.