Rogue QR code antics have been back in the news recently. They’re not exactly a mainstay of fakery, but they do tend to enjoy small waves of popularity as events shaped by the real world remind everyone they still exist.
The most notable example where this is concerned is of course the pandemic. With the spread of Covid-19, people and organisations naturally wanted to move away from physical contact. Contactless cards were in, and so too were QR codes. This was fertile ground for scammers to move back into a pact they may have long since abandoned.
Even outside of scams, the use of QR codes as a safe way to do important things is questionable. The problem with QR codes stems from how easy they are to use. Point your smartphone’s camera at a QR code and your phone will happily read it, convert it to a URL, and then open the URL in your browser. Very trusting.
What’s happening this time?
The Better Business Bureau are warning us to be on the lookout for QR code scams. The latest example they give is of a student sent a letter about loan consolidation. The letter contained links to an official .gov site, and also included “a barcode and QR code that looked legitimate”. Unfortunately once the victim contacted the scammers by phone, they were tricked into an eventual loss of just over a thousand dollars. You can see an older example of such a scam tactic here. Whether by QR code and bogus website or plain old unsolicited telephone call, the outcome is typically the same. Monthly fees going out of the victim’s bank account until they notice something is wrong.
We took a look at some of the recent examples listed in the BBB scam tracker. This is where people essentially crowdsource scams they encounter, adding them into the tracker database.
There was no common pattern between scam types, which ran the range of phishing and identity theft to employment fakouts and bank imposters. With that in mind, here’s the ones which caught our eye:
Trading for QR codes
One person claims they lost $5,100 after a stranger reached out on Instagram and convinced them to get into the wild world of forex (Foreign Exchange) trading. The discussion was moved to WhatsApp where a “withdrawal fee” of $4,102 was sent to a supplied QR code. When more requests for cash happened, the victim became suspicious.
A scam of utility
Another scam of note was related to utility services. A victim claims they were told their electricity would be turned off within 20 minutes. The only way to fix this was to pay an unpaid bill by going to a nearby gas station and sending $900 or so dollars via a QR code. The QR code downloaded a Bitcoin app, and at that point they presumably became suspicious and went no further.
Of employment, supplies, and money muling
As you’ve seen, sending potential victims to gas stations to use Bitcoin ATMs is a popular technique. Perhaps the most shocking example we saw was along these same lines. The victim didn’t lose any money, but they did lose an awful lot of time, and experienced what must have been a lot of stress.
Our subject applied for a virtual job at a new organisation, after uploading their resume to a job hunt website. The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual. They sent their supposed new employers a copy of their driving license and other personal information. The victim was then sent $5,000 to “purchase equipment” for their job, and instructed to send $4,800 to their “software vendor’s” Bitcoin address via a gas station ATM.
It wasn’t long before they were given the cold shoulder by the people asking them to receive and send money. They had almost certainly been used as a money mule: Laundering dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM.
In most cases, the QR code isn’t some sort of surprise gotcha. Nothing leaps out at the victim and drops malware, or pops something terrible on the desktop. No, the scammers are using them the same way regular folks do—for convenience. They’re simply a means of getting the victim in front of an ATM machine. From there, they set the ball rolling to part them from their money (or have them act as the conduit for ill-gotten gains).
Avoiding QR scams
If you’re dealing with QR codes in public, on ads or posters, check that they haven’t been tampered with (look for stickers with a new QR code placed over an original).
QR codes in correspondence can be trickier. The trick is to remember that a QR code is easy to create and is no more trustworthy than any other word or web address. When dealing with codes from businesses you’ve dealt with, try to confirm the code is genuine. If the code opens a website asking for login details, confirm that it’s the company’s legitimate address. Asking for logins from QR codes is risky behaviour and should really be avoided whether a real code or not.
And if anyone tries to steer you towards a Bitcoin ATM, move swiftly in the opposite direction.
Follow these rules and you’ll hopefully avoid any code-based pitfalls.
The post If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam appeared first on Malwarebytes Labs.