QR codes have become a go-to staple for contactless transactions of all sorts during the pandemic, and the FBI is warning that cybercriminals are capitalizing on their lax security to steal data and money, and to drop malware.

Menus, event ticket sales, quick site access — QR codes have become a common way to interact as a result of the COVID-19 pandemic. But the smart little matrix bar codes are easily tampered with and can be used to direct victims to malicious sites, the FBI warned in an alert.

QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants, and have gained in popularity over the pandemic as contactless interactions have become the norm. Simply pointing a smartphone camera at the image allows the device’s QR reader – built into most mobile phones – to decode the code and open the website it encodes.

“A victim scans what they think to be a legitimate code, but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information,” the FBI alert explained. “Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”


The FBI said it has also observed threat actors using malicious QR codes to download malware giving them access to a victim’s device, where they then accessed financial data to steal money. Cybercriminals are also swapping out genuine QR codes for their own, intercepting payments, collecting cash and data, the FBI added.

QR Code Abuse Increases

Last April, Ivanti conducted a survey which found 57 percent of consumers in an international sample increased QR code usage following the March 2020 pandemic onset. Worryingly, 87 percent of respondents told Ivanti they felt secure carrying out financial transactions following QR codes. The evidence suggests that user security confidence in QR codes is misplaced.

Last summer the Better Business Bureau issued an alert that scammers were increasingly abusing QR codes in innovative ways; one elaborate scheme started with a malicious QR code and ended with sending victims to gas stations to use Bitcoin ATMs.

Purandar Das, co-founder and CEO at Sotero, said a rise in QR abuse was almost inevitable.

“Every technological advance that is a legitimate opportunity to simplify user interaction is coopted by the criminals,” Das explained. “QR codes have become increasingly popular as a way to direct consumers to business websites and applications. They have become ubiquitous in the restaurant industry due to the pandemic and the desire to not have to pass around paper menus. There are just so many opportunities to trick consumers into providing information. The cat-and-mouse game continues.”

FBI QR Code Tips

The FBI offers several tips to avoid the next QR code scam:

  • Double-check the URL of any site pulled up with a QR code to make sure it’s legitimate: “A malicious domain name may be similar to the intended URL but with typos or a misplaced letter,” the FBI added.
  • Before engaging with a QR code, check to make sure the code itself hasn’t been tampered with. The FBI suggests looking for evidence a sticker has been slapped over the original code.
  • The alert also cautions users against downloading an app from a QR code rather than from the application store, which has more security protections.
  • Do not download a QR code scanner app: The FBI said, “this increases your risk of downloading malware onto your device. Most phones have a built-in scanner through the camera app.”
  • Don’t make payments to a site accessed by a QR code, if possible.
  • And, if you receive a QR code that you believe to be from someone you know, reach out to the person through a known number or address to verify that the code is truly from them.
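A defender-side check that automates the first tip, added here as an example and not taken from the FBI alert or this article: given the URL decoded from a QR code, it flags plain http, IP-literal or punycode hosts, and any host within a couple of edits of a domain the user expected, which is the typo or misplaced letter the alert describes. EXPECTED_DOMAINS is a constructed allowlist and the two-label registrable-domain approximation is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user expects this code to open (assumption).
EXPECTED_DOMAINS = {"example-restaurant.com", "pay.example-bank.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit-cost insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels only; assumes no multi-label public suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_qr_url(payload: str) -> list[str]:
    """Return warnings for a decoded QR payload; an empty list means an expected domain over HTTPS."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"non-web payload scheme '{parts.scheme or 'none'}'"]
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("plain http")
    if not host:
        warnings.append("no hostname")
        return warnings
    if host.replace(".", "").isdigit():
        warnings.append("IP literal instead of a domain name")
        return warnings
    if any(ord(c) > 127 for c in host) or "xn--" in host:
        warnings.append("non-ASCII / punycode host")
    if host in EXPECTED_DOMAINS or any(host.endswith("." + d) for d in EXPECTED_DOMAINS):
        return warnings
    # Lookalike check: a typo (1 edit) or a swapped letter pair (2 edits) of an expected domain.
    reg = registrable(host)
    for expected in EXPECTED_DOMAINS:
        dist = levenshtein(reg, registrable(expected))
        if 0 < dist <= 2:
            warnings.append(f"'{host}' looks like '{expected}' (edit distance {dist})")
            return warnings
    warnings.append(f"'{host}' is not an expected domain")
    return warnings
```

Non-URL payloads (Wi-Fi credentials, vCards, mailto links) are reported as such rather than scored, since a menu or payment code should only ever carry a web address.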
