Skulls, crossbones, and QR codes

From the second man to the second-story man, QR codes have moved from being a thing of convenience to a sneaky window for cybercriminals to tap

From the days when black pepper was transported through the sea to the nano-seconds when money moves in the form of bits and bytes via fibre optics- one person has continued to haunt merchants in ever-evolving ways. The pirate. The way they look may have changed but pirates still shadow every penny they can rob or steal.

“QR scams have the potential to damage a merchant’s reputation, erode customer trust, and deter users from engaging in online transactions.”- Vivek Srivastava, Country Sales Leader, Fortinet India

“QR codes posted in public or provided through untrusted channels could be easily manipulated to send the user to a compromised site.”- Nader Henein, VP Analyst, Gartner

It was just a matter of time till they came for QR codes. The upper storey that we built after bar codes, and cemented during the pandemic for faster and contactless commerce, has now caught the patched eyes of these burglars. It is the storey that was meant for speed, convenience and easy access. It is, now, the storey that is being used by burglars to sneak into the building we carry in our pockets. Our devices. And data.

WHAT DO THEY LOOK LIKE?

Quishing is now as common and as dangerous as phishing or vishing. Yes, QR Code threats are on the rise. They come in the form of masquerades that lead the user to malicious sites or download malware on the device. The result can range from pennies slipped out to pounds cut away from one’s pocket, from the user being subscribed to a marketing list and newsletter without consent to stealing sensitive information from devices or spying through the device. The most serious blow is, of course, the theft of the credit card or bank information of the user and the downloading of malware on the device. It can also lead to the hijacking of devices for misuse.

“Apart from exercising user caution, e-commerce websites should deploy robust cybersecurity solutions which can detect fraudulent activities.”- Harshil Doshi, Country Director, Securonix

Harshil Doshi, Country Director, Securonix avers that QR codes have become commonplace in our lives and with it, the related scams are also rising. “Attackers are using various techniques to alter QR codes on business websites and scam unsuspecting users. After scanning these codes, the user is directed to a malicious website that asks them for their credentials or a malicious application that typically contains viruses or other malware. Knowing how the digital landscape is fast evolving, these scams are only going to become more sophisticated.”

Vivek Srivastava, Country Sales Leader, Fortinet India zooms in on the unique aspect of QR code scams which, he explains, lies in their ability to serve the same malicious intent as other cyber-attack vectors, such as phishing emails.

“Cybercriminals employ QR codes to infiltrate malware onto users’ devices with the ultimate goal of pilfering user credentials and passwords. In our daily routine, we are constantly using the Internet and various applications, entering our usernames and passwords across numerous online platforms, including e-commerce, work-related tasks, bill payments, social networking, and entertainment streaming,” he says.

This practice comes with inherent risks. In case any of these platforms become compromised, the stolen username and password information typically ends up on the dark web, where it is offered for sale. This data can be incredibly valuable to cybercriminals, especially when it can be reused on high-value targets like financial institutions or online shopping websites, resulting in potential financial loss for the individual.

Nader Henein, VP Analyst, Gartner points out other facets. The scam is not targeted at a specific individual, when you scan a QR code for an offer for pots and pans, and you land on a site with pictures of pots and pans, you are more likely to share your data thinking this is the correct site. “People have an implicit level of trust towards QR codes that are not earned and it can easily be manipulated. This compromise builds on authentic offers which have authentic campaigns behind them.”

In an illustrative instance, FortiGuard Labs identified a phishing campaign earlier this year, which utilised diverse QR codes to target Chinese-speaking users, cites Srivastava. “A document was attached to this campaign, featuring a prominent QR code at its centre. Upon scanning this QR code with their desktop or mobile devices, users were redirected to a website controlled by threat actors. The primary objective of this QR code scam was to deceive users into disclosing their credentials on a phishing website operated by the malicious actor.”

HOW MUCH THEY HURT?

There is a reason the bad guy is chasing this door. According to Future Market Insights, the QR code payment market could surpass USD 11.67 billion in 2023 and move up to USD 55.60 billion by 2033. The Bitly 2023 QR Code Trends Report confirms that QR Codes are being used by businesses and brands at an accelerated pace with global creations up 41% compared to 2022.

Notably enough, The Retail and Consumer Packaged Goods (CPG) industries experienced an 88% jump in QR Code creation in 2023. This is echoed in a December 2022 survey report from Pymnts, wherein many retailers believe that tech-enabled in-store features determine loyalty, with 81% pointing at the ability to use QR code scanner apps to check prices and inventory, and 51% highlighting self- service kiosks.

That pushes us to confront the bigger fear. Apart from harming the users, the ripple effect of these scams can be massive. They can jeopardise merchants and the digital commerce ecosystem. A landscape that is in full blossom now in India with Unified Payments Interface (UPI), Open Network for Digital Commerce (ONDC), digital currencies and other fast-growing digital interfaces.

“Combating QR code scams is a collective effort. Users, industry stakeholders, and regulatory bodies must collaborate to establish a safer digital environment.”- Maheswaran S, Country Manager – South Asia, Varonis

Srivastava affirms that QR code scams present a significant threat to merchants and the digital commerce ecosystem. “These scams can result in substantial financial losses, affecting both merchants and their customers through fraudulent transactions and chargebacks. Furthermore, they have the potential to damage a merchant’s reputation, erode customer trust, and deter users from engaging in online transactions. Regulatory consequences may also come into play, as lax security practices can lead to fines and legal issues. Additionally, these scams can disrupt operations as resources are redirected to address security breaches and compensate affected customers.”

In India’s dynamic digital transaction landscape, there has been a concerning upswing in QR code scams, Maheswaran S, Country Manager – South Asia, Varonis also puts forth. “Recent reports indicate a notable surge in such incidents over the past couple of months, with hundreds of cases reported across the country. Furthermore, an extensive study revealed that from 2017 till 31 May 2023, Bengaluru alone witnessed approximately 20,662 cases, accounting for 41% of total cases related to QR codes, malicious links, and debit or credit card frauds.”

As Henein dissects, this attack weakens the impact of a merchant’s campaign because potential prospects are being redirected to the attacker’s site and once the attack is discovered by the individual, there is a residual distrust that has a market-wide impact. “The victim is not likely to share their data with any such campaign thereafter.”

HOW TO BE BEAT THE PIRATES?

When you are on a ship, the best way to fight pirates is to have someone on the deck watching for them all the time. One has no choice but to be extra alert and equipped and not careless or lazy.

The same formula applies to digital oceans too.

Doshi suggests that to avoid QR code scams, users have to be more alert and wary of their online transactions. “Some useful tips come in handy in these times. Never share your bank account details or UPI ID. Never scan any QR code to receive money. QR codes do the opposite. It is used for sending money. Also, while scanning any QR code, always check the details like the recipient’s name, account number or IFSC code. There are also apps available today which can detect fraudulent websites and QR codes. Never share your OTP with anyone. Also, try not to share your mobile number when not needed.”

Individuals should not use QR codes posted in public or provided through untrusted channels, reminds Henein. “They could be easily manipulated to send the user to a compromised site where their data could be stolen or where they could be exposed to malware. If an individual wants to avail themselves of an offer, they are better off ‘Googling it’ and the nature of search engine optimisation makes it highly unlikely that the attacker’s site will be featured on the first few pages of the search results.

Regardless of the attacker’s motivations, users are strongly advised to exercise caution in their online activities, Srivastava recommends. “This includes verifying the authenticity of received emails, refraining from opening suspicious attachments or links and abstaining from entering their credentials on unfamiliar websites. When dealing with QR codes, it is imperative to authenticate the source and legitimacy of the sender’s credentials before scanning the code. Instead of clicking on received links, users should navigate directly to the official website of the vendor for any transactions. Additionally, users can employ the practice of hovering over links to identify any unusual or suspicious URLs.

To counter this evolving threat, it is of utmost importance to prioritise public awareness and education, underlines Maheswaran. “Initiatives aimed at educating citizens on secure QR code practices and the necessity of source verification before scanning are crucial. Additionally, the development of robust cybersecurity measures, such as two-factor authentication and secure payment applications, is essential to safeguard users. Policymakers should contemplate regulatory interventions to deter scammers and ensure accountability.

Apart from exercising user caution, businesses like OLX or other e-commerce websites where most of these scams are happening should deploy robust cybersecurity solutions which can detect fraudulent activities, Doshi stresses.

Organisations should also take the initiative to educate their users on recognising and avoiding malicious email attachments and links, as this awareness is a critical defence against QR code scams and other cyber threats, insists Srivastava.

Combating QR code scams is a collective effort, as Maheswaran S sums up well. “Users, industry stakeholders, and regulatory bodies have to collaborate to establish a safer digital environment for all citizens.”

It will take time and many steps. One sparrow does not make a summer. Well, notwithstanding a Jack Sparrow.

By Pratima Harigunani

pratimah@cybermedia.co.in