May 09, 2023 12:00:00

A case where a smartphone was hijacked and a bank deposit was stolen by reading a skillfully disguised QR code

QR codes are convenient because they allow you to access websites simply by holding them in your smartphone's camera, and you can easily buy things with QR code payments, but there is also the danger of misuse. Two cases of casually scanning a QR code leading to the loss of bank deposits have been reported in rapid succession from Asia, Europe and the United States.

Woman who scanned QR code with malware lost $20k to bubble tea survey scam while she was sleeping |

https://www.straitstimes.com/singapore/woman-who-scanned-qr-code-with-malware-lost-20k-to-bubble-tea-survey-scam-while-she-was-sleeping

SF parking ticket scam going around in city: Here's what to look out for
https://www.kron4.com/news/bay-area/sf-parking-ticket-scam-going-around-in-city-heres-what-to-look-out-for/

QR codes used in fake parking tickets, surveys to steal your money
https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/

The first case is the damage of a Singaporean woman who was stolen $ 20,000 (about 2.7 million yen) by stealth fraud by stopping by a bubble tea shop.

This woman was attracted by the phrase ``Scan the QR code and answer the questionnaire and get a free cup of tapioca tea'' on the glass door of the shop. answered.

However, it turned out that the survey app was fake, and that night, when the woman went to bed to go to sleep, her smartphone screen suddenly lit up and the fake app stole $20,000 from her bank account.

Beaver Chua, head of fraud prevention for financial crime compliance at Oversea Chinese Bank, a regional bank in Singapore, told local newspaper The Straits Times, 'Malware scams are not new per se, but scammers are becoming more and more innovative, and consumers may not be able to tell the difference between legitimate QR codes and malicious QR codes, so sticking QR codes outside restaurants is a clever practice. I can say that,' he said.

If you read such a malicious QR code, a malware application will be installed on your smartphone first. The app asks the user to allow access to the smartphone's microphone and camera. We may also control your screen through Android

accessibility features .

After the smartphone is hijacked, the scammer waits for the victim to use internet banking to read the login information. After that, the victim's behavior pattern is monitored while looking at the smartphone camera, security such as face recognition function is disabled while sleeping, and the bank account is invaded and the deposit is stolen.

Yeo Siang Tiong, general manager of South East Asia at security firm Kaspersky, said businesses should be wary of promotional stickers and QR codes unknowingly posted on their premises. 'If the QR code has been tampered with or looks suspicious, please consider consulting with the store,' he said.

In the United States and the United Kingdom, on the other hand, scams that stick fake parking tickets on car windshields are rampant. For example, on Reddit, a bulletin board-type social news site, the following QR code fraud was reported.

scam, u/hamsupchoi in san francisco
fake parking ticket PSA by

This parking ticket has the city of San Francisco logo on it, but it's actually a fake. However, when you read the QR code, a shortened URL is displayed, and then you are redirected to a fake site (left) that looks exactly like the real San Francisco Municipal Transportation Authority official site (right), so it is difficult to notice the fraud.

by KRON4

According to San Francisco TV station KRON4, which reported this fraud, the fake site has a link to a fine payment page, and when accessed, it is requested to enter the parking ticket number. However, no matter what number you enter, the result is the same, a link to the payment service Square is displayed and you are asked to pay $ 60 (about 8000 yen). After the issue came to light, the fake site's domain and Square account were disabled.

Kim Zetter, a journalist familiar with cybersecurity, told IT news site Bleeping Computer, ``This is the second time I've seen such a scam. In this San Francisco case, scammers stuck a fake parking ticket in the victim's car, scanned the malicious QR code, and directed the victim to a fake website to pay a fine. I will.”

Luckily for criminals, the real San Francisco Department of Transportation also uses a fine payment site hosted on a third-party domain, making it even more difficult to distinguish from fake sites set up by threat actors. increase.

QR code fraud using fake parking tickets has also occurred in the UK. The Isle of Wight Council, which is responsible for the administration of the Isle of Wight in southern England, said on its official website , ``A person who tried to pay for parking with a fake QR code affixed to a machine in a parking lot and withdrew money from his bank account. There is,' and called attention.

At the time of writing, the Isle of Wight parking lot does not offer QR code payment. Following the outbreak of fraud, the Isle of Wight has taken steps to check for suspicious QR codes pasted around parking meters.