The Federal Bureau of Investigation (FBI) warned Americans this week that cybercriminals are using maliciously crafted quick response (QR) codes to steal their credentials and financial information.
The warning was issued in the form of a public service announcement (PSA) posted on the Bureau’s Internet Crime Complaint Center (IC3) earlier this week.
“Cybercriminals tamper with QR codes to redirect victims to malicious sites that steal login and financial information,” the federal law enforcement agency said.
The FBI said scammers are changing legitimate QR codes used by businesses for payment purposes to redirect potential victims to malicious websites designed to steal their personal and financial information, install malware on their devices, or hijack their payments to accounts under their control.
After victims scan what look like legitimate codes, they are sent to the attackers’ phishing sites, where they are asked to enter their login details and financial information. Once entered, it is sent to cyber criminals who can use it to steal money using hacked bank accounts.
“Although QR codes are not malicious in nature, it is important to exercise caution when entering financial information as well as when paying through a site accessible via a QR code,” the FBI said. added. “Law enforcement cannot guarantee the recovery of lost funds after the transfer.”
Be careful when scanning QR codes
The FBI has advised Americans to pay attention to the URL sent to them after scanning QR codes, to always be careful when entering their data after scanning a QR code, and to ensure that codes Physical QRs were not covered with malicious codes.
You should also avoid installing apps via QR codes or installing QR code scanners (use the one that comes with your phone’s operating system instead).
Finally, always enter URLs by hand when making payments instead of scanning a QR code which could be set to redirect you to malicious sites.
The FBI released another public service announcement focusing on QR code risks in November, alerting people that victims of various fraud schemes are increasingly being asked by criminals to use QR codes and ATMs. cryptocurrency machines to hamper efforts to recover their financial losses.
As evidenced by a recent phishing campaign targeting German online banking users, threat actors are using QR codes instead of buttons in spam emails to make their attacks harder for security software to detect and successfully redirect victims to phishing sites.
Victims successfully redirected to phishing landing pages were prompted to enter their bank location, passcode, usernames, and PINs.