The Problem with QR Codes

QR codes have become an easy way for companies to promote themselves – now that everyone carries a barcode scanner in their pocket (their smartphone) why not take advantage of this to better connect with customers?

Well…. because it can also be a cybersecurity nightmare.

Cryptocurrency platform Coinbase recently made headlines by using their Super Bowl half-time advert to advertise themselves with a bouncing QR code that users could scan live from their sofas. As many pointed out, this is literally the equivalent of clicking a blind link in an email from an unknown sender – with users unlikely to have checked where the link will take them, or what information they’re handing over when they get there.

Worse still, even if a company’s own QR codes are harmless, it’s very easy to generate imitations online that are not – leveraging a larger company’s advertising as a way to scam users.

QR codes can all too easily be planted by third-parties as a way of tricking the unsuspecting – in particular, you need to be wary of the following scams:

 

Parking Meters
– A fake parking meter QR code, stuck as a label, acts in a similar fashion to phishing emails and the carding-devices cybercriminals have famously used on ATMs to steal card details. By re-directing the user to a fake payment portal to pay their parking, this catches those who might otherwise be a rush. See also: fake parking penalty tickets.

 

qr code phone call

SMS/Phone Codes
– QR codes are generally used from smartphones with calling and SMS sending abilities, so it’s possible to prompt the user to send a text message to a number. Handy for business, certainly, but risky if the user doesn’t realise they’re calling or texting a premium number.

 

qr code tweet

Social Media Share
– Scan here to automatically tweet a link from @Lineal! Unfortunately that link is easily manipulated, causing the scanner to potentially become part of further phishing attempts on their own twitter followers.

 

Connecting to Wi-Fi
– In public spaces, many businesses will prompt users to join their free Wi-Fi via QR code. Clever and convenient, but obviously easy to use as a mechanism for a man-in-the-middle attack by those whose fake Wi-Fi network is simply a trap set for the unsuspecting user who’s just trying to access their email in a coffee shop, airport or hotel.

 

Guidance:

Think before you click – does the QR code match the rest of their branding? Where does the link preview point to? Is there anybody/anywhere you can double-check?

Use a Password Manager – although you might not spot a fake website URL, a password manager that normally autofills only a password on specific sites will recognise the fake immediately.

Assuming the device doesn’t sit within the container of a firewall that’s likely to detect threats as you browse the web, companies issuing work mobiles & tablets need to also extend endpoint security software to those devices – the same way you might a work laptop for those working on the move.

Most importantly, users need to be regularly educated on the importance of recognising phishing scams with organised training – to build personal resilience that extends to whatever device they happen to be using.

 

For Cybersecurity expertise and support, contact Lineal today.


Fake DVLA Emails: Tracing a Trojan Scam

Continuing our recent series on email phishing trickery including fake invoices and Apple ID theft, this week we discovered a new scam involving a fake communication claiming to be from the Driver & Vehicle Licensing Agency (DVLA).

You haven’t sent them your vehicle details: but never fear, enter them below and avoid a hefty ‘1000 GBP’ fine. Never mind that your garage should have organised a V5 document for you, just click the link and type in your details. This couldn’t be a scam? Right?

We set Lineal’s security trainee Lewis on the fake DVLA emails case – who found that the email links to a private (non Gov.uk) web-page with a extensive bit of PHP code running in the background. A classic Trojan, this webpage invited you to download your casefile – and likely something dangerous along with it.

trojan

Despite poor grammar, the format matched a GOV.UK page quite closely and the ‘official’ nature of the styling might easily have tricked unsuspecting motorists.

Avoiding the page itself, Lewis completed an HTTPS lookup on the domain hosting the fake web page – but found two servers running the same scam. The email itself appeared to be routed via the USA, in an effort to mask the attacker(s) identity.

Tracing both IPs seperately led back to the same address in Germany, registered under two different names which could either be part of an organisation (or more likely) both assumed identities stolen from others fallen victim to the scam.

German privacy law prevents Google StreetView from being completed across most of the country, so an aerial view of an unknown industrial building on the outskirts of Lippstadt was a close as we could get to sourcing the suspicious email itself.

Clearly a sophisticated operation, fake DVLA emails like this highlight the growing technical ability of online scammers and the need for solid IT security precautions.

 

For IT Security advice and support, contact Lineal today: 01271 375999


Fake Invoices – Don’t enable document malware!

fake invoices

This week’s IT security alert from Lineal – fake invoices which ask users to run a dangerous piece of code.

The example above comes from a fake Word document emailed with a typical text line, such as ‘Please check this invoice’ or ‘Double check my numbers for me’, to an unsuspecting user.

Upon opening, the document appears to load a popup from Office 2016 prompting the user to ‘Enable Content’ for compatibility purposes, before they can view the detail of the ‘invoice.’

In fact, the display is just an image within the word file, and the ‘Enable Content’ content button instead runs a piece of Visual Basic code downloading unknown malware from the internet.

The scam relies on users’ curiosity at the unusual $1999.00 charge, and upon reaching a user still running an outdated version of Microsoft Office.

 

Several measures can be taken to prevent this kind of attack:

  • Don’t click any popup that doesn’t visibly pop ‘open’ in Microsoft and don’t ‘Enable Content’ you can’t see in a document.
  • Consider an email filtering service like Barracuda – in the above example, Barracuda had recognised this email as malicious and stripped the code from the document before placing it in the correct email inbox for the intended recipient.

 

For IT Security advice and guidance – speak to Lineal today.