As QR codes continue to be heavily used by legitimate organizations, from Super Bowl advertisements to the collection of parking fees and fines, scammers have crept in to abuse the very same technology for their nefarious purposes.
A woman in Singapore reportedly lost $20,000 after using a QR code to fill out a “survey” at a bubble tea shop, while cases of fake parking citations carrying QR codes and targeting drivers have been observed in the U.S. and the U.K.
Striking while you’re asleep
A Singapore-based woman lost $20,000 to a stealthy scam after visiting a bubble tea shop.
The 60-year-old woman, who has not been named, saw a sticker on the bubble tea shop’s glass door encouraging visitors to scan a QR code and fill out a survey for a “free cup of milk tea.”
To an average person, and even a fairly technically savvy one, this alone may not raise red flags, considering that loyalty and rewards programs often tout such offers and use QR codes to do so.
“Enticed by what seemed like a good deal, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app onto her Android phone to complete the ‘survey,’” reports The Straits Times.
As she went to bed that night, her phone suddenly lit up. The bogus “survey” app she had downloaded siphoned $20,000 out of her bank account.
Mr. Beaver Chua, head of anti-fraud at OCBC Bank’s group financial crime compliance department, who relayed the victim’s case to local media, calls the scam particularly “insidious.”
“This scam is so insidious because scammers take over the victim’s phone. And because victims lose control of their Internet banking account, they won’t even know when their savings have been completely wiped out,” says Mr. Chua.
Of note, the malware app downloaded by the victim asks the user to grant access to the phone’s microphone and camera, as well as to the Android Accessibility Service, a feature intended to assist users with special needs that also lets an app read and control the phone screen.
The scammer then passively monitors the victim’s mobile banking app usage and notes down any login credentials the user enters during the day.
All of the aforementioned permissions, once granted, make it a breeze for the threat actors to spy on their victim and wait for just the right moment, such as bedtime, when they can carry out their malicious activity unnoticed.
“While malware scams are not particularly new, scammers are getting increasingly innovative,” says Mr. Chua.
“Besides website pop-up banners, which are most common, pasting bogus QR codes outside F&B establishments is another cunning way to hook victims as consumers may not be able to differentiate between legitimate and malicious QR codes.”
Last year, the Singapore Police Force warned citizens of crooks misusing the Singpass digital identity system, which uses QR codes. Fraudsters would ask victims to complete bogus surveys and then scan a Singpass QR code via the official Singpass app as part of a “verification process” before the victims could redeem monetary rewards.
“However, the Singpass QR code provided by the scammers was a screenshot taken from a legitimate website, and by scanning the QR code and authorising the transaction without further checks, victims unintentionally gave the perpetrators access to certain online services,” states the police warning.
Fake parking tickets and QR codes
Meanwhile, cases of scammers leaving fake parking tickets on drivers’ windshields have been observed across the US and UK.
Last week, a Reddit user spotted a fake parking ticket claiming to have been issued by San Francisco’s city government.
“I know everyone hates getting citations in San Francisco. Scammers are getting more BOLD!! Issuing fake parking citations!! FYI: parking in SF is regulated by SFMTA, it will never have a city logo on a citation!! Please watch out, if you received one like this, toss it out because the QR code links to your bank account,” warns the user, who shared a picture of the fake citation:
Interestingly, the ticket, seen on or before May 4th, was dated in the future (May 5th), which should itself raise red flags.
The QR code in the above image leads to a now-disabled URL shortener link: hxxps://qr.link/g43phs
The link purportedly redirects the visitor further to hxxps://sfmta-project.vercel.app, an illicit website that copies the look and feel of the official SFMTA (San Francisco Municipal Transportation Agency) website to appear more convincing.
KRON4, a San Francisco-based TV channel that confirmed with SFMTA that the citation was fake, explained [1, 2] how the copycat website set up by the threat actors (on the left) looks nearly identical to the real website (on the right).
Netizens were also quick to observe that the fake website used Square’s web payments form to process fraudulent transactions. The illicit domains in question and the Square account have since been disabled.
“Second time we’ve seen this. Last time it was malicious QR codes on parking meters in Texas,” wrote journalist Kim Zetter, referring to the particular scam.
“This time thieves in San Fran are leaving fake parking tickets on cars w/ malicious QR codes that, when scanned, take mobile phones to a fake web site to pay fine.”
When in doubt, consumers should verify a parking citation or legal correspondence on the official websites of the relevant government bodies. For example, SFMTA has a dedicated webpage on its city website for looking up citations and fines issued by the agency.
Ironically, the real SFMTA webpage ultimately sends the user to a parking citations portal hosted on a third-party domain, wmq.etimspayments.com, which does not make it any easier to distinguish from an illicit website set up by a threat actor.
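The hard-to-distinguish third-party portal is exactly why a defender-side check needs an explicit allowlist rather than a domain-name heuristic alone. The following is an added example, not code from the article, KRON4 or SFMTA: it refangs a decoded QR payload, walks a constructed (offline) redirect table modelled on the shortener-to-lookalike chain above, and compares the final host against an allowlist; the hosts sfmta.com and www.sfmta.com, the redirect path and the redirect table itself are assumptions, while qr.link/g43phs, sfmta-project.vercel.app and wmq.etimspayments.com are taken from the article.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for the HTTP hops a URL shortener would
# perform; no network access is used. The hop mirrors the chain described in the
# article (shortener link -> lookalike site on vercel.app); the path is made up.
CONSTRUCTED_REDIRECTS = {
    "https://qr.link/g43phs": "https://sfmta-project.vercel.app/pay",
}

# Hosts a defender has confirmed as legitimate for SFMTA citations: the agency's
# own site (assumed) and the third-party citation portal the article names. An
# allowlist is needed precisely because a real portal can sit on an unrelated domain.
OFFICIAL_HOSTS = {"www.sfmta.com", "sfmta.com", "wmq.etimspayments.com"}

# Agency name tokens whose presence in a non-allowlisted host signals impersonation.
BRAND_TOKENS = ("sfmta",)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def resolve_chain(url: str, redirects=CONSTRUCTED_REDIRECTS, max_hops: int = 10) -> list:
    """Follow redirects from the table; max_hops stops a redirect loop from running forever."""
    chain = [refang(url)]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def assess_qr_url(url: str, redirects=CONSTRUCTED_REDIRECTS) -> dict:
    """Classify a decoded QR payload as 'official' or 'suspicious', with reasons."""
    chain = resolve_chain(url, redirects)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    reasons = []
    if final.scheme != "https":
        reasons.append("final URL is not served over HTTPS")
    if host in OFFICIAL_HOSTS:
        return {"verdict": "official", "host": host, "chain": chain, "reasons": reasons}
    if len(chain) > 1:
        reasons.append("QR payload is a shortener that redirects to another host")
    if any(token in host for token in BRAND_TOKENS):
        reasons.append(f"host {host!r} borrows the agency name but is not an official host")
    if not reasons:
        reasons.append(f"host {host!r} is not on the official host list")
    return {"verdict": "suspicious", "host": host, "chain": chain, "reasons": reasons}


if __name__ == "__main__":
    for payload in ("hxxps://qr.link/g43phs", "https://wmq.etimspayments.com/pay"):
        print(payload, "->", assess_qr_url(payload))
```

In a real deployment the redirect table would be replaced by a HEAD/GET request loop that records each `Location` header, and the allowlist would be maintained from the agency's published payment domains.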
UK local governments, including the Isle of Wight Council, have also been cautioning residents to beware of QR codes disguised as a “quick pay” option on parking meters.
“People scan the code and enter their credit card information thinking they are paying for the space, but instead, it directs them to a fake website where scammers capture their payment details,” explains the notice.
“A motorist recently had money taken from their bank account after trying to pay for parking in Sandown using a false QR code stuck to the machine. They were later made aware of the fraud by their credit card company.”
The council has since taken steps to check its parking meters for any fraudulent QR codes placed on or around them, and states that its machines do not currently offer payment via QR codes.