As QR codes continue to be widely used by legitimate organizations, from Super Bowl ads to enforcement of parking fees and fines, scammers have crept in to misuse the technology even for their nefarious purposes.

A woman in Singapore is said to have lost $20,000 after using a QR code to complete a ‘survey’ at a bubble tea shop, as cases of fake parking citations with QR codes targeting drivers have been seen in the states United States and United Kingdom.

Knock while you sleep

A Singapore-based woman has lost $20,000 to a stealth scam after visiting a bubble tea shop.

The unnamed 60-year-old saw a sticker on the glass door of the bubble tea shop encouraging visitors to scan a QR code and complete a survey for a “free cup of milk tea”.

For the average and even fairly technically savvy person, this alone may not raise any red flags given that loyalty and rewards programs often tout such offers and use QR codes to do so.

Seduced by what seemed like a bargain, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app to her Android phone to take the ‘survey’. reports Straits time.

As she was going to bed at night, her phone suddenly turned on. The bogus “survey” app she had downloaded embezzled $20,000 from her bank account.

Mr Beaver Chua, head of fraud in the financial crime compliance department at OCBC Bank Group, who relayed the news of the victim to local media, described the scam as particularly “insidious”.

“This scam is so insidious because the scammers take the victim’s phone. And because the victims lose control of their internet banking account, they won’t even know when their savings have been completely wiped out,” Chua says. .

It should be noted that the malicious application downloaded by the victim asks the user to allow access to the microphone and the camera of the phone, in addition to Android Accessibility Servicean Android feature to help users with special needs, which also allows an app to control the phone screen.

The scammer then passively monitors the use of the victim’s mobile banking app and logs all login credentials entered by the user during the day.

All the above-mentioned permissions, once acquired, allow hackers to spy on their victim and wait for the right time, such as bedtime, when they can carry out their malicious activities unnoticed.

“While malware scams aren’t particularly new, scammers are becoming more and more innovative,” Chua says.

“Besides website pop-up banners, which are the most common, sticking fake QR codes outside food establishments is another clever way to lure victims, as consumers may not be able to make the difference between legitimate and malicious QR codes.”

Last year, Singapore police warned citizens to scammers misusing the Singpass digital identity system that uses QR codes. Fraudsters would ask victims to complete fake surveys and then scan a Singpass QR code through the official Singpass app, as part of the “verification process” before victims can redeem monetary rewards.

“However, the Singpass QR code provided by the crooks was a screenshot taken from a legitimate website, and by scanning the QR code and authorizing the transaction without further verification, the victims unwittingly gave the perpetrators the ‘access to certain online services,’ the police warning states. .

Fake parking tickets and QR codes

Meanwhile, cases of scammers leaving fake parking tickets on drivers’ windscreens have been seen in the US and UK.

Last week, a Reddit user spotted fake parking ticket claiming to be issued by the San Francisco city government.

“I know everyone hates getting citations in San Francisco. The scammers are getting BOLDIER!! Issuing fake parking citations!! FYI: parking in SF is regulated by the SFMTA, there is no will ever have a city logo on a quote!! Please be careful, if you received one like this, throw it away because the QR code links to your bank account,” warns the user, who shared the photo fake quote:

Interestingly, the post seen on or before May 4 was dated in the future (May 5), which would trigger some red flags.

The QR code in the image above leads to a now disabled URL shortener link: hxxps://qr.link/g43phs

The link allegedly redirects the visitor to hxxps://sfmta-project.vercel.app, a illicit website that copies the appearance of the official SFMTA (San Francisco Municipal Transportation Agency) website to appear more convincing.

KRON4, a San Francisco-based television station that confirmed with SFMTA that the quote was false, explained [1, 2] how the threat actors’ configuration of the impersonator website (left) is almost identical to the real website (right).

Netizens were also quick to observe that the fake website was using Square’s web payment form to process fraudulent transactions. The infringing domains in question and the Square account have since been deactivated.

“Second time we’ve seen this. Last time it was malicious QR codes on parking meters in Texas,” writing reporter Kim Zetter, referring to the particular scam.

“This time, thieves in San Francisco are leaving fake parking tickets on cars with malicious QR codes that, when scanned, take cellphones to a fake website to pay a fine.”

If in doubt, customers should check a parking citation or legal correspondence on the official websites of government agencies. For example, SFMTA has a dedicated webpage on his city’s website to view citations and fines issued by the agency.

Ironically, the real SFMTA web page ultimately leads the user to his parking quotes portal hosted on a third-party domain: wmq.etimspayments.com, which does not necessarily make it any more distinct from a malicious website created by a malicious actor.

UK local governments, including the Isle of Wight council, have also been warn residents to be wary of any QR codes they find that may be disguised as a “quick pay” parking meter option.

“People scan the code and enter their credit card information thinking they are paying for the space, but instead it directs them to a fake website where scammers capture their payment details,” says the lender. ‘notice.

“A motorist recently had money withdrawn from his bank account after he attempted to pay to park at Sandown using a fake QR code taped to the machine. He was later made aware of the fraud by his credit card company.”

The council has since taken steps to check parking meters for any fraudulent QRs placed around them and says its machines do not currently offer payments via QR codes.