Threat actors are targeting everyone from job hunters to Bitcoin traders to college students wanting a break on their student loans, by exploiting the popular technology’s trust relationship with users.
With the use of QR codes rising, so, too, are the numbers of scams that aim to take advantage of them. Researchers warned that threat actors are going so far as to send potential victims to gas stations to use Bitcoin ATMs in their endeavors to exploit the technology.
The Better Business Bureau (BBB) also warned recently that consumers should watch out for a growing list of scams using QR codes — which are appearing everywhere these days as a simple and contactless way to share information.
QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants, and have gained in popularity over the pandemic as contactless interactions have become the norm. Simply navigating a smartphone camera over the image allows the device’s QR translator – built into most mobile phones – to “read” the code and open a corresponding website.
This simplicity of use is exactly what makes them so attractive for scammers; the very nature of the technology has already set up a trust relationship with its user, researchers from Malwarebytes Labs pointed out. Most of these scams begin with someone receiving an email, a direct message on social media, a text message, a flyer or a piece of mail that includes a QR code, and proceed from there. Once the person scans the code with their mobile device, they’re taken to a malicious website.
“The problem with QR codes stems from how easy they are to use,” they wrote in a report published Tuesday about the growing number of QR code scams. “Point your smartphone’s camera at a QR code and your phone will happily read it, convert it to a URL, and then open the URL in your browser. Very trusting.”
Scams Run the Gamut
The BBB in its advisory, posted late last month, outlined a range of different potential QR code scams for which people should be on the lookout. If someone takes the bait and scans the code, in some cases the QR code will take them to a phishing website and prompt them to enter personal info or login credentials. In other cases, the codes are used to to automatically launch payment apps or follow a malicious social-media account, and the scammer will take advantage of the unsuspecting victim in these scenarios.
While the scams reported to the BBB — which keeps a running list via a Scam Tracker posted online for consumer awareness — “differ greatly,” they are dependent on the potential victim scanning the QR code quickly, without thinking too much about it, the bureau said. This way, a person lacks the time to identify a scam that with some examination would appear suspect.
Bitcoin ATM Fraud
Researchers from Malwarebytes analyzed a few of the campaigns, noting a somewhat bizarre trend among scammers to send potential victims to gas stations to use Bitcoin ATMs. The threat actors use the victims as “money mules” to launder “dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM,” they wrote.
Researchers describe one such attack that they found “shocking,” involving someone seeking a virtual job at a new organization who uploaded a resume to a job-hunt website.
“The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual,” they described in the post. “They sent their supposed new employers a copy of their driving license and other personal information.”
The victim was then sent $5,000 to ‘purchase equipment’ for their job, and instructed to send most of the funds back to the “software vendor’s” Bitcoin address via a gas station ATM, researchers wrote.
The victim received the “cold shoulder” from the people who had arranged the deal, soon after the transfer was made. Though no one was cheated out of any money in the scam, the victim “did lose an awful lot of time, and experienced what must have been a lot of stress,” Malwarebytes researchers noted.
source : https://threatpost.com/qr-code-scammers-bitcoin-atms/168621/