What The Tech : Malicious QR Codes

Midrina Tucker,

CHARLOTTTE , N.C. -There was a time when many people didn’t know what to do when they saw a QR code somewhere. Now that they’re being used for everything from bus schedules to payment options to reading a menu at a restaurant, we just scan them and trust that they’re doing what they claim.

But the FBI and now the FTC is warning people that some QR codes are being used by cybercriminals to steal payment information and even take over smartphones.

QR stands for ‘quick response’. And if you’ve ever scanned one you know just how fast they can take you to a website or payment platform. You may not that a bad guy can create a malicious QR code in about the same amount of time it takes you to scan it.

The latest warning from the FTC says it’s found incidents of cyber criminals creating QR codes that send victims to fake websites and stealing login information. For example, if someone scans a code at a restaurant thinking they’re going to a site where they can pay for a meal, the website they get is set up by the criminal. If the victim enters their credit card information, the bad guys get it.

How easy is it to create a malicious code? As simple as this: find a free QR code generator online. Enter what you want the code to do and print it out. No other information or know-how is needed. You can even find instructions on how to create malicious websites with a simple Google search.

I created a QR code in a matter of seconds that led to a link to my blog. I then printed it out on my home printer. It would be just as simple to print a malicious code on pages of stickers I could place everywhere.

The FBI and FTC say it has found incidents where the bad guys print out their QR Codes on a sticker and place that sticker over a legitimate QR code in restaurants and businesses.

To protect yourself, never enter sensitive information into a website after scanning a QR Code. Make sure the code isn’t printed on a sticker. When scanning a QR Code, ensure the URL is taking you to the legitimate website, a pop-up should appear on your phone showing where the link takes you.

And do not download a free QR code scanning app, use your camera instead. In Austin, Texas police report over a dozen malicious QR codes were found on parking lot kiosks with stickers leading people to pay for parking through a link to a website.