‘Qrishing’ is one of those scam techniques that has everything it needs to become a real problem. As the name suggests, it is a variant of phishing based on QR codes. It is as simple as tricking us with fake QR codes that send us to a malicious website. Instead of a fake email or SMS, the lure is a QR code.
The aggravating factor of Qrishing is that it takes advantage of the way we use QR codes. We normally scan these codes to access a restaurant’s menu or download an application, all from the mobile camera and with very little effort. The problem is that in this process we usually download and install things, and sometimes register with our data or even pay through the QR code. This is where we run the risk of being deceived.
We saw an example last year with the BiciMAD QR codes. People going to get a bike from the Madrid bicycle service found something strange: a fake QR-shaped sticker had been placed on top of the original. If a person scanned it, they were taken to a fake payment platform. The solution is to scan this code with the official application, because if it is scanned with any common QR reader, it will direct you to that fake page.
Madrid is not the only city where the bicycle service has been attacked through Qrishing. Amsterdam has encountered this problem as well. The fake is easy to detect if we look closely, but the rush to grab a bike can often make us fall for it.
INCIBE warned about Qrishing in September of last year, classifying it as high importance. One of the added risks is that this scam works even with two-factor authentication, since “by scanning the QR code, cybercriminals manage to have the victim’s address appear already filled out on the form”.
The tips that the Cybersecurity Institute and the Bank of Spain give to avoid Qrishing are the following:
- Do not scan QR codes without being sure of their origin and purpose.
- Check that the QR code is not a sticker placed over the original QR.
- Enable the function that previews the URL the code redirects to before opening it.
- Be suspicious if the URL does not belong to the domain of the company or service.
- Make use of link analyzers, such as VirusTotal.
- Be suspicious if it asks you to download a file, especially if it is an .apk.
- If in doubt, never provide personal or banking information.
- Keep device protection tools activated and updated.
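The URL checks in the list above (preview the destination, compare its domain with the service's own, distrust .apk downloads) can be automated once the QR code has been decoded to text. The following Python is an added example, not part of the original article; the function name, the `bikeshare.example` domain and the sample payloads are constructed for illustration.

```python
from urllib.parse import urlsplit


def assess_qr_url(payload, expected_domains):
    """Return a list of warnings for the text decoded from a QR code."""
    warnings = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return [f"not a web link (scheme: {parts.scheme or 'none'})"]
    if parts.scheme != "https":
        warnings.append("link is not HTTPS")
    host = (parts.hostname or "").rstrip(".")
    if parts.username is not None:
        # "https://brand.example@other.example/" really opens other.example
        warnings.append("text before '@' hides the real host: " + host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, possible look-alike domain")
    # Accept the domain itself or a true subdomain, never a substring match.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append(f"host '{host}' is not an expected domain")
    if parts.path.lower().endswith(".apk"):
        warnings.append("link downloads an .apk file")
    return warnings


# Constructed sample payloads (assumed service domain: bikeshare.example)
SAMPLES = [
    "https://pay.bikeshare.example/unlock?dock=12",
    "https://bikeshare.example.pay-secure.example/login",
    "http://bikeshare.example@203.0.113.7/app.apk",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        for warning in assess_qr_url(url, {"bikeshare.example"}) or ["no warnings"]:
            print("   ", warning)
```

An empty result only means none of these checks fired; it does not prove the page behind the link is legitimate.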
Although this scam is still not as common as phishing by email or SMS, its growth is notable. According to a report from the firm Barracuda, 740 Qrishing attacks per day were detected in June and 1,100 per day in August. As reported by ITBrew, different cybersecurity reports from firms such as Reliaquest or Abnormal Security point to increases of 51% from one year to the next.
As with ‘Juice jacking’ and public USB ports, we must also be very careful with QR codes. Qrishing is one of the latest forms of phishing in use, and there are likely to be cases in which it is very difficult to tell a valid QR code from a fake one.