
Malaysians urged to use caution when scanning QR codes

01 Feb 2018

As QR code readers are becoming popular in Malaysia through the likes of WeChatPay and Alipay eWallets, Quann Malaysia is warning that scammers have quickly caught up.

The company says that scammers have now started using fake quick response (QR) codes to steal both data and money from people.

QR codes are used across the web and in restaurants, advertisements, retail outlets and other locations to provide information about a business.

They are also being used in Malaysia’s online payment ecosystem for retail consumers; however, Quann Malaysia general manager Ivan Wen says that attackers are quickly using QR codes for their own purposes.

“There’s a rising number of cases where criminals have been sticking their own codes over a business’ original one to steal the scanner’s data or access the scanner’s smartphone to tap into their bank account.”

Because it is often difficult to tell original and malicious QR codes apart, Wen warns that businesses should check to make sure malicious codes are not on their websites or merchandise.

Wen says that QR codes are a normal method of mobile payment in China’s Guangdong province; however, one case involved the theft of approximately RM55 million through restaurant scams.

The People’s Bank of China has since started regulating QR code daily spending limits and it requires all payment vendors to gain a licence before offering QR payment facilities to customers.

“As more mobile payment platforms look to enter the Malaysian market, it is important that users and merchants both exercise the necessary precautions to ensure both parties do not lose money or data to similar scams,” Wen adds. 

In restaurants, QR codes are not regularly changed, allowing attackers to take control. Those codes can also be used to infect mobile devices with viruses that can allow criminals to steal money from a mobile wallet, or can infect the device with ransomware.

Scammers can also replace genuine QR codes with malicious ones that direct victims to malicious websites. If users enter personal information, it can be used as part of phishing emails laden with malware.

“The impact of mobile malware could be devastating as the hacker can access your private information as well as your phone’s camera to spy on you. We advise users to be cautious when scanning QR codes,” Wen says.

Although there is often no way to tell the difference between a genuine and a fake QR code, Quann offers the following tips:

· Before scanning a QR code, observe the collateral for any signs of tampering such as a sticker placed on a printed menu or pamphlet

· Look out for pixelated images and logos as well as spelling mistakes to identify fake collateral

· Use a secure QR code scanner that can flag malicious websites and show the actual URL before scanning the code 

· Do not key in any personal information after scanning a QR code 

· Be wary about scanning a code in public places, like transportation depots, bus stops or city centres, even if it’s on a printed poster.
