Story image

Malaysians urged to use caution when scanning QR codes

01 Feb 18

As QR code readers are becoming popular in Malaysia through the likes of WeChatPay and Alipay eWallets, Quann Malaysia is warning that scammers have quickly caught up.

The company says that scammers have now started using fake quick response (QR) codes to steal both data and money from people.

QR codes are used across the web and in restaurants, advertisements, retail outlets and other locations to provide information about a business.

They are also being used in Malaysia’s online payment ecosystem for retail consumers, however Quann Malaysia general manager Ivan Wen says that attackers are quickly using QR codes for their own purposes.

“There’s a rising number of cases where criminals have been sticking their own codes over a business’ original one to steal the scanner’s data or access the scanner’s smartphone to tap into their bank account.”

Because it is often difficult to tell original and malicious QR codes apart, Wen warns that businesses should check to make sure malicious codes are not on their websites or merchandise.

Wen says that QR codes are a normal method of mobile payment in China’s Guangdong province, however one case involved the theft of approximately RM55 million through restaurant scams.

The People’s Bank of China has since started regulating QR code daily spending limits and it requires all payment vendors to gain a licence before offering QR payment facilities to customers.

“As more mobile payment platforms look to enter the Malaysian market, it is important that users and merchants both exercise the necessary precautions to ensure both parties do not lose money or data to similar scams,” Wen adds. 

In restaurants, QR codes are not regularly changed, allowing attackers to take control. Those codes can also be used to infect mobile devices with viruses that can allow criminals to steal money from a mobile wallet, or can infect the device with ransomware.

Scammers can also replace genuine QR codes with malicious ones that direct victims to malicious websites. If users enter personal information, it can be used as part of phishing emails laden with malware.

“The impact of mobile malware could be devastating as the hacker can access your private information as well as your phones camera to spy on you. We advise users to be cautious when scanning QR codes,” Wen says.

Although there is often no way to tell between a genuine and fake QR code, Quann offers the following tips:

· Before scanning a QR code, observe the collateral for any signs of tampering such as a sticker placed on a printed menu or pamphlet

· Look out for pixelated images and logo as well as spelling mistakes to identify fake collaterals 

· Use a secure QR code scanner that can flag malicious websites and show the actual URL before scanning the code 

· Do not key in any personal information after scanning a QR code 

· Be wary about scanning a code in public places, like transportation depots, bus stops or city centres even if it’s on a printed poster.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.