Security

Banks and Regulators Warn of Rise in 'Quishing' QR Code Scams

Banks and regulators are warning that QR code phishing scams -- also known as "quishing" -- are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. From a report: Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns.

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within attachments. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," said Chester Wisniewski, a senior adviser at security software company Sophos.
  • by Chris Mattern ( 191822 ) on Monday October 28, 2024 @09:56AM (#64899763)

    "Here's an incompletely human-incomprehensible piece of data designed to encode something that you have no idea what it'll do other than what we tell you. It'll be fine, trust us."

    • by pjt33 ( 739471 )

      And how is that different from a hyperlink [example.com]?

      • A hyperlink [goatse.cx] has at least the potential to be confirmed as something safe and familiar.

        • If a QR code is just an embedded address it is just an html link that could be shown to the user BEFORE loading and ask 'does this look right to you?' 'Are you sure'?

          It's just another link scam except not in email. Hmph.

          If you are over 13 why are you trusting anything digital anymore?
          • "If a QR code is just an embedded address it is just an html link that could be shown to the user BEFORE loading and ask 'does this look right to you?' 'Are you sure'?"

            Yes, you can decode the QR contents first and see what it is. But it's an extraneous fiddly step much more inconvenient than simply mousing over a hyperlink to see its destination displayed.

            • by Tx ( 96709 )

              I don't know what y'all are using, but Google Lens shows you the URL automatically when you point it at a QR code that encodes a link, you can then choose whether or not to visit it, so I would say pretty equivalent experience to using a hyperlink.

          • A QR code can be anything.
            A picture of your baby.

            Or my bank account info and an amount I expect you to transfer. So, you scan it. See my name, see the amount, click ok, click finish, and your bank transfers the money. No damn web / html or anything involved.

            QR codes have absolutely nothing to do with web addresses. Unless: you intentionally encode a web address as QR code.

      • Before browsers started obscuring them, you used to see entire links before you interacted with them, and human readability was a feature. Ironically Slashdot itself undermined your example by prominently displaying the associated domain.
        Many QR code interfaces are now displaying the underlying URL before proceeding to enable discriminating.

        • by pjt33 ( 739471 )

          I cannot remember ever using a QR code reader which didn't show the URL and ask what I wanted to do with it, hence my question. A grid of black and white squares is not inherently more or less opaque than arbitrarily chosen anchor tag content.

          • "I cannot remember ever using a QR code reader which didn't show the URL and ask what I wanted to do with it."

            I don't tend to use QRs much. I don't recall a QR reader ever doing that for me. If they do do that on a regular basis, then that's much better.

          • The problem with QR codes is that they don't always show the landing address directly. It is usually a short URL. Then it's not just a question of whether you trust QR codes, but whether you trust short URLs.
        • by Scutter ( 18425 )

          Have you met users? You could show a giant red warning that says "DANGER! THIS IS A MALICIOUS LINK! CLICKING ON IT WILL GET YOU ROBBED AND FIRED!" and they'll still click on it, fill out all the forms, and then two weeks later open a helpdesk ticket to report it. It barely matters if it shows you the underlying URL or not, except to the sort of people who read slashdot.

          • by Teun ( 17872 )
            I could mark you as Insightful but instead answer your post, indeed it is the stupidity of the user that makes the Quishing effective.
            It's the same people that don't check a link in an email or if they do check it they don't grasp that .cn or .ng in the link is not leading to their US/German/British/whatever bank.
      • by Nkwe ( 604125 ) on Monday October 28, 2024 @10:09AM (#64899795)

        And how is that different from a hyperlink [example.com]?

        At least with a hyperlink, you can visually see what the FQDN is. If it is amazon.com, apple.com, or company name you have actually heard of, you can likely proceed with reasonable confidence. If it is amaz0n.com, you know something is fishy. With a QR code, you can't even eyeball it for sanity.

        • by thegarbz ( 1787294 ) on Monday October 28, 2024 @01:31PM (#64900563)

          At least with a hyperlink, you can visually see what the FQDN is. If it is amazon.com, apple.com, or company name you have actually heard of, you can likely proceed with reasonable confidence. If it is amaz0n.com, you know something is fishy. With a QR code, you can't even eyeball it for sanity.

          False. A QR code is just text and any QR code reading tool even remotely worth its salt will offer you a preview of that text and not just blindly execute something. The only purpose of an automatically executing QR code is special purpose applications, such as a handshake for a login, and you wouldn't be worried about a Quishing attempt there since it's something you literally need to initiate yourself.

          • by Nkwe ( 604125 )

            At least with a hyperlink, you can visually see what the FQDN is. If it is amazon.com, apple.com, or company name you have actually heard of, you can likely proceed with reasonable confidence. If it is amaz0n.com, you know something is fishy. With a QR code, you can't even eyeball it for sanity.

            False. A QR code is just text and any QR code reading tool even remotely worth its salt will offer you a preview of that text and not just blindly execute something. The only purpose of an automatically executing QR code is special purpose applications, such as a handshake for a login, and you wouldn't be worried about a Quishing attempt there since it's something you literally need to initiate yourself.

            Of course a QR code is just text, however you need a tool to make that text human readable. You can't as I said "eyeball it", which you can with a URL.

            Sure, better QR tools will show you the underlying text / URL before doing something with it, but you do have to have that tool, and you have to trust that the tool will do the right thing. If I point my phone at a QR code, it will usually offer to show the link before navigating to it, but I emphasize usually, because it hasn't always done that for me, and

            • You can't as I said "eyeball it", which you can with a URL.

              Except you literally can, as I said, any tool worth your salt converts it to text for your review first. You can do this with literally any QR code. They aren't magic or encrypted in any way.

              but you do have to have that tool

              Everyone has that tool, the OS QR code scanner on Android does this. Presumably Apple's does too, though given the fact they think a mouse should have a charging port on the bottom maybe they don't. If your software is arbitrarily changing set behaviour then you have a far bigger problem than a QR code. But then also

          • by Mozai ( 3547 )

            "and any QR code reading tool even remotely worth its salt..."

            You're assuming most people are using QR-code reading tools that are up to your standards. Awful lot of people out there using iPhones, whose easiest-to-access camera tool scans for QR codes constantly in everyday use, and pops up a button in front of other buttons that will open a browser before it shows you the entirety of the text it found. And there is only one browser in an iPhone, with all the user's session information pre-loaded for co

            • Indeed I am since it is the safe assumption to make. Why is it safe? Here's a list of QR code readers that work like this (non-exhaustive):
              Android's OS reader
              Android's default camera
              Samsung's camera
              Apple's camera (also the default way to scan QR codes on iOS)

              With that I think we've covered 99% of QR code readers out there. In all cases after scanning a QR code you actually need to tap the FQDN that is shown on the screen to move on. None of these apps (which again, cover nearly all phones) will open the lin

      • The rest of the article:

        Researchers and fraud managers said it was hard to estimate the costs of “quishing” as cyber security companies and banks do not typically log the format of malicious links and because such emails may be just one element in a broader cyber attack.

        But research by IBM found that “phishing” attacks — which involve scammers sending targeted emails with malicious links — are increasingly expensive to companies, with the global average cost of a data breach rising nearly 10 per cent to $4.9mn in 2024.

        QR codes contain data, such as URLs or payment information, in binary code. Invented by Japanese company Denso Wave in 1994 as a tool for tracking auto parts, these codes are designed to be quickly readable by machines, particularly smartphones, but are generally illegible to humans.

        Although most smartphones display a short preview of the URL contained in a scanned QR code, researchers have said that this pop-up is generally not sufficient for users to be able to detect that a link might be fraudulent.

        “These attacks take advantage of the fact that QR codes, by nature, are difficult to interpret visually, so victims often don’t know where they are being directed to until it’s too late,” said Amir Sadon, director of research at cyber security consultancy Sygnia.

        Banks said that the prevalence of this kind of scam has accelerated since QR codes surged in popularity during the Covid-19 pandemic, when they were used to display everything from vaccine passports to restaurant menus. “It’s definitely a growing trend in terms of the number of reports we’re seeing,” said Steph Harrison, a senior fraud operations manager at TSB.

        A survey by security software company McAfee in May found that more than a fifth of all online scams in the UK probably originated from QR codes. Reports of QR code scams in the UK more than doubled in the year to August 2024, according to Action Fraud.

        The US Federal Trade Commission, as well as multiple local authorities across the UK, also warned this year about a specific kind of “quishing” scam targeting drivers, including cases where stickers directing users to fraudulent sites have been placed on top of legitimate QR codes used to pay for parking.
        These links may direct users to an incorrect website and ask them to enter their details, or lead them to download malware. Worse still, said Harrison, “you could also get fined for not actually having a parking ticket”.

        Victims have also reported fraudulent QR codes being placed over legitimate ones at EV charging points, train stations and restaurant tables.
        But researchers said that “quishing” scams are most commonly deployed in emails — a threat that has put corporate security vendors under pressure to adapt their online defences.

        “Today almost no [cyber security] products are looking through attachments,” said Wisniewski. “If this continues to be a problem, I suppose the industry will have to move there — but it will slow down the delivery of emails, and it will also make things more expensive.”
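The thread keeps coming back to one step: the scanner has decoded the grid into text, a preview is shown, and the user has to judge it. The article above says that preview is "generally not sufficient", and earlier posts point out why (short URLs hide the destination, amaz0n.com-style look-alikes, user-info before an '@'). The following is an added example, not code from the thread, the article or any scanner app named in it. It takes decoded QR text and applies the checks a cautious user or a mail filter would apply before opening it. The host lists and the homoglyph table are constructed for the example and are assumptions, not authoritative data.

```python
"""Sanity-check the text a QR scanner has decoded before acting on it.

Added example; not code from the Slashdot thread, the article, or any
scanner app named there.  KNOWN_HOSTS, SHORTENER_HOSTS and HOMOGLYPHS are
constructed for the example (assumptions, not authoritative lists).
"""
from urllib.parse import urlsplit

# Constructed: hosts the user genuinely recognises (assumption).
KNOWN_HOSTS = {"amazon.com", "apple.com", "example.com"}

# Constructed: URL shorteners.  A preview of a shortener link says nothing
# about the final destination, which is the objection raised about short URLs.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}

# Digit-for-letter swaps seen in look-alike hostnames such as amaz0n.com.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _full_host(netloc: str) -> str:
    """Strip user-info and port: 'amazon.com@evil.example:8443' -> 'evil.example'."""
    return netloc.rsplit("@", 1)[-1].split(":")[0].lower().rstrip(".")


def registrable_host(netloc: str) -> str:
    """Reduce 'www.pay.amazon.com' to 'amazon.com' with a naive last-two-labels rule.

    Assumption: adequate for the hosts used here.  Production code should
    consult the Public Suffix List (co.uk and friends need three labels).
    """
    labels = _full_host(netloc).split(".")
    return ".".join(labels[-2:])


def classify_qr_text(text: str) -> dict:
    """Return {'kind', 'host', 'verdict', 'reasons'} for decoded QR text."""
    text = text.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.netloc:
        # QR payloads are arbitrary text (Wi-Fi credentials, payment strings,
        # prose); none of it should be acted on without a look.
        return {"kind": "not-a-web-url", "host": None, "verdict": "review-manually",
                "reasons": ["decoded text is not an http(s) URL"]}

    full_host = _full_host(parts.netloc)
    host = registrable_host(parts.netloc)
    reasons = []
    verdict = "unknown"

    if "@" in parts.netloc:
        # 'https://amazon.com@evil.example/': the text before '@' is user-info;
        # the browser connects to evil.example.
        reasons.append(f"user-info before '@'; the real host is {host}")
    if scheme == "http":
        reasons.append("unencrypted http")

    if host in KNOWN_HOSTS:
        verdict = "known"
    elif host in SHORTENER_HOSTS:
        verdict = "opaque-shortener"
        reasons.append(f"{host} is a URL shortener; the destination is not visible")
    elif host.translate(HOMOGLYPHS) in KNOWN_HOSTS:
        verdict = "lookalike"
        reasons.append(f"{host} resembles {host.translate(HOMOGLYPHS)} with swapped characters")
    else:
        # A known brand used as a subdomain of an unrelated registrable host.
        for brand in sorted(KNOWN_HOSTS):
            if full_host.startswith(brand + ".") or ("." + brand + ".") in full_host:
                verdict = "lookalike"
                reasons.append(f"{brand} appears as a subdomain of {host}")
                break

    return {"kind": "web-url", "host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, one per case the thread discusses.
    for sample in ("https://www.amazon.com/dp/B0", "https://amaz0n.com/login",
                   "https://bit.ly/3abc", "https://amazon.com@evil.example/",
                   "https://amazon.com.login-verify.example/",
                   "WIFI:T:WPA;S:cafe;P:secret;;"):
        print(sample, "->", classify_qr_text(sample))
```

The point of the "opaque-shortener" verdict is that it is not a false alarm to be tuned away: a preview of a shortener link is exactly the case where the on-screen FQDN tells the user nothing, and the only safe outcome is to resolve it somewhere other than the user's logged-in browser.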

      • by DarkOx ( 621550 )

        I will grant you that through various methods it is possible to obscure almost every detail one might make a trust decision on within a link. At least though if you are somewhat savvy you can 'spot' if the opacity is there for a technical reason or just to make it harder to know what your clicking on, or some mixture of the two, and make your choice informed by that judgement/information.

        QR codes basically normalize near total opacity. A lot of QR code applications represent an interface designed to active

      • And how is that different from a hyperlink [example.com]?

        you can put your mouse over the hyperlink, and see where it's going to

    • "Here's an incompletely human-incomprehensible piece of data designed to encode something that you have no idea what it'll do other than what we tell you. It'll be fine, trust us."

      QR codes are just text. Any competent application allows you to preview the contents of the text prior to doing anything with it. There is no implicit trust placed here unless you the user blindly apply that trust through the use of a crappy app or by setting your settings incorrectly.

      A QR code is no worse than a link. You the user go to that link. It doesn't matter if it is a little picture with black squares or if it looks like this: this is not goatse.cx trust me [notareallink]

      • or by setting your settings incorrectly.

        Which most people do. Even if they should know better. Because it's a second or two faster.

        I was going to post a link to the graphic of the funny Windows Defender popup (the one with the button that says "make this message go away and get on with things"). But most of what came up in my search was how to turn security warnings off.

    • Man, you must really hate bar codes too...

    • by Zarhan ( 415465 )

      I use a QR scanner from F-Droid, https://f-droid.org/packages/c... [f-droid.org] - when you scan a link, it prominently shows you where it's leading and requires you to tick a checkbox "I've verified this link, fire up the browser to go there". So you cannot just click through.

      No difference to a hyperlink really.

    • Here's a computer system which will, without any confirmation from the user, download and execute computer code from any location it sees. What could possibly go wrong?

      Maybe we should recognize that certain vendors simply don't build secure systems, and refrain from using those vendors for anything involving money or value.

    • QR Scanner, on F-Droid does exactly this
    • "Here's an incompletely human-incomprehensible piece of data designed to encode something that you have no idea what it'll do other than what we tell you. It'll be fine, trust us."

      LOL. You too? I am in the same boat: why would anyone trust this?

  • by ninjaadmin ( 896197 ) on Monday October 28, 2024 @10:10AM (#64899797)
    Quishing, smishing, vishing, etc... wtf. I've never met anyone that actually works in security and uses these terms. "phishing" or "social engineering" covers it all...
    • by know-nothing cunt ( 6546228 ) on Monday October 28, 2024 @10:14AM (#64899815)

      Stop quomplaining.

    • I feel like the new cyber security words are all made up by CompTIA to sell people new Security+ text books.

      • I feel like the new cyber security words are all made up by CompTIA to sell people new Security+ text books.

        This. I imagine KnowBe4 has a hand in it as well in order to sell annual "security" training.

    • That's a strange way of saying you've never met anyone that actually works in security. Where do you think these silly terms came from in the first place. A quick google search of the term will tell you that it's already a thing, you can get onboard with nomenclature used or you can forever be considered that one stubborn person who has trouble communicating with others.

      • by ninjaadmin ( 896197 ) on Monday October 28, 2024 @10:33AM (#64899879)

        That's a strange way of saying you've never met anyone that actually works in security. Where do you think these silly terms came from in the first place. A quick google search of the term will tell you that it's already a thing, you can get onboard with nomenclature used or you can forever be considered that one stubborn person who has trouble communicating with others.

        Weird... and here I thought my Masters in Information Assurance and 3 decades of experience actually meant something all this time.

        • No, it just means you have paperwork. Degrees are meaningless, especially in the context of IT where your attempt to demonstrate relevance points more to someone who did something 3 decades ago. For that you're better off rattling off a list of continuous learning you've done, industry conferences you've attended, you know, anything relevant in the time frame of the past year where the term quishing has been a thing instead of bragging about something you did 30 years ago when camera phones didn't even exis

          • Interesting... you assume that degree was obtained at the beginning of my career.
            Let me clear that up for you... my cybersecurity degree was obtained in 2016 at USF. Granted, that's not exactly "recent" in technology terms... but also not quite as ancient as you assumed.

            Since then, I went ahead and got another Masters in CS from Georgia Tech... I like to keep my skill set up to date.

            Earning 5 degrees (and stacks of certs) over the years doesn't just mean I have paperwork... it shows dedication to continu

            • Interesting... you assume that degree was obtained at the beginning of my career.

              It is an incredibly safe assumption. Now even if this isn't the case it doesn't help your point in any way. Either you obtained your degree in the past year where the degree covered the term quishing (in which case I would call your industry experience into question), or you obtained it earlier (in which case I would call its relevance to an emerging term into question). The point remains the same, pointing to a degree is silly and doesn't help your case.

              Earning 5 degrees (and stacks of certs) over the years doesn't just mean I have paperwork... it shows dedication to continuing education and being really good at what I do.

              Then you should have led with that. Not talk about a

              • Either you obtained your degree in the past year where the degree covered the term quishing (in which case I would call your industry experience into question), or you obtained it earlier (in which case I would call its relevance to an emerging term into question). The point remains the same, pointing to a degree is silly and doesn't help your case.

                QR code attacks have existed a lot longer than a year, as has the "marketing" term "quishing". Regardless, these silly words weren't on the syllabi. The only place I've seen them used outside of the occasional story like this is in KnowBe4's annual Kevin Mitnick approved training material.

                Then you should have led with that. Not talk about a degree and couple it with the concept of 30 year history in the same sentence.

                Why start an e-peen contest right out of the gate?

                Your next certificate should be one in how to develop a compelling argument, you could use some work there as clearly you could have made your original point far stronger.

                Not really, my original point was "making up all these silly words is dumb". That same complaint would have been equally valid coming from Bob in accounting who is forced

        • The key here is the phrase "works in". People who sell security products and services love these words, because it makes it sound like the products do more. "We protect you from phishing, vishing, smishing, and quishing!" They make up the words and use them in their advertising and product sheets.

          On the other hand, the people who actually use those products and services just roll their eyes and lump all of these together as "phishing". If it's actually important to distinguish them they'll say something l

        • Weird... and here I thought my Masters in Information Assurance and 3 decades of experience actually meant something all this time.

          Marketing terminology is rarely taught in serious schools as marketing terminology changes all of the time.

          That being said, phishing, an actual term that grew from the hackers of the time, is actually quite obviously going to be abused with variations like smishing, quishing, whateverthefucknewmethod of phishing people is.

    • by Tablizer ( 95088 )

      Quishing, smishing, vishing, etc... wtf.

      Haven't you heard? Squids run the Deep State, and control naming.

    • by SpzToid ( 869795 )

      Quishing, smishing, vishing, etc... wtf. I've never met anyone that actually works in security and uses these terms. "phishing" or "social engineering" covers it all...

      Fellow Slashdotters, please don't confuse any of that stuff with queefing [urbandictionary.com] which is an extremely subtle, minor personal security issue most of us here on the slashdots should concern ourselves with, because there's truly no point in doing so.

  • The great thing about identity validation, it's simple, robust and works! If everyone started using PGP, and IT made sure people have up-to-date VALIDATED key rings, 99.99% (or some high percentage), of email nonsense, would be stopped. The major issue is people have no way to trust email, in any context, outside using a technology like PGP.

    If I look through my email, I have a long thread from Microsoft, where most of the emails aren't from Microsoft, and where several have bad DNS headers. If this wa
  • Using QR codes in a commercial environment. Yet another example of something being implemented without any thought of security.
  • Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within [PDF] attachments.

    That's what you get for using flawed "corporate cyber security solutions". Why do they test HTML for malicious links, but not PDFs? The PDF structure is well defined and arguably is just as hierarchical and easily parseable as HTML. Just update your products and stop whining, you lazy fvcks at Sophos and others.
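The post above argues that a PDF is parseable enough that a mail filter has no excuse for not looking at the images inside it. As an added example (not the commenter's code and not the code of Sophos or any other vendor named on this page), here is the first half of that job: walking a PDF's top-level objects, listing every image XObject with the dimensions and filters a QR decoder would need, and flagging the square ones as candidates. The PDF below is a constructed minimal file whose image streams are placeholder bytes; only its structure matters. Decoding the image data (FlateDecode, DCTDecode) and running an actual QR decoder over it are assumed to be done by a library downstream.

```python
"""List image XObjects in a PDF so a QR decoder can be pointed at them.

Added example, not the code of any product the thread names.  SAMPLE_PDF is
a constructed minimal PDF with placeholder image data.  Scope: top-level
objects only.  The PDF specification forbids stream objects (and so images)
inside compressed object streams, which is why a top-level walk finds them;
a QR drawn with vector path operators instead of an image would not show up
here and needs a content-stream rasteriser.
"""
import re

# "N G obj ... endobj" blocks.  Non-greedy so one object does not swallow
# the next; binary stream data containing the literal "endobj" would break it.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _int_entry(body: bytes, key: bytes):
    """Read an integer dictionary entry such as /Width 21."""
    m = re.search(rb"/" + key + rb"\s+(\d+)", body)
    return int(m.group(1)) if m else None


def _filters(body: bytes):
    """Return the /Filter names as strings, whether a single name or an array."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", body)
    if not m:
        return []
    return [f.decode() for f in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))]


def find_image_xobjects(pdf: bytes):
    """Return one record per /Subtype /Image object found at top level."""
    images = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        sm = STREAM_RE.search(body)
        width, height = _int_entry(body, b"Width"), _int_entry(body, b"Height")
        images.append({
            "obj": int(m.group(1)),
            "width": width,
            "height": height,
            "bits": _int_entry(body, b"BitsPerComponent"),
            "filters": _filters(body),
            "data_len": len(sm.group(1)) if sm else 0,
            # QR symbols are square; a weak hint, since padding defeats it.
            "square": width is not None and width == height,
        })
    return images


def triage_pdf(pdf: bytes) -> dict:
    """What a mail filter could log for an attachment before a QR decode pass."""
    encrypted = b"/Encrypt" in pdf  # encrypted PDFs cannot be inspected this way
    images = [] if encrypted else find_image_xobjects(pdf)
    return {
        "encrypted": encrypted,
        "image_count": len(images),
        "qr_candidates": [i["obj"] for i in images if i["square"]],
        "images": images,
    }


# Constructed sample: one page with a 21x21 1-bit image (QR-sized) and a
# 640x480 JPEG.  Stream bodies are placeholders, not real image data.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R /Im2 5 0 R >> >> >>
endobj
4 0 obj
<< /Type /XObject /Subtype /Image /Width 21 /Height 21 /ColorSpace /DeviceGray /BitsPerComponent 1 /Length 14 >>
stream
QRPLACEHOLDER!
endstream
endobj
5 0 obj
<< /Type /XObject /Subtype /Image /Width 640 /Height 480 /ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /DCTDecode /Length 13 >>
stream
JPEGPLACEHOLD
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

The filter list matters downstream: a DCTDecode stream is a JPEG that can be handed to an image library directly, while a FlateDecode stream is raw samples that need the dictionary's width, height, colour space and bit depth to be turned back into pixels. An encrypted attachment is the honest answer to the question above about why some filters see nothing: there is nothing to parse until it is decrypted.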
