Scammers are always trying to stay a step ahead, so it’s no surprise they’re finding ways to use QR codes and other forms of mobile malware.
The hot new tactics among cyberthieves: QR code fraud, mobile-technology malware and email scams powered by gift cards, not credit cards. That is, for now. Cyber criminals are like sports dopers; it’s their business to stay a step ahead of the game. “We beat them, they have a new variant within 48 hours,” says Nick Nascimento, owner of aGeek2Go, a San Diego-based information technology support and service company.
“These aren’t kids in a garage. They are people in high-rises driving nicer cars than we do,” Nascimento says. “The sophistication, the sheer masses of bandwidth — this is big-time business.”
Nascimento and others explain three hot cybercrime strategies, and how to avoid them.
1. QR code fraud.
QR codes are those black-and-white squares that look like modern art; in reality they are condensed URLs. When scanned, they lead users to a Web page. Marketers love them because they’re instant and accurate, says Tony Anscombe, senior security analyst in the San Francisco office of AVG, an Amsterdam-based security software firm. “It’s not relying on me remembering anything or typing anything,” Anscombe says.
QR codes become fraudulent in two ways. The first is when they’re designed to contain malware. When the user scans the code, the malware loads — in the background, invisibly — onto the user’s mobile phone. When users open a mobile wallet, or access their bank information with the phone, the malware captures that information and relays it to the creator of the nasty QR code, who then uses it to steal from bank accounts and make fraudulent credit card charges.
Fraudulent QR codes can also lead users to a legitimate-looking URL that asks for permission to send texts (SMS messages). Users who consent begin getting premium texts, which show up as 50-cent, $1 or other small charges on a cellphone bill, a charge most users wouldn’t notice, Anscombe says. Those small charges, spread over hundreds or thousands of cellphone bills, add up to big money for the criminals.
How to avoid it:
First, download a QR code security app; makers include AVG Mobilation, Norton Mobile Security and Lookout Mobile Security. The apps will let the user know if the QR code will lead to a malicious site. Second, resist the urge to scan any random QR code you come across, particularly if the code is on a poster or looks pasted-on. Thieves circulate these codes by developing them, printing them and sticking them in easy-to-see places, Anscombe says. If you absolutely must play with QR codes, do so at places of commerce you trust.
2. The FBI scam.
This scam, for desktop computers, arrives via an email that looks like it’s from the FBI. The scam is new because it relies on gift cards, not credit cards, to make a profit. This is how it works: The email — which looks startlingly real, Nascimento says — tells the recipient that they’ve been the victim of malware, then asks for payment to erase the malware from their computer. The page helpfully suggests buying a gift card at CVS or another chain store as payment. Users then enter the gift-card number into an email; the thieves at the other end take the amount and supposedly free the user from the malware.
The trick? The transaction with the gift card actually places malware on your desktop, and usually, professional help is needed to wipe it clean, Nascimento says.
How to avoid it:
“Ignore it,” says Nascimento, adding that the scam first came to attention about four months ago, and has since morphed four times. “It’s very hard to get out of machines,” he says.
3. Mobile malware.
Fake apps download viruses and malware onto smartphones — Android models are particularly susceptible — via text messages and emails. When users open the email, it begins sending texts in the background that ring up charges on the user’s cellphone bill. Others send email messages; when the user clicks on the link in the email, malware downloads and begins harvesting personal information — including anything stored in a virtual wallet — from the user. Some ask for permission to access a contact list and then send the malware to the user’s friends and family as well.
Worse, the malware will leap to a personal computer or tablet when the host — the mobile phone — is attached to that device to charge or port information. “Plug it into a corporate network, and you’ve just put the entire corporation at risk,” says Stan Stahl, founder of Citadel Information Group Inc., a Los Angeles online security consultancy.
How to avoid it:
Treat your cellphone like the personal computer it is, Stahl advises. First, download apps only from trusted sources — the Apple site for iPhones, the Google site for Androids. (In late October, T-Mobile announced it would offer Android users free security apps and load 2013 models of phones with security devices.)
Second, pay attention when installing an app. “It should tell you exactly what it’s going to do,” Stahl says. Keep an eye out for unusual requests; for instance, if a map app asks to access a contact list. If it does, “say no and think about whether you want to download it,” Stahl says.
Third, think twice about “jailbreaking” an iPhone, that is, altering it to free it from the iOS operating system and thus open it to apps from other sources. Jailbroken iPhones are as susceptible to viruses as a newborn infant: “All bets are off,” Stahl says.
Overall, “users are the last line of defense,” Stahl says, noting that the mobile security applications don’t work 100 percent of the time. “Exercise some common sense about what you’re doing.”