Caution Flags 

The radical simplicity and irresistible pull of the Coinbase spot was the talk of the post-game ad reviews. But out of the din of this discussion came another message — this one from the Federal Bureau of Investigation (FBI). Inc Magazine’s Jason Aten pointed to a warning they had issued a month prior to the big game – the first lines lay out the situation quite clearly:

The FBI is issuing this announcement to raise awareness of malicious Quick Response (QR) codes. Cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information.

QR Codes Are Back, And Bigger Than Ever

Once again, it seems that bad actors have seized on a popular trend to help them do their dirty work. A simple technology dating back to the 90’s, QR Codes are on the rise lately – as they’ve become a very effective digital tool for marketers who want to quickly convert mobile phone readers into shoppers and buyers. The Wikipedia entry on QR codes gives you a quick grasp of just how powerful they can be when scanned on a mobile phone:

QR codes may be used to display text to the user, to open a webpage on the user’s device, to add a Card contact to the user’s device, to open a Uniform Resource Identifier (URI), to connect to a wireless network, or to compose an email or text message.

All you have to do is think about how hackers might use that kind of power, and you can quickly see that indiscriminate scanning of QR codes could lead you into some serious trouble. 

Two Primary Sources of QR Code Danger

The first danger with malicious QR codes is the fact that they can transport you seamlessly to a fake website. As with most hacks, the first layer of the transaction seems to be legitimate: the QR code works! The user arrives at a site that has the offer or information they were seeking. 

And this is when many users will let their guard down, and fail to notice telltale signs that the site isn’t legitimate. Super-sweetened offers can also play a role in softening up otherwise careful users. The bad website can be a collection point for private information and financial data, and the path to financial losses and ID Theft is paved.

The second danger is QR codes that include malware themselves. Once again, let’s turn to the FBI for — “just the facts”:

Malicious QR codes may also contain embedded malware, allowing a criminal to gain access to the victim’s mobile device and steal the victim’s location as well as personal and financial information. The cybercriminal can leverage the stolen financial information to withdraw funds from victim accounts.

That’s about as bad as it can get. So, short of forsaking the use of all QR codes — how do you defend yourself?

What Can You Do?

Here are the five steps you can take – we discuss each below in more detail:

1. Get informed about what QR codes are and what they can do.
2. Make sure your device has good security software.
3. Use that security software regularly!
4. Before scanning any QR code, scan “the situation.” 
5. Make sure you land where you expected to!

You’ll be glad to know that you’re well on your way to completing the first step. We hope this article has helped in this regard, and if you want to get even more up-to-date on potential threats to you and your mobile device, we highly recommend these two companion articles:

Six Ways That Cybercriminals Try To Take Over Your Device – QR codes are covered here along with several other traps, like WiFi Honeypots, Fake Apps, and even Subtitles in Streaming Apps. Do give it a careful read – lots to learn here.

Can a QR Code Be Used In A Phishing Attack? – If you’ve followed us so far, you know the answer to this question is YES! But hit the link to get more information on how QR codes can bait the hook for hackers’ big Phishing expeditions.

Security Help

If you’re using dfndr security, make sure you activate the anti-hacking feature to protect you from scams and malware. dfndr security PRO plan also has a dedicated Safe App function to help sniff out apps that contain malware, and also provides complete Identity Theft reports should you suspect trouble.

Eyes Up!

But your awareness is always going to be your first line of defense. Remember that QR codes primary benefit is to help you connect to a specific spot on the web without your having to type in a URL. The “fun” of seeing this work is no doubt a major part of the success of that Coinbase ad. 

If you decide you do want to scan a QR code – make sure you can verify it’s from a trusted source, and take a good close look at the surroundings: the copy and design, the context of use. Is the code stuck on a wall outside a club? Or did it come to you via a traceable source like a mass mailing? If you can verify that the code is from a trustworthy source – make sure the landing spot is what you expected it to be.  

Just remember what your friends in the FBI told you: a QR code isn’t a game to be taken lightly — or a Pokemon type game where you have to capture and collect. They serve a very specific function, and they’re more powerful than they look. Treat QR codes with the same caution you’d give to any unknown app or web address.

The ph prefix means that both are…well…phake.

But despite the cute names, the damage that can be wrought with either method is considerable. Identity Theft is the end game for many of these swindles, and as you may know, the long tail effects of ID theft can be personally devastating (and if you’ve never really experienced or read-about just how hard ID Theft can be for individuals, we highly recommend reading through that linked article. Not fun, but essential information).

While phishing attacks are made through phishy emails, pharming is the term applied when the hacker sets a trap in the form of a malevolent website: frequently, an impostor-site posing as a well-known and trusted company site. 

Pharming: Individual User Attacks

Phishing and pharming often go together – and the phishy email lures a single user to a malicious website, where the user enters their private information and the pharmer makes off with it, using it later to sow havoc by deploying it on the real site.  

Sometimes these sites are simply set up like traps on the web – you may have encountered one or more of these by simply misspelling the name of a popular site. The result may be a jarringly different site than what you expected. 

In truth these situations are relatively easy to avoid.  But sometimes the site you’re delivered to can be very close to what you expected, and that’s where real pharming trouble can begin.

Malware can drive pharming too – redirecting you to the substitute site without your awareness or permission. It’s important to remember that hackers are increasingly fond of using techniques of misdirection. You may inherit malware through a new app you download, but the consequences arrive later, when you first log on to your bank-site or try to pay your credit card bill, and the malware takes you to an impostor site to steal that information from you.

DNS Switching  

DNS switching takes the whole pharming idea to a more dangerous height. Whereas the malware or phishing-driven pharming operates at an individual user level, DNS Switching redirects all traffic to a given website to a pharmed-out impostor. 

The malware works within the DNS server and redirects requests to reach the authentic site to the pharming site. These more sophisticated attacks often involve more sophisticated fakery, and the pharming sites can be very convincing.

How To Protect Yourself, Down on The Pharm

As always, there are a few different layers of protection you can enlist to keep yourself from pharming — and the more of them you employ, the safer you’ll be:

Mindset: Your mindset as a user is one of the best defenses you have against hackers. Remember that hackers are fond of using social engineering – which some might refer to as “good old psychology” — to lure users into interactions with iffy emails, sketchy sites, and strange-people on well-known platforms. Keep your guard up, and if somebody, something, or some site asks you for information that your bank or health club or grocery-delivery (etc.) already should have, let that alarm bell go off loudly in your head. Then take three giant steps away from your keyboard. 

If your spider-sense has even an inkling that an email from a friend or a site isn’t the real deal: slow down and check it out. In general: try not to confer the trust you have in a person or company onto any representation made for them on the web. The web is…the web. And it should always be treated with caution.

Unprotected?: Public, unsecured wifi networks really are the devil’s playground.

The upshot is that public networks have chinks in their armour, and hackers use those chinks to “eavesdrop” on your conversations. Information they steal through this technical kind of listening can lead to direct attacks, or…down the road, a phishing or pharming attack tailored just for you. 

S matters: There’s a big difference between http:// and https:// — the difference is that “s,” which stands for secure. When you see the full https://, it means that information on both ends of the website transaction is encrypted and secure. When you don’t – that may not be the case. This is such a widely accepted standard now that the absence of that s should put you on high alert.  

Phishy?: If it looks or sounds phishy, it probably is. It might also be pharmy. Here’s an example of what we mean: in one of the biggest pharming attacks ever launched, a DNS Switching attack on more than 50 financial institutions, the affected users were presented with an error screen that asked them to switch off their anti-malware and any firewall protection they might be running. Many users simply complied, and provided access to the pharming malware to do the rest of the work. 

This obviously relates to our mindset discussion as well, but we wanted to emphasize that even very sophisticated pharming attacks will sometimes rely on users turning off systems of defense: whether it be their own mindset, or settings in place on their computer designed to protect them!

Speaking of Defense…  

Of course one of the essential bits of protective equipment is a good security software solution. dfndr Pro provides several excellent tools to help you protect not only your private information but your physical phone as well. Having that combination of protections is important. 

Pro also offers a Safe App function that enables you to screen any app you might want to try before downloading it, and that can be an excellent first line of protection from malware of all types – including those that are designed expressly to uh, ”take you down on the pharm.” 

With your mindset on high-alert, and your phone protected with a well-designed, and multi-layered security capability, you can move about confidently. Just be careful out there, and try not to get any mud on your shoes!

The film tells the story of a conman who uses the Tinder app to insinuate himself into the lives of three female victims. In the film, Simon Leviev sets up elaborate romantic cons to appear as a wealthy diamond heir, then uses the trust he has gained to steal information, then money – only to use that money to fund the con for his next victim.

It’s a taut and dramatically told story, but without a clear moral or ending. (The New York Post has reported that Leviev has signed with a Hollywood agent, and “wants his own dating show.”)   

How To Stay Safe: Five Scammer Prevention Keys

But the moral for users of Tinder — and social media in general — are still the same: proceed with caution!  Below are a Five Keys to help you stay safe as you navigate dating apps like Tinder — they’re also useful guidelines for people you might meet on any other social app like Facebook:

• Do some research — and take your time. Before meeting in real life with anyone you’ve met online, take the time to do a little background research and find out if the person you’re speaking to is who they say they are. 

• Consider bringing a friend for the first date(s), and meet in public. Yes, this will keep you safer, and it might also help provide a more casual atmosphere where you can learn a little bit more about your new friend.

• Be sensitive about peculiar information requests. Spoiler alert: The Tinder Swindler orchestrated reasons to get Passport information, and then quickly put it to nefarious use. Whatever the reason given, a quick pivot to requests for detailed personal data is always a sure warning sign, especially in a new relationship.

• Keep your purse, phone, and ID’s close. Don’t overlook simple physical sources of data like these. Don’t leave them unattended. 
• If you have any suspicions, check in to things. If anything seems odd in terms of your interactions, don’t bury your head in the sand. A good security solution like dfndr security can help you track where your data is going and also protect your physical phone from theft. Stay on top of your bank and credit card accounts.

Remember: Most Scammers Don’t Do A Lot of Romancing

The Tinder Swindler is also a healthy reminder that most scams are not quite as elaborate as those cooked up by Simon Leviev.  But most scams operate on the same human emotions of romance and self-interest. 

Set some clear rules for yourself in the dating world – and also for when you’re answering emails and text messages — or when you’re looking for work on a job site.  If it looks too good to be true – it probably is!