Hello and welcome to the Tuesday, May 9, 2020,

edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I've got more news about QR codes.

Overall, I'm not really considering QR codes of the huge threats that

some people consider them, but there are certainly some issues where the ease of use of

QR codes also helps attackers. With that, there are two distinct cases where recently

QR codes have been used maliciously, one apparently in Singapore.

Now, in this case, the victim scanned a QR code in a restaurant, believing that it led to a survey, which of course offered some kind of price.

The first thing that should probably have triggered sort of a little bit an alarm here is that

in order to participate in this survey, you first have to download a mobile app on your Android

phone.

Okay, and these days everything sort of is its own app, maybe not really all that suspicious

to require the download of an app in order to participate in this simple restaurant survey.

But then once the app was installed, it did require quite excessive privileges to accessibility features, microphone, camera, essentially gaining full access to the device.

The app then used this access in order to take over financial applications and train victims' bank accounts.

The other case was here in the United States and a little bit of more traditional

sort of QR code abuse. Apparently in San Francisco, someone is handing out fake parking

tickets, which conveniently come with a QR code that allows the victim to pay. These are then

good old fishing websites that basically just steal payment data from the victim.

The tickets were not only dated in the future, but they were also issued apparently by the city

of San Francisco, where usually San Francisco tickets are issued by the San Francisco Municipal Transport Agency. Of course,

...