A scammer has stolen more than $45,000 worth of bitcoin over the past month by tricking people with fake QR code generators, ZDNet reports. Harry Denley, Director of Security at MyCrypto, discovered this scam running on nine different websites.
ZDNet explains that Bitcoin addresses are often converted into unique, scannable QR codes so users don’t have to type out the entire address in order to send a payment. There are many legitimate websites that offer this service.
However, the scam sites discovered by Denley wouldn’t actually generate a new QR code. Instead, when a user entered their Bitcoin address, the site would display the same QR code, which pointed to the scammer’s wallet. As a result, anyone who was duped by this scam would share this code thinking it pointed to their own wallet, but all payments would go to the scammer.
Since Bitcoin payments are public, Denley was able to see that the scammer had received the equivalent of more than $45,000.
This is a very simple scam, and it’s surprising that this technique isn’t more widely known. ZDNet notes that cryptocurrency wallet company ZenGo came across a similar fake QR code generating site in August 2019 that managed to steal $20,000, so this isn’t the first time such a scam has been observed in the wild. However, the amount of money the scammer generated in this recent case shows that many people are still unaware of the tactic. Unlike a URL or a Bitcoin address, a QR code can’t be scrutinized for typos, so users need to confirm that the services they use to generate these codes are trustworthy.
It’s also worth mentioning that Henley discovered the servers hosting these websites were hosting more than 450 additional sites containing various types of scams, primarily ads for fraudulent cryptocurrency gambling sites. The scammer also appears to have made approximately $117,000 through scam websites that promised to speed up the approval process for a Bitcoin transaction in exchange for a fee.
New-school security awareness training can help your employees think outside of the box when it comes to protecting themselves against social engineering tricks, as well as teaching them how to determine the legitimacy of online services.
ZDNet has the story: https://www.zdnet.com/article/network-of-fake-qr-code-generators-will-steal-your-bitcoin/
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
