The use of this square barcode in everyday life has increased the risk of QRishing.

Stefano GAZZELLA, July 30, 2021

With the introduction of the Green Pass, everyone is talking about the QR (Quick Response) code: a square bar code that holds encoded information, which can be read with a dedicated program. These codes can appear on a product label or as part of a coupon, be printed on paper (for example to open a restaurant menu), be digitised, or exist in an entirely digital format. In the case of the Green Pass, the VerificationC19 app makes accessible and searchable the information on the validity of the certificate, together with the holder's name and date of birth. However, according to the technical specifications published by the European Commission, the QR code contains further information, so the Guarantor's invitation to avoid spreading it (especially on social networks) is a necessary precaution.

In fact, being clearly aware of which data one communicates and disseminates is one of the first steps towards managing one's own digital security properly. The second is, obviously, to be aware of the risks one is exposed to by disseminating or communicating some of one's personal data, taking into account the current cyberattack scenarios. In short: know in order to prevent.

Now consider a different scenario: what are the risks if you read a QR code out of curiosity? Since the information that can be encoded also includes an internet address, a cybercriminal could use this tool to deliver an attack, for example by redirecting the user to a fraudulent landing page or by embedding a malicious URL from which malware is downloaded.
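The scenario above comes down to the phone acting on whatever string the QR symbol decodes to. The following added example (not code from the article) shows the kind of preview a scanner app can show before opening anything: it classifies the decoded payload and lists warning signs for links. It assumes the symbol has already been decoded to a string; the heuristics, the lists and the sample payloads are constructed for illustration.

```python
# Added example, not code from the article: triage a decoded QR payload before
# the phone acts on it. Assumes the scanner has already turned the symbol into
# a string; heuristics, lists and sample payloads below are constructed.
import ipaddress
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}   # hide the real target
RISKY_SUFFIXES = (".apk", ".exe", ".msi", ".scr")          # silent "update" downloads


def payload_kind(payload: str) -> str:
    """Classify the decoded text: a link, a Wi-Fi join string, or plain text."""
    lowered = payload.lower()
    if lowered.startswith(("http://", "https://")):
        return "url"
    if lowered.startswith("wifi:"):
        return "wifi"
    return "text"


def url_risk_flags(url: str) -> list[str]:
    """Warning signs a user should see before the link in a QR code is opened."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")
    try:
        ipaddress.ip_address(host)          # a bare IP instead of a brand's domain
        flags.append("raw-ip-host")
    except ValueError:
        pass
    if host in SHORTENERS:
        flags.append("url-shortener")
    if "xn--" in host:                      # IDN/punycode lookalike domains
        flags.append("punycode-host")
    if parts.username or parts.password:    # "https://brand.example@other-host" tricks
        flags.append("credentials-in-url")
    if parts.path.lower().endswith(RISKY_SUFFIXES):
        flags.append("executable-download")
    return flags


def triage(payload: str) -> dict:
    """Summarise what the code would make the phone do; open only if nothing is flagged."""
    kind = payload_kind(payload)
    flags = url_risk_flags(payload) if kind == "url" else []
    return {"kind": kind, "flags": flags, "safe_to_open": kind == "url" and not flags}
```

For a constructed restaurant-menu link such as `https://menu.example/tavolo/12` the triage returns no flags, while a sticker-style lure such as `http://bit.ly/2abc` is reported as both non-HTTPS and shortened, so the user sees why the scanner hesitates.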
This is the phenomenon of QRishing (QR + phishing), which has already emerged thanks to the more widespread use of QR codes in daily life, a use that has grown significantly during the pandemic emergency. The underlying problems are the same as for smishing: the mistaken belief that the smartphone is safe, and the lower level of attention paid while using it. As a result you can fall victim to a scam, since you will enter your personal data (and often your payment details as well) on a page opened through an apparently reliable QR code, or you will download malware onto your device. For example, a scammer can stick a label carrying his own QR code over an original one, or attach it to a counterfeit advertisement or discount coupon, thus exploiting a brand's reputation to win the victim's trust. Awareness of the attack method and the adoption of the usual anti-phishing precautions, suitably adapted, are and remain the user's best defence.

SMS scams: how to defend yourself from smishing

Stefano GAZZELLA, March 14, 2020
Phishing, as is well known, is an online scam in which a fake communication (e.g. by email, pop-up or PEC, the Italian certified email) that appears to come from a trustworthy organisation is used to obtain personal or corporate information from the recipient, such as login credentials or financial data. The deception thus allows the cybercriminal to "fish" for information and passwords, often without the victim's knowledge, or even to infect devices through malicious attachments. Smishing is the same activity carried out through text messages (SMS + phishing = smishing).

Why are SMS now used as a vehicle for this type of attack? A first reason is prejudice: users mistakenly believe that smartphones are generally safe, or in any case less vulnerable than a computer. A further reason is that smartphone users are often doing something else at the same time (walking, for example), or in any case devote a lower threshold of attention to the device. The user is therefore less aware of the risks and less attentive to the countermeasures to adopt. These elements are undoubted advantages for the cybercriminal. Moreover, smartphones often carry applications for reading email, cloud storage or access to management software that lead back to the data or systems of a company or professional practice (under BYOD policies, or simply in practice), which makes these devices very attractive targets.

How to recognise these fraud attempts? Let us try to outline the common elements of smishing. The leverage employed by scammers is often emotional: it leads the victim to drop some basic precautions by playing on needs (an offer or a contest to join), trust (a trusted sender), the need for protection (improve your account's security), fears (avoid charges) and desires (easy earnings).
Often the warning signs are found in the content of the message, which for instance demands action to avoid some kind of problem, or to take up a last-minute offer. The aim is always to get the potential victim to visit a website, reply to the message or call a number. Here are three simple tips to improve your safety:

• in general, do not click on links contained in an SMS;
• think before acting, asking yourself for example whether the sender would really have sent that kind of SMS, or whether the content of the message is true, and carry out further checks;
• if in doubt, try to contact the sender using the numbers already in your possession to confirm the communication.

In any case, none of these precautions should be abandoned or relaxed just because the message appears to come from a known and trusted sender, since the number may have been spoofed or compromised. Likewise, SMS invitations to download common and legitimate apps must be treated with particular caution, because they can conceal malware that installs itself on your smartphone. Remember that the scammer's goal is to obtain the victims' personal data, or data to which the victims have access (for example: companies, customers, other contacts), in order to carry out identity theft, steal money or prepare further large-scale attacks.