Anything & Everything Costa Rica

“Quishing” at charging stations: the new scam for electric vehicle drivers

QCOSTARICA — Many countries and regions around the world have rapidly embraced electric vehicles. Some 14 million new vehicles were registered in 2023 alone, an annual increase of 35% that brings the global total to more than 40 million.

But new technologies bring with them new threats. ESET, a leading company in proactive threat detection, warns about criminal groups that are combining physical and virtual threats to steal payment data from those who drive these types of vehicles.

“One of the latest tricks is to use QR code spoofing techniques, known as “quishing,” to spy on or steal payment data. In fact, it is not very different from the tricks that use fake QR codes on parking meters, and those who drive electric vehicles should be careful with this type of threat at charging stations,” says Camilo Gutiérrez Amaya, head of the ESET Latin America Research Laboratory.

– Advertisement –

Quishing results from the mix between the words QR code and phishing. Scammers place fake QR codes on top of the authentic ones. When these are scanned, they take victims to a phishing site to collect their credentials/information or download malware.

“It is a particularly effective tactic because it does not arouse the same level of suspicion among users as, for example, phishing URLs. In addition, mobile devices are usually less protected than laptops and desktops, so there is a greater chance of success. A report from the end of last year noted a 51% increase in quishing incidents in September compared to January-August 2023,” adds Gutiérrez Amaya from ESET Latin America.

In this case, the criminals found a way to adapt the scam to the new electric vehicle craze sweeping the world. According to reports from the UK, France and Germany, scammers are pasting malicious QR codes on top of legitimate ones at public charging stations. The code should take users to a website where they can pay for their electricity to the station operator (e.g. Ubitricity).

However, if they scan the fake code, they will be taken to a similar phishing site that will ask them to enter their payment details, which the cybercriminals will collect. It is claimed that the correct site will be loaded on the second attempt, to ensure that victims can eventually pay for the charge. Some reports also claim that cybercriminals could be using signal jamming technology to prevent victims from using their charging apps and force them to scan the malicious QR code.

No incidents of quishing have yet to be reported in Costa Rica.

ESET shares some simple measures you can implement to mitigate the risk of quishing at home or abroad:

– Advertisement –

  • Look closely at the QR code and possible red flags. Does it look like it’s stuck on top of something else, or is it part of the original sign? Is it a different color or font than the rest of the sign, or does it look out of place in some other way?
  • Never scan a QR code unless it appears on the parking meter terminal itself.
  • Consider paying only through a phone call or the official recharge app of the corresponding operator.
  • Disable the option to perform automatic actions when scanning a QR code, such as visiting a website or downloading a file. After scanning, look at the URL to verify that it is a legitimate domain associated with the service, rather than a suspicious URL.
  • Analyze the website the QR code links to. Does it contain any grammatical or spelling errors, or does anything look strange? If so, it may be a phishing site.
  • If something doesn’t look right, call the toll operator directly.
  • Many parking meters offer multiple payment methods, such as credit card, NFC payments, or coins. If you are uncomfortable scanning a QR code, consider using one of these alternatives to avoid the risk of interacting with a fraudulent code.
  • If you have been scammed, freeze your payment card and report the potential fraud to your bank/card provider.
  • Check your bank statement for suspicious transactions. Use two-factor authentication (2FA) on all accounts to provide an extra layer of security. This helps protect your account even if a scammer manages to redirect you to a fraudulent website and steal your credentials.
  • Make sure your mobile device has security software installed from a trusted vendor.

 

– Advertisement –

Source link

Rico

PlethoraCR