Coinbase’s Mystery QR Code Super Bowl Ad Is a Security Nightmare
While Coinbase got more than 20 million of you to scan a QR code during the Super Bowl, we don’t need advertisers normalizing scammer behaviors.
By Max Eddy
As cryptocurrencies and NFTs have blown up, they’ve brought with them a reality distortion field that turns good cybersecurity advice on its head. Nowhere was this more evident than in the crypto-related ads in the 2022 Super Bowl, especially Coinbase’s enigmatic QR code ad.
In Coinbase’s commercial, a QR code bounces around the screen, changing colors as it collides with the edge, recalling DVD screensavers of yester-decade. It’s not until the end of the one-minute spot that we learn it’s for Coinbase via a blink-and-you-miss-it logo that flashes on the screen. At least it was a big hit with dogs.
Coinbase’s Super Bowl ad used a tactic favored by scammers: the confusing link. I receive spam texts and emails all the time that contain just a link, or a link and the vague mention of a bill or available cash. Scammers hope that curious people will click the link to understand the cryptic message. (Don’t do it.)
Coinbase’s intent was the same. The company wanted people to scan the code and see what the big mystery was about. Spoiler: It’s a promotion where new signups to Coinbase receive $15 in bitcoin, while existing users got a “chance to win $3 million in prizes.”
This is a fairly innocuous tactic, although I wonder what kind of data Coinbase may have harvested off the millions of curious visitors. I also wonder how many people impulsively signed up since, hell, they’re on the site already. What’s more worrisome is that the reliance on QR codes could easily be hijacked by more traditional scammers.
For instance, the nonprofit National Cybersecurity Alliance warned that an enterprising scammer could easily create a lookalike video with a different QR code that leads to a phishing site. There’s no way to tell just by looking at a QR code whether it’s what you were expecting. You have to scan it to find out.
In this scenario, the scammer could dress up the phishing site to mimic the Coinbase page and encourage visitors to hand over their personal information—or worse, financial information. It would be especially effective going after the same target audience as the Coinbase ad: People unfamiliar with Coinbase who heard the hype about the ad and the dizzying news about various crypto products.
“Many individuals are not aware that [QR] codes are being spoofed by cybercriminals and woven with malware or malicious URLs in hopes of opening the door to sensitive data,” said Lisa Plaggemier, Interim Executive Director of the National Cybersecurity Alliance. “Yet, for all of the talk about how the negative impacts of the Coinbase ad from a cyber perspective, the ad also stands to do a bit of good as well by raising the profile of the QR code security conversation in a way that it frankly hasn’t been yet.”
The problem with QR codes is that they rely on a kind of blind trust, which has only recently been lessened. Changes to the Android OS mean that it’s more difficult to force the installation of malicious applications linked in a QR code. Also, the default behavior for most smartphones can act as guard rails. On Android and iOS, you can scan a QR code simply by opening the camera app and pointing it at the code. The app will overlay a preview of the linked URL, which you then have to tap to navigate to the site linked by the QR code. This means people at least have the option to nope out before visiting the site, if the URL looks dubious.
Nothing New Under the Sun
It’s notable how many facets of the cryptocurrency world mimic social engineering scams I’ve written about. Like scams and malware, cryptocurrencies are spun up in response to the zeitgeist. Take the nefarious squidcoin scam, where someone created a cryptocurrency themed after the popular Netflix show, Squid Game. Squidcoin came and went with the fad, taking a pile of money with it. Even more “legitimate” crypto products are powered by memes, such as Doge coin, which started as a joke before it spun out of control.
Cryptocurrencies also trade heavily on another scam technique: the fear of missing out or FOMO. When you get an email from a Nigerian prince saying you have just 24 hours to wire a $1,000 deposit so you can receive a $1 million payout, you understand that the scammer is using the time crunch and the promise of easy riches to short circuit your rational thinking. Similarly, many crypto products (including one advertised by Larry David at the Super Bowl) use the fear that you might miss out on the next Bitcoin if you don’t buy in right now. The message is, “You will regret this chance to become an overnight billionaire!”
As an aside, some may point out that all these criticisms could be made of other financial products and tricky marketing schemes and, perhaps, capitalism writ large. They are correct: All these things are bad.
Trust Your Instincts
Crypto products are doing a lot of damage to the world. The worst rely on confusion and hype to lure people into outright scams, while the best still magnify the greed and danger of speculative investment by operating in a totally deregulated environment. That’s not to mention the environmental damage of GPUs gobbling down kilowatt hours to create digital funny money.
We shouldn’t accept any of that, and we really should not accept the idea that people ought to ignore their instincts when it comes to scams. Things that sound too good to be true often are, and you really, really should not click links you don’t understand.
Originally published at https://www.pcmag.com.