
Malicious QR Codes Posted Where There's Lots of Foot Traffic

Posted by Soulskill
from the neither-idiotproof-nor-jerkproof dept.
Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."
  • by Anonymous Coward on Tuesday December 11, 2012 @07:19PM (#42255175)

    If anyone actually used QR Codes, which they don't, so no harm.

    • by mikael (484)

      I've found it the quickest way to transfer a web address bookmark off my PC and onto my smartphone, without the ******** hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

      • by Ardyvee (2447206)

        But then you're probably the one generating it. Or should be :p

      • by mcgrew (92797) *

        hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

        Why not use Bluetooth? A bluetooth dongle for your PC costs $20 at WalMart, and if a smart phone didn't have it I wouldn't buy the phone -- hell, I've had dumb phon

        • F A C E T I O U S spells facetious. Can you use the word facetious in a sentence?

          Although it's equally possible he has a Nokia. What he describes would be a vast improvement over their Ovi suite.

    • by MrEricSir (398214) on Tuesday December 11, 2012 @07:34PM (#42255297) Homepage

      This is why I'm sticking with my :CueCat.

    • by Anonymous Coward

      I used a QR code exactly once; when I realized it just went to a video ad, I realized they were just compact banner ads.

      Still, if that was a malicious QR code, my phone could have been compromised.

      • by mcgrew (92797) *

        Still, if that was a malicious QR code, my phone could have been compromised.

        More likely (and more easily) your Windows PC when you transferred the files to it. Smartphones are a fractured market, while Windows PCs are a monoculture. Plus, Windows PCs are a lot less secure than any phone. Considering how locked down phones are, they may even be safer than Macs and Linux.

  • by dmomo (256005) on Tuesday December 11, 2012 @07:21PM (#42255193) Homepage

    No way. Rick Astley? Goatse? Not worth the risk.

  • Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes and those were for store promotions where if you were in their store you could scan a QR code and get a virtual "scratchers" ticket which would tell you if you won a prize or not.
    • by medv4380 (1604309)
      Would malware makers even bother with the stickers if people didn't use them?
      • by drkim (1559875)

        Would malware makers even bother with the stickers if people didn't use them?

        That's like asking if people are dumb enough to think they will make millions cashing checks for some lawyer in Nigeria.

        Ha, ha, ha, ha, ha, ha, ha, ha.

    • Yes,
      They are very useful on real estate For Sale signs.

      • by aaarrrgggh (9205)

        More useful than opening Zillow or RedFin, getting a GPS fix, and immediately having all the MLS data?! Not quite sure how, but to each his own.

        • by plover (150551)

          I'd hazard a guess that it's far more common that average potential buyers scan the QR codes instead of loading up those apps.

          Of course, now I have a good idea where to place my QR stickers...

  • I know it's about pedestrian, rather than vehicular, traffic. But for an instant I thought some genius had thought of an exploit for high-tech shoes that had QR code scanners in their soles that linked to their smartphones.

    Now that would be a plot for a near future sci-fi novel. A sort of Apple maps-like fiasco that would send hapless pedestrians falling off bridges or onto the freeway.

  • by doug141 (863552) on Tuesday December 11, 2012 @07:46PM (#42255405)
    It'll check out the site before connecting you, and is one of the few free code readers that doesn't require location permissions.
  • Obfuscated URLs (Score:5, Interesting)

    by agiacalone (815893) <agiacalone@nOSpam.gmail.com> on Tuesday December 11, 2012 @07:47PM (#42255407) Homepage

    Any time you obfuscate the underlying address in a URL you pose a security risk.

    QR codes are no different than shortened URL services like blt.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified to the human reader.

    • by Dishevel (1105119)

      Each reader I have used shows the URL.
      If it shows a bit.ly or some other URL shortened crap or even something I do not recognize I skip it.

    • Actually, URL shortening services are worse - the malware could be inserted by the shortening service itself. Two points of attack, instead of just one.

      It constantly amuses me how many newspapers have articles and editorials saying how evil the Libyan government is - and then they use the bit.ly service to link to other material.

    • by tlhIngan (30335)

      QR codes can contain more than just a URL.

      They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR code, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.

      Just do it with something like "call this number to get free minutes" or something...

  • I'm far more afraid of vicious gangs of Keep Left signs
  • by IonOtter (629215) on Tuesday December 11, 2012 @08:47PM (#42255891) Homepage

    If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.

    Why should sticking a QR code into your phone be any different?

    • Why should sticking a QR code into your phone be any different?

      less fun?

    • I sometimes do 3, even 4 QR codes in a day, what does that make me?

  • by sootman (158191) on Tuesday December 11, 2012 @08:58PM (#42255971) Homepage Journal

    At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font [wikipedia.org] inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.

    This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.

    • and 4) if you can't scan the QR code when you see it, you have a reasonable chance of remembering a decent URL; you have zero chance of remembering a QR code.

    • by Anonymous Coward

      Microsoft version of QR codes uses colorful triangles and is effective in the wow-factor. I see it used in a local daily newspaper for a lol-cat-type column where they don't want the URL known by us unwashed masses.

      Two reasons they are worse than QR codes:
      + Tracking. I am surprised not to have seen anybody mention this, so my guess is that standard QR codes are indeed deterministic and just decode some set graphic to text / url to process according to some type sentinel. The problem here is MS houses a central

      • QR codes do just encode straight data, text, or a link, but many of the sites that will generate them for free for you actually generate a link to their own site and forward to your site, so they can be doing the same kind of tracking. The best way to do them is to print the link (or at least the domain) in readable text along with the QR, so that you can at least check that they resolve the same way. There's plenty of free software that will generate good QR codes without the deceit, but most people who
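Added example, not part of the original thread or any commenter's code: a Python triage of an already-decoded QR payload, combining the checks raised in the "Obfuscated URLs" comments (show the real host, distrust shorteners, treat `tel:` payloads carrying service codes as suspect) with the suggestion above to compare the code against a domain printed beside it. The function name, the shortener list, the punycode and userinfo checks, and all sample payloads are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Assumed, non-exhaustive list; bit.ly and goo.gl are the services named in the thread.
SHORTENERS = {"bit.ly", "goo.gl"}

def triage_qr_payload(payload, printed_domain=None):
    """Return warnings for an already-decoded QR payload; empty list = nothing flagged."""
    payload = payload.strip()
    parts = urlsplit(payload)
    scheme = parts.scheme.lower()
    if scheme == "tel":
        # A dial string with * or # is a service (USSD/MMI) code, not a phone number.
        number = unquote(payload[4:])
        if "*" in number or "#" in number:
            return ["tel: payload contains * or #, a service code rather than a phone number"]
        return []
    if scheme not in ("http", "https"):
        return [f"unexpected scheme {scheme!r}: show the raw payload, do not auto-open"]
    warnings = []
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.username is not None:
        warnings.append("userinfo before '@' can disguise the real host")
    if host in SHORTENERS:
        warnings.append(f"{host} is a URL shortener: final destination is hidden")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host: may imitate another domain when rendered")
    if printed_domain:
        # The domain printed next to the code must be the host or a parent of it.
        printed = printed_domain.lower().rstrip(".")
        if host != printed and not host.endswith("." + printed):
            warnings.append(f"host {host} does not match printed domain {printed}")
    return warnings

# Constructed sample payloads (not taken from the thread).
SAMPLES = [
    ("https://www.example-realty.test/listing/42", "example-realty.test"),
    ("http://bit.ly/abc123", "example-realty.test"),
    ("https://example-realty.test.evil.test/", "example-realty.test"),
    ("tel:*123%23", None),
    ("tel:+15555550100", None),
]

if __name__ == "__main__":
    for payload, printed in SAMPLES:
        print(payload, "->", triage_qr_payload(payload, printed) or "no warnings")
```

The suffix comparison requires a leading dot, so a look-alike host that merely begins with the printed domain is still reported as a mismatch.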

  • Well, I am surprised it took so long to appear. The attack is easy and the gains are obvious.
    • by wvmarle (1070040)

      It's also a lot of work compared to other attack vectors.

      After finding the obvious exploit and crafting your site (for whatever attack you plan), sending out lots of spam or placing compromised ads will allow you to reach millions of potential victims in a very short time, with limited effort.

      Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional rou

      • It's also a lot of work compared to other attack vectors.

        ...

        Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

        And you have to pay actual money for those stickers or fliers that you're sticking to things, and maybe even have to pay someone to do it. More traditional all digital vectors probably give you a lot more bang for the buck.

  • When you put links to Tubgirl and Goatse on top of realtors (estate agents) QR codes

  • 1. Find film posters.
    2. Apply QR code pointing to a pirate source for that film.
    3. No profit. That's the idea.

  • I predict the next QR code attack will be:
    Malware QR codes blinked on TV screens, or web pages, just long enough to drive exposed phones and devices to hostile sites.

    Sorta like digital subliminals.

  • Follow the money. Sooner or later someone has to take money out of the ultimate destination account.

    Then, testicleectomy is warranted.
