Malicious QR Codes Posted Where There's Lots of Foot Traffic
Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."
This could be really dangerous! (Score:4, Insightful)
If anyone actually used QR Codes, which they don't, so no harm.
Re: (Score:1)
There is no confirmation on Windows Phone as far as I can tell.
At least on WP7, using the Bing Vision functionality (built into WP7.5), when you scan a QR code it lists the data in the QR code. You then have to tap on the displayed link to open the browser. If it is not a link, then it just displays the data.
Re:This could be really dangerous! (Score:5, Informative)
I can only speak for my specific case (Android, using Barcode Scanner app): the app displays the captured image, metadata about the capture, and a decode of the string (recognizing, for instance, that it's a URI QR). BUT does not just hie off to whatever website is indicated. The displayed URI string is clickable, and clicking it does open the URI in the default browser app, but it does take that much human intervention to navigate there.
A few notable specifics to compare with other situations:
(A) No OS-native QR code capability. It required an app from the Google App Store (free, but not Free). One of several, it appears.
(B) There is a configurable option "Retrieve more info" which, when enabled, looks up information about URI/URL QR codes as part of the decode. For instance, after ingesting the sample QR code [wikipedia.org] from the Wikipedia "QR Code" article, the app correctly decodes the URI as "http://en.m.wikipedia.org", but with the "Retrieve more info" option enabled, it adds the descriptor "Wikipedia, the free encyclopedia"... which is the <Title> property at the top of that page, so I guess the app is retrieving the target URL internally and decoding the <Title> at least. Maybe that would be a buffer overflow vector for a well-crafted exploit, so I turn that option off.
Re:This could be really dangerous! (Score:4, Interesting)
The problem here is you are being reasonable and thinking logically about what you're doing. I'm sure you've noticed how much the average person hates having to think. Compare your comment with the average YouTube comment and see if you don't notice a difference.
Now, try behaving like the average person for a bit: point at the QR code and then click whatever link pops up. Come on, you've already done more than enough thinking: putting the app on your phone, loading the app and pressing a button while aiming at the QR code. Now you want to have to think some more, think about where that link is going to take you?
I bet the problem makes much more sense now.
Re:This could be really dangerous! (Score:4, Informative)
The source code for the Barcode Scanner app can be found here: http://code.google.com/p/zxing/source/browse/trunk [google.com]
It is free as in Free, Apache 2.0 license.
Re: (Score:2)
Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.
I think I got the Barcode Scanner from F-Droid [f-droid.org] (Open Source android app repository); I usually check there before the Play store for utility apps like that.
Re: (Score:2)
Not entirely true anymore. About a week ago Google updated Google Search so that Google Now has a visual search that reads barcodes now.
Re: (Score:2)
Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.
Even if there were...most people wouldn't pay enough attention to notice that they were about to navigate to "www.MakeMyAndroidYourButtmonkey.cn" while they were on their way through the mall to get a Cinnabon. You can see what web address you're about to go to in an email link if you just hover over it, in most email clients (web or not), yet still many people fall for phishing schemes. And that's when you're sitting down at a computer, not walking around in the middle of other things and surrounded by d
Re: (Score:3)
You think anybody is going to be able to check there isn't a malicious script at the end of that? The vast, vast majority of people won't even be able to check the trail beforehand, they either have to click or not click, and it's A FUNNY PICT
Re: (Score:3)
[hackeddomain.com] (Score:2)
I think it's interesting that slashdot got it. Maybe there is no pure security out there, but clearly there are preventative steps that could help.
Re: (Score:2)
I've found it the quickest way to transfer a web address bookmark off my PC and onto my smartphone, without the ******** hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.
Re: (Score:1)
But then you're probably the one generating it. Or should be :p
Re: (Score:2)
Opera Mobile (NOT Opera Mini) also allows you to do this. You can have it sync your bookmarks and saved passwords between devices that you have Opera installed on. It's helpful if you use multiple computers and/or devices. Works with Android, Linux, and Windows. Probably OSX and iOS too, but I don't use those.
Re: (Score:2)
hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.
Why not use Bluetooth? A bluetooth dongle for your PC costs $20 at WalMart, and if a smart phone didn't have it I wouldn't buy the phone -- hell, I've had dumb phon
Re: (Score:2)
F A C E T I O U S spells facetious. Can you use the word facetious in a sentence?
Although it's equally possible he has a Nokia. What he describes would be a vast improvement over their Ovi suite.
Re:This could be really dangerous! (Score:5, Funny)
This is why I'm sticking with my :CueCat.
Re: (Score:1)
I used a QR code exactly once, when I realized it just went to a video ad, I realized they were just compact banner ads.
Still, if that was a malicious QR code, my phone could have been compromised.
Re: (Score:2)
Still, if that was a malicious QR code, my phone could have been compromised.
More likely (and more easily) your Windows PC when you transferred the files to it. Smartphones are a fractured market, while Windows PCs are a monoculture. Plus, Windows PCs are a lot less secure than any phone. Considering how locked down phones are, they may even be safer than Macs and Linux.
I don't use QR codes (Score:4, Funny)
No way. Rick Astley? Goatse? Not worth the risk.
Re:I don't use QR codes (Score:4)
I love how those two things are like equally heinous in your book. :)
I scan 'em once in a blue moon, but my phone app shows you the URL and asks confirmation, so at least there's that.
Re: (Score:2)
If we're on Android, and the Google tin foil hat is a nice fit, Google Goggles does a good job at reading QR Codes. It too displays all the information before you get a chance to click. It's even picked out QR Codes from the background of portrait photos, and when I first saw that, it was one of those 'neat' moments.
People are talking about encoded URLs on this thread, but I've had a bit of fun encoding large amounts of text in a QR Code, which was then printed ins
Re: (Score:2)
One is anous and the other is heinal.
Does anyone use QR codes? (Score:2)
Re:Yes, and my /. id is smaller than yours (Score:4, Funny)
Now I will need to disable them in Google Glasses or something.
The Glasses! They do something!
Re: (Score:2)
Would malware makers even bother with the stickers if people didn't use them?
That's like asking if people are dumb enough to think they will make millions cashing checks for some lawyer in Nigeria.
Ha, ha, ha, ha, ha, ha, ha, ha.
Re: (Score:2)
You should stop reading slashdot, it's not for you.
How the fuck do you think the qr code redirected you to the "scratcher" ticket?
Re: (Score:3)
Yes,
They are very useful on real estate For Sale signs.
Re: (Score:2)
More useful than opening Zillow or RedFin, getting a GPS fix, and immediately having all the MLS data?! Not quite sure how, but to each his own.
Re: (Score:2)
I'd hazard a guess that it's far more common that average potential buyers scan the QR codes instead of loading up those apps.
Of course, now I have a good idea where to place my QR stickers...
I don't scan with my feet (Score:2)
I know it's about pedestrian, rather than vehicular, traffic. But for an instant I thought some genius had thought of an exploit for high-tech shoes that had QR code scanners in their soles that linked to their smartphones.
Now that would be a plot for a near future sci-fi novel. A sort of Apple maps-like fiasco that would send hapless pedestrians falling off bridges or onto the freeway.
Norton Snap QR code reader (Score:4, Informative)
Obfuscated URLs (Score:5, Interesting)
Any time you obfuscate the underlying address in a URL you pose a security risk.
QR codes are no different than shortened URL services like bit.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified to the human reader.
Re: (Score:2)
Each reader I have used show the URL.
If it shows a bit.ly or some other URL shortened crap or even something I do not recognize I skip it.
Re: (Score:2)
Actually, URL shortening services are worse - the malware could be inserted by the shortening service itself. Two points of attack, instead of just one.
It constantly amuses me how many newspapers have articles and editorials saying how evil the Libyan government is - and then they use the bit.ly service to link to other material.
Re: (Score:3)
QR codes can contain more than just a URL.
They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR code, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.
Just do it with something like "call this number to get free minutes" or something...
Malicious QR codes are nothing (Score:2)
Haven't We Known This For Centuries? (Score:3)
If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.
Why should sticking a QR code into your phone be any different?
Re: (Score:2)
Why should sticking a QR code into your phone be any different?
less fun?
Re: (Score:2)
Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance?
...uh, because browsers are designed by lonely programmers, instead of bomb squad techs.
Re: (Score:2)
I sometimes do 3, even 4 QR codes in a day, what does that make me?
I've always thought QR codes were dumb. (Score:3)
At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font [wikipedia.org] inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.
This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.
Re: (Score:2)
and 4) if you can't scan the QR code when you see it, you have a reasonable chance of remembering a decent URL; you have zero chance of remembering a QR code.
Re: (Score:1)
Microsoft's version of QR codes uses colorful triangles and is effective in the wow-factor. I see it used in a local daily newspaper for a lol-cat-type column where they don't want the URL known by us unwashed masses.
Two reasons they are worse than QR codes:
+ Tracking. I am surprised not to have seen anybody mention this, so my guess is that standard QR codes are indeed deterministic and just decode some set graphic to text / url to process according to some type sentinel. The problem here is MS houses a central
Re: (Score:2)
QR codes do just encode straight data, text, or a link, but many of the sites that will generate them for free for you actually generate a link to their own site and forward to your site, so they can be doing the same kind of tracking. The best way to do them is to print the link (or at least the domain) in readable text along with the QR, so that you can at least check that they resolve the same way. There's plenty of free software that will generate good QR codes without the deceit, but most people who
Surprised (Score:2)
Re: (Score:2)
It's also a lot of work compared to other attack vectors.
After finding the obvious exploit and crafting your site (for whatever attack you plan), sending out lots of spam or placing compromised ads will allow you to reach millions of potential victims in a very short time, with limited effort.
Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.
Re: (Score:2)
It's also a lot of work compared to other attack vectors.
Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.
And you have to pay actual money for those stickers or fliers that you're sticking to things, and maybe even have to pay someone to do it. More traditional all digital vectors probably give you a lot more bang for the buck.
The gift that keeps on giving (Score:1)
When you put links to Tubgirl and Goatse on top of realtors' (estate agents') QR codes
Subversion time. (Score:2)
1. Find film posters.
2. Apply QR code pointing to a pirate source for that film.
3. No profit. That's the idea.
I predict... BlipQRs! (Score:2)
I predict the next QR code attack will be:
Malware QR codes blinked on TV screens, or web pages, just long enough to drive exposed phones and devices to hostile sites.
Sorta like digital subliminals.
I'll risk person has same. (Score:1)
Follow the money. Sooner or later someone has to take money out of the ultimate destination account.
Then, testicleectomy is warranted.