The Register® — Biting the hand that feeds IT


That square QR barcode on the poster? Check it's not a sticker

Crooks slap on duff codes leading to evil sites


Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.

QR codes are two-dimensional matrix barcodes that can be scanned by smartphones, linking users directly to a website without their having to type in its address. By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.

Security watchers have already seen spam messages pointing to URLs that use embedded QR codes. Now crooks have gone one step further by printing out labels and leaving them in well-trafficked locations.

Warren Sealey, director of enterprise learning and knowledge management at Symantec Hosted Services, explained: "We've seen criminals using bad QR codes in busy places, putting them on stickers and putting them over genuine ones in airports and city centres."

Sealey made his comments at the Ovum Banking Technology Forum 2012 in London on Wednesday.

Sian John, UK security strategist at Symantec, said: “There has been an explosion in the number of QR codes over the last couple of years, and cybercriminals are taking full advantage. Because QR codes just look like pictures it’s extremely difficult to tell if they’re genuine or malicious, making it easy to dupe passers-by into scanning codes that may lead to an infected site, or perhaps a phishing site.

“If users want to make sure that their mobile is protected they should consider a QR reader that can check a website’s reputation before visiting it,” she added. ®
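As an added illustration (not code from the article or from Symantec), the sketch below shows the kind of static check a QR reader could run on the decoded text before displaying it for confirmation and before any reputation lookup. The function name, the `expected_host` parameter and the shortener list are assumptions made for this example; the sample payloads in the usage are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of link-shortener hosts (an assumption; not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def assess_qr_payload(payload, expected_host=None):
    """Classify text decoded from a QR code before anything is opened.

    Returns (verdict, reasons): "block" = do not open, "warn" = show the URL
    with the listed reasons, "show" = show the URL and ask as usual.
    expected_host is the site named on the poster (hypothetical parameter).
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "block", ["payload is not a parseable URL"]
    if parts.scheme not in ("http", "https"):
        return "block", ["not an http(s) link: scheme %r" % parts.scheme]
    host = parts.hostname or ""
    if not host:
        return "block", ["URL has no host"]

    reasons = []
    if parts.scheme == "http":
        reasons.append("unencrypted http link")
    if parts.username is not None:
        reasons.append("text before '@' is not the host; real host is " + host)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass  # an ordinary DNS name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host may imitate another name")
    if host in SHORTENER_HOSTS:
        reasons.append("shortener hides the final destination")
    if expected_host and host != expected_host \
            and not host.endswith("." + expected_host):
        reasons.append("host does not match expected " + expected_host)
    return ("warn" if reasons else "show"), reasons
```

A "show" verdict still means the reader displays the full URL and asks before opening it; these checks only decide how prominent the warning is.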


Re: Devil's Advocate

There's nothing wrong with QR codes, as such. If anything, they are working perfectly.

The problem is, was, and always has been browsers that do not act on the COMPLETELY UNTRUSTED DATA that they receive from the network in the proper fashion (i.e. trusting nothing, and checking everything).

It's like saying that a sticker that says "Stick your head in a gas oven" is dangerous. It might be. But only if you blindly and trustingly follow its instructions without question no matter what the content.

The fix here is not to stop using QR codes - it's to stop using browsers that are so full of "features" that visiting a URL becomes a dangerous gamble. At absolute worst, the browser should do one of those "This page is taking up too much CPU time, do you want to stop it?" messages. It should not crash, try to download, steal data or otherwise exploit your machine. And it's nothing to do with making a "perfect" secure app, which doesn't exist, it's about being sensible with the data you're given, i.e. not running scripts, plugins, triggering downloads, etc. by default.

I use Opera and when we have a "dodgy" URL come up in my workplace (a school), I often have to trace it back to the original user. This usually means going to the server logs and copy/pasting suspected bad URLs from them to check their content. Although I run it in a VM in those instances (no use ASKING for trouble), Opera, by default, just doesn't let you do anything stupid and has the least number of vulnerabilities published for it (and has had since about Opera 3.5). I can literally just copy/paste a known exploit URL in there and 99.9% of them won't work (because they rely on Java, ActiveX, or some other junk) and the ones that "try" to work by triggering downloads, running executables, opening lots of pages, etc. or even crashing the browser I can easily cancel before they can do any damage.

And even then, they can't jump out of the virtual machine even if I just used IE and double-clicked everything. If you can do that in a VM, you can also push that separation-while-enjoying-full-functionality down to the application (the VM is nothing but an application).

There's nothing wrong with QR codes that isn't also wrong with bookmarks/favourites, URLs in your IM, URLs themselves(!), URL shortening services or just about any method to transfer a URL (e.g. that "bump-together" junk that's in smartphones now). The problem is in browsers that don't treat untrusted HTML data off a network as exactly that - untrusted.


Re: Url warning

Mine (free off android) pops up something like "The URL is http:\\blahblah are you sure you want to?"

I guess some people are idiots and don't deserve the right to have a smart phone.


Rickrolling

Been around for a while.

