That square QR barcode on the poster? Check it's not a sticker
Crooks slap on duff codes leading to evil sites
Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites.
QR codes are two-dimensional matrix barcodes that can be scanned by smartphones to link users directly to a website without having to type in its address. By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.
Security watchers have already seen spam messages pointing to URLs that use embedded QR codes. Now crooks have gone one step further by printing out labels and leaving them in well-trafficked locations.
Warren Sealey, director of enterprise learning and knowledge management at Symantec Hosted Services, explained: "We've seen criminals using bad QR codes in busy places, putting them on stickers and putting them over genuine ones in airports and city centres."
Sealey made his comments at the Ovum Banking Technology Forum 2012 in London on Wednesday.
Sian John, UK security strategist at Symantec, said: “There has been an explosion in the number of QR codes over the last couple of years, and cybercriminals are taking full advantage. Because QR codes just look like pictures it’s extremely difficult to tell if they’re genuine or malicious, making it easy to dupe passers-by into scanning codes that may lead to an infected site, or perhaps a phishing site.
"If users want to make sure that their mobile is protected they should consider a QR reader that can check a website’s reputation before visiting it,” she added. ®
Re: Devil's Advocate
There's nothing wrong with QR codes, as such. If anything, they are working perfectly.
The problem is, was, and always has been browsers that do not act on the COMPLETELY UNTRUSTED DATA that they receive from the network in the proper fashion (i.e. trusting nothing, and checking everything).
It's like saying that a sticker that says "Stick your head in a gas oven" is dangerous. It might be. But only if you blindly and trustingly follow its instructions without question no matter what the content.
The fix here is not to stop using QR codes - it's to stop using browsers that are so full of "features" that visiting a URL becomes a dangerous gamble. At absolute worst, the browser should do one of those "This page is taking up too much CPU time, do you want to stop it?" messages. It should not crash, try to download, steal data or otherwise exploit your machine. And it's nothing to do with making a "perfect" secure app, which doesn't exist, it's about being sensible with the data you're given, i.e. not running scripts, plugins, triggering downloads, etc. by default.
I use Opera and when we have a "dodgy" URL come up in my workplace (a school), I often have to trace it back to the original user. This usually means going to the server logs and copy/pasting suspected bad URLs from them to check their content. Although I run it in a VM in those instances (no use ASKING for trouble), Opera, by default, just doesn't let you do anything stupid and has the least number of vulnerabilities published for it (and has had since about Opera 3.5). I can literally just copy/paste a known exploit URL in there and 99.9% of them won't work (because they rely on Java, ActiveX, or some other junk) and the ones that "try" to work by triggering downloads, running executables, opening lots of pages, etc. or even crashing the browser I can easily cancel before they can do any damage.
And even then, they can't jump out of the virtual machine even if I just used IE and double-clicked everything. If you can do that in a VM, you can also push that separation-while-enjoying-full-functionality down to the application (the VM is nothing but an application).
There's nothing wrong with QR codes that isn't also wrong with bookmarks/favourites, URLs in your IM, URLs themselves(!), URL shortening services or just about any method to transfer a URL (e.g. that "bump-together" junk that's in smartphones now). The problem is in browsers that don't treat untrusted HTML data off a network as exactly that - untrusted.
Re: Url warning
Mine (free off Android) pops up something like "The URL is http:\\blahblah are you sure you want to?"
I guess some people are idiots and don't deserve the right to have a smart phone.
Been around for a while.
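The two defences mentioned on this page, a reader that checks a site's reputation before visiting it and a reader that shows the URL and asks first, can be sketched as one pre-open check on the text decoded from a QR code. This is an added example, not code from the article, Symantec or any QR reader; the function name, the blocklist and the shortener list are constructed placeholders standing in for a real reputation service.

```python
from urllib.parse import urlsplit

# Constructed sample data; a real reader would query a reputation service.
BAD_HOSTS = {"malware.example", "phish.example"}
SHORTENERS = {"short.example"}  # hypothetical URL-shortening domain


def assess_qr_payload(payload, bad_hosts=BAD_HOSTS, shorteners=SHORTENERS):
    """Return (verdict, host, reasons) for text decoded from a QR code.

    verdict is "block", "warn" or "ask"; nothing is ever opened here, so
    the caller always shows the real host and waits for the user.
    """
    try:
        parts = urlsplit(payload.strip())
    except ValueError:  # e.g. malformed bracketed host
        return ("block", None, ["unparseable URL"])
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("block", None, [f"not a web link (scheme {scheme or 'none'!r})"])
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("block", None, ["no host in URL"])
    # Reputation: match the host and each parent domain against the list.
    labels = host.split(".")
    if any(".".join(labels[i:]) in bad_hosts for i in range(len(labels))):
        return ("block", host, ["host is on the reputation blocklist"])
    reasons = []
    if parts.username is not None:
        # "https://bank.example@other-host/" goes to other-host, not the bank.
        reasons.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised (punycode) host name")
    if host in shorteners:
        reasons.append("shortener hides the final destination")
    if scheme == "http":
        reasons.append("unencrypted http")
    return ("warn" if reasons else "ask", host, reasons)
```

The host returned is the one the browser would actually contact, so the confirmation prompt should display that value rather than the raw decoded string.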