{"id":11977,"date":"2012-01-17T18:08:13","date_gmt":"2012-01-17T23:08:13","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=11977"},"modified":"2021-08-10T18:07:21","modified_gmt":"2021-08-10T22:07:21","slug":"qr-codes-can-put-users-at-risk","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/qr-codes-can-put-users-at-risk\/","title":{"rendered":"QR Codes Can Put Users at Risk"},"content":{"rendered":"

-Updated 01-26-12-<\/strong> It was just a matter of time and now the Websense<\/a> (WBSN<\/a>) ThreatSeeker Network<\/a> has started spotting spam messages that lead to URLs that use embedded QR codes. According to a report<\/a> at Help Net Security,<\/em> this is a clear evolution of traditional spammers towards targeting mobile technology. The spam email messages look like traditional pharmaceutical spam emails and contain a link to the Web site 2tag.nl. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL. When the QR code is read by a QR reader, it automatically loads the spam URL.<\/p>\n

—<\/strong><\/p>\n

\"QRQuick Response codes (QR codes<\/a>)<\/strong> are a “new” type of barcode<\/strong> that can be used for a variety of purposes tracking, ticketing, labeling of products, etc. They can be put anywhere<\/strong>, in magazines, buses, websites, TV, tickets, and on almost any object which they might want to learn more about.<\/p>\n

\"QRHelp Net Security<\/em> writes that when used for legitimate purposes, they make life easier for users. “All you need to ‘visualize such a code is a smartphone with a camera and a QR reader application to scan it \u2013 the code can direct you to websites or online videos, send text messages and e-mails, or launch apps,” point out<\/a> BullGuard’s<\/a> researchers.<\/p>\n

Unfortunately, QR codes can just as easily be used to compromise users’ mobile devices. “Much like URL shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception,<\/em>” Joe Levy<\/a>, CTO of Solera Networks<\/a> told<\/a> DarkReading<\/em><\/a>. “QR codes … provide a direct link to other smartphone<\/a> capabilities such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities.”<\/em><\/p>\n

\"Mobile<\/a>There are several ways attackers are already using malicious QR codes<\/a> to perpetrate their scams. A recent attack via QR code “Attaging” took place in Russia and involved a Trojan disguised as a mobile app called Jimm<\/a>. Once installed, \u201cJimm\u201d sent a series of expensive text messages ($6 each), racking up unwanted charges.<\/p>\n

On\u00a0Apple<\/a> (AAPL<\/a>) iOS<\/a> devices, hackers are sending users to websites that will jailbreak the device and install more malicious malware. Tomer Teller, security evangelist at Check Point Software Technologies<\/a>, told DarkReading<\/em>, “a user scans a barcode and is redirected to an unknown website … the user phone will be jailbroken and additional malware could be deployed (such as key loggers and GPS trackers).<\/em>”<\/p>\n

\"Google<\/a>“On the Google<\/a> (GOOG<\/a>) Android<\/a>\u00a0 … Criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode and it will redirect to a website that will download the Android Application<\/em>” according to the article.<\/p>\n

In addition, attackers are using QR codes to redirect users to fake websites for phishing. “A QR code will redirect to a fake Bank that will look exactly like your bank. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her (information) and hand it to the attackers,”<\/em> Teller says. According<\/a> to Mobile Commerce News<\/em><\/a> some apps, like the NeoReader from Neomedia, that collect personally identifiable information (PII<\/a>). This information is then sent to third parties who mine the data and possibly resell it.<\/p>\n

\"mobile<\/a>The trend to mobile QR-based payment systems from firms like LevelUp<\/a>, Kuapay,<\/a> and Paypal<\/a> are developing will drive QR code malware forward Mr. Levy says. “As our mobile devices and our wallets continue to converge through such technologies as near field communications (NFC<\/a>), Bump<\/a> and QR, malware authors are bound to prefer these very direct paths to the money. After all, these devices and apps are well on the road to becoming our new currency.”<\/p>\n

So how do you protect yourself and the data on your mobile?<\/p>\n