Security researchers have spotted spam emails that point at URLs featuring embedded Quick Response codes (QR codes). QR codes are a two-dimensional matrix barcode that can be scanned by a camera phone to link users directly to a website that can host any type of content, malicious or otherwise. By using QR codes (rather than …
Don't get it...
What compels people to scan the dodgy QR code?
How can you, or anyone else, tell what a dodgy QR code looks like? Unless compared side by side they all look the same; they are not human readable.
Try the experiment: create a QR code, paste it over a genuine QR code on a poster, observe result...
My impression is that it's your usual "ch3ap v1agr4 goto ww.hax.1113331h.ru" with a QR code afterwards.
Then again, people still fall for Nigerian 419 scams, and then there's the Brown Box...
If you're using a BIND resolver, you can use Response Policy Zones (RPZs) so that malicious domains are not resolved. Ultimately, it doesn't matter where the URL comes from - a link in a spam email, from a "friend" or a QR code, by catching at the DNS level, the problem is somewhat mitigated.
Of course there will be those who complain about loss of freedom - but as a last resort, they can use their own recursive resolvers if they so wish. For the 99.8% of average users, this seems to be a viable mitigation strategy.
Or they could just embed an IP address in the QR code.
Irrespective of technical solutions...
why would anyone click on a link they can't read? It requires a level of trust I just don't have...
However there are bridges to be sold :-)
That's not how it works (typically). You just scan the code with your phone and it takes you there straight away. I don't think most people have made the connection that this is the same as clicking on a mysterious link. To be fair, most devices probably allow you to disable that behavior, but it would have to occur to someone why the default is unsafe before they would do that.
Yeah I never use QR codes. And if something fails to provide a human-readable alternative, then they don't get my traffic.
Weird... I don't use QR codes very often, but whenever I scan one with my phone, it superimposes the actual URL over the image from the camera, and I have to actually click on "accept" to go to the site.
That way I can read the link before clicking on it... I thought this would be the standard behavior, but I'm probably wrong
Lots of people
Like those that think things like tinyurl and bitly are a good idea. If I can't see where the link is trying to send me then I don't go but many people do.
why would you even scan a spam email with your phone? You'd have to either print it out, or click a picture of a monitor with the barcode displayed on it. You'd think that anyone that would follow links in junk mail wouldn't have enough together to start up a scanner app. There must be something missing here.
I really like QR codes because they're easy to make and you can embed a lot of data in them (my employer has a QR code vcard feature embedded into the corporate phone book, so you can can add names to your phone book by scanning the screen once you've looked up a name). But it's not something you're going to kick off by mistake.
So how do you tell from a "human readable" URL if the destination page contains malware? Personally I never visit a page unless the author has provided me with a print copy of the source code in advance...
Easy, it ends in
a solution in how to educate users...
When I first saw your headline, I read, "a solution in how to eradicate users..." Perhaps something some of the other posters here are looking for, too.
I've found the QR codes somewhat strange, if for nothing else than for your actively asking for more advertisements. I could see, maybe, having it automatically send you back (or having -you- send you back, really) a link to whatever the thing is, so you remember it. That makes a bit more sense. But going straight to a web site that serves another ad? It just seems bizarre. Please, sir, can I have some more? Or, for fans of Max Mosley - "I think you need some more of the punishment!"
I scan QR codes regularly...
...but the barcode Scanner program I use for the job doesn't open the site right away. It displays the decoded URL, then lets me decide.
Did you know :)
Did you know that QR codes are really msgs sent by shape shifting reptiles from the constellation Draco, or at least that's what a nutter I ran into in an Internet Cafe told me ...
That was Philip K. Dick, you illiterate person!
They're the new fuckwit.ly link-shortener scam vehicle.
It's a trust thing
I think most people who use QR codes realise what they are for. No one in their right mind is going to click a link in a spam msg, and then scan a QR code out of curiosity. There again, there are a lot of people not in their right mind...
It's a shame the spammers are abusing QR codes but as with everything those days, you have to consider whether you trust the source, and if that email message, tweet, blog or Facebook post was actually created by the assumed author.
Disclaimer: We operate a free online QR code generator and tracking service at http://snap.vu. Like any similar service this could be abused by spammers to generate QR codes but a quick glance through the table listing many 1000s of redirect URLs assures me that it is being used for education purposes and legitimate marketing activities. So QR codes are just another tool that can be abused - is there any news in that?