
That square QR barcode on the poster? Check it's not a sticker

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites. QR codes are two-dimensional matrix barcodes that can be scanned by smartphones, linking users directly to a website without having to type in its address. By using QR codes (rather …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Devil's Advocate

We need a new profession (ideal for all the Eeyores and Marvins of the world) - professional naysayer. Someone whose job it is to find fault with new ideas (like QR barcodes).

Then again, they could just post their brilliant concepts here, and have it done for free.


Re: Devil's Advocate

There's nothing wrong with QR codes, as such. If anything, they are working perfectly.

The problem is, was, and always has been browsers that do not act on the COMPLETELY UNTRUSTED DATA that they receive from the network in the proper fashion (i.e. trusting nothing, and checking everything).

It's like saying that a sticker that says "Stick your head in a gas oven" is dangerous. It might be. But only if you blindly and trustingly follow its instructions without question no matter what the content.

The fix here is not to stop using QR codes - it's to stop using browsers that are so full of "features" that visiting a URL becomes a dangerous gamble. At absolute worst, the browser should do one of those "This page is taking up too much CPU time, do you want to stop it?" messages. It should not crash, try to download, steal data or otherwise exploit your machine. And it's nothing to do with making a "perfect" secure app, which doesn't exist, it's about being sensible with the data you're given, i.e. not running scripts, plugins, triggering downloads, etc. by default.

I use Opera and when we have a "dodgy" URL come up in my workplace (a school), I often have to trace it back to the original user. This usually means going to the server logs and copy/pasting suspected bad URLs from them to check their content. Although I run it in a VM in those instances (no use ASKING for trouble), Opera, by default, just doesn't let you do anything stupid and has the fewest vulnerabilities published for it (and has had since about Opera 3.5). I can literally just copy/paste a known exploit URL in there and 99.9% of them won't work (because they rely on Java, ActiveX, or some other junk) and the ones that "try" to work by triggering downloads, running executables, opening lots of pages, etc. or even crashing the browser I can easily cancel before they can do any damage.

And even then, they can't jump out of the virtual machine even if I just used IE and double-clicked everything. If you can do that in a VM, you can also push that separation-while-enjoying-full-functionality down to the application (the VM is nothing but an application).

There's nothing wrong with QR codes that isn't also wrong with bookmarks/favourites, URLs in your IM, URLs themselves(!), URL shortening services or just about any method to transfer a URL (e.g. that "bump-together" junk that's in smartphones now). The problem is in browsers that don't treat untrusted HTML data off a network as exactly that - untrusted.


Re: Devil's Advocate

The profession already exists: tester

It's very foolish to let New Stuff into the wild without at least some degree of checking on potentially dodgy applications....


Re: professional naysayer.

Woe, Woe and Thrice Woe. Citizens of the web, repent your ways...


Opera 12.11 does have a teeny embarrassing vulnerability at the moment

And probably always has, at least for a long time, since it's a type of malformed GIF that can crash the browser or theoretically execute arbitrary code. It seems that some bastard researcher published it to the world as soon as he found it.

It seems to be fixed in the snapshot preview release of Opera 12.12, so you want to install that ASAP or when released generally. And meanwhile maybe browse without images or program your firewall to treat the string "GIF89" as a virus. (I think I've seen Javascript load up images when I was using cached-image-only mode, but no-images-at-all may be more robust.)


Re: Devil's Advocate

The answer is to stop using QR codes.

Firstly I can read a URL but I can't read a QR code.

Secondly I know which web sites I have bookmarked - thanks.

Thirdly I don't have time or the inclination like most users or luxury of using a VM so I can't kill off my system if it gets infected by malware.

QR codes are just another gimmick from the marketing world and will hopefully die off together with tiny URLs


We need a new profession: professional naysayer.

Feck off, that's my job. I don't need the competition, mate.

MrT

Finally...

... a reason to use Aurasma.

And it also answers the security issue because most of the time their links don't and active content isn't.


QR codes...

...Are shite.


Re: Firstly I can read a URL but I can't read a QR code.

When I scan a QR code, the app that reads it pops up "Do you wish to visit www.whatever.co.uk" and gives me the choice to go there or not.

So, I can effectively read a QR code just as well as I can read a URL.


Rickrolling

Been around for a while.


Re: Rickrolling

Indeed. I thought of this the moment I first saw one.


Three words...

'Told you so!'

Damn, now they'll all think it was me!


Re: Rickrolling

Rickrolling was one of my later thoughts to be honest.

My first was LemonParty, then BlueWaffle. Then a classic Goatse or even 2G1C.

Thinking of Rickrolling was a kind of relief after that.

Anonymous Coward

Goatse been done.

By friends of mine earlier this year in my local area. For the lulz, of course.

Anonymous Coward

Re: Rickrolling

We're no strangers to love

You know the rules ... and so do I

A full commitment's what I'm ... thinkin' of

You wouldn't get this from any other guy

I just wanna tell you how I'm feeling

Gotta make you ... understand

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you

We've known each other ... for so long

Your heart's been aching, but ... you're too shy to say it

Inside we both know what's been ... goin' on

We know the game and we're ... gonna play it

And if you ask me how I'm feeling

Don't tell me you're too ... blind to see

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you

Oooooooooh ... give you up

Oooooooooh ... give you up

Never gonna give never gonna give

Give you up

Never gonna give never gonna give

Give you up

We've known each other ... for so long

Your heart's been aching, but ... you're too shy to say it

Inside we both know what's been ... goin' on

We know the game and we're ... gonna play it

I just wanna tell you how I'm feeling

Gotta make you ... understand

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you

Never gonna give you up

Never gonna let you down

Never gonna run around and desert you

Never gonna make you cry

Never gonna say goodbye

Never gonna tell a lie and hurt you


Coincidentally...

Symantec have launched one:

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v64690996_EndUserProfile_en_us&product=home&pvid=f-home&version=1&lg=en&ct=us

JDX

Quite a neat idea, well done crims.


Meh, I wouldn't grant them a patent on the technique, some of us came up with that idea as soon as we heard about QR codes.

And I've still *never* seen anyone use one.


"And I've still *never* seen anyone use one."

Based on the number of "You BASTARD!" comments and texts I've had in the wake as using a Rickrolling QR code as an avatar to trick the curious, I think you may be incorrect!


Re: Does anyone use them?

"Sian John, UK security strategist at Symantec, said: “There has been an explosion in the number of QR codes over the last couple of years,..."

Explosion where? I first saw QR codes in Dec 2004, in Tokyo, and probably as early as May of that year in Japanese magazines at Kinokuniya book stores in the SF area. But, I only positively recall seeing them upon arriving in JP that year. Back then, and in 2005, using a phone camera in USA stores elicited scorn or threats of ejection. In Japan, consumers were EXPECTED to comparison shop, outright encouraged to do so. Empowering and informing the consumer. The less hip, less informed of USA merchants feared it, and took years to widely adopt QR codes. Even shipping, airliner, and courier companies jumped on it sooner than retailers, if I recall correctly.


@ JDX

Not "well done", but certainly ingenious.


@Marketing Hack

It's kinda like a steak, "well done" is most assuredly not well done.

Anonymous Coward

The pron industry and crims, the two biggest drivers of web technologies.


I just used one with the Google Authenticator app. Barcode in the browser on the desktop computer and barcode reader on the phone for two-phase authentication.


Re: Does anyone use them?

Ah, another down-thumb, on something that the downthumber cannot justify down-thumbing.

Shit, I think I will go have a drink.

Thanks, a LOT!


Same old, same old...

Can't see where you're going? Can see but don't know where it is? Then don't go there... it's not rocket science!

I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.


Re: Same old, same old...

we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

There are some other uses - like embedded vCards on the back of your business cards to allow quick digitisation of the contact details.


Re: Same old, same old...

Yup we have a staff wifi access point QR code too, only seems to allow connecting on Android though, iPhone reads it but does not allow you to connect.

We also have a QR code on our corporate headed paper, it contains a business card with our phone numbers, address, website and email. Just scan and save our business to your phone's address book, or just scan to call/email etc.


Re: Same old, same old...

It's also a very convenient way to point smartphone users at app (or other) downloads from a PC browser.

The QR reader I use shows the decoded data and waits for the user to choose what to do with it. In theory safer than a traditional hyperlink because you always see the unobfuscated content before accepting it, something you actively need to check with a hyperlink.

You still need some way of assessing the trustworthiness of the exposed link but that's true for any link. Seeing a sticker slapped on a poster is a pretty big clue not to trust it though.

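Several posts in this thread make the same design point from different angles: a reader that shows the decoded payload and waits for the user, the company Wi-Fi join codes, the Google Authenticator enrolment code, and (further down) the sticker-plus-rogue-access-point scenario. The rule they add up to is decode, classify, show, then ask. What follows is an added example written for this page; it is not code from the article, from Symantec or from any commenter. It takes the string a barcode reader has already decoded and returns what acting on it would do, plus the warnings a user should see first. The shortener list and the sample payloads are constructed for illustration; the `WIFI:`/`MECARD:` record syntax and the `otpauth://` URI form are the de facto formats barcode apps use.

```python
"""Triage a decoded QR payload before acting on it.
The reader decodes bytes to a string; this classifies that string and returns
what it would do plus warnings. It opens, joins or dials nothing: the app shows
the summary and asks the user first."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs, unquote
import ipaddress

# Constructed for illustration; a real app would maintain its own list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd", "ow.ly"}
# Schemes a barcode app should never hand to anything, confirmation or not.
REFUSED_SCHEMES = {"javascript", "data", "file", "intent", "vbscript"}

@dataclass
class Triage:
    kind: str       # url / wifi / otp / contact / tel / sms / mailto / blocked / text
    summary: str    # the one line to show before asking "go ahead?"
    warnings: list = field(default_factory=list)

def parse_zxing_fields(body: str) -> dict:
    """Parse the 'KEY:value;KEY:value;;' records used by WIFI: and MECARD:.
    A backslash escapes ';', ':' and '\\' inside a value (e.g. in a PSK)."""
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escaped char: take it literally
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == ":" and key is None:         # end of key
            key, buf = "".join(buf), []
        elif ch == ";":                       # end of value (or of the record)
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields

def triage_url(url: str) -> Triage:
    """Surface the tricks that make a link look like somewhere it is not."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme == "http":
        warnings.append("plain HTTP: page can be altered in transit")
    if parts.username is not None:
        warnings.append("user@host in URL: the real host is the part after '@'")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a hostname")
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        warnings.append("URL shortener: destination hidden until followed")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("internationalised hostname: check for look-alike letters")
    return Triage("url", f"open {parts.scheme}://{host}{parts.path or '/'}", warnings)

def triage(payload: str) -> Triage:
    """Classify one decoded payload: web link, Wi-Fi join record, otpauth
    enrolment URI, contact card, call/message action, or plain text."""
    p = payload.strip()
    scheme, sep, rest = p.partition(":")
    if not sep:                               # no scheme at all: plain text
        scheme, rest = "", p
    scheme = scheme.lower()
    if scheme in ("http", "https"):
        return triage_url(p)
    if scheme in REFUSED_SCHEMES:
        return Triage("blocked", "refused",
                      [f"'{scheme}:' payloads must never be opened from a barcode"])
    if scheme == "wifi":
        f = parse_zxing_fields(rest)
        enc = f.get("T") or "nopass"
        warnings = []
        if enc.lower() == "nopass":
            warnings.append("open network: anyone nearby can read or alter your traffic")
        if f.get("H", "").lower() == "true":
            warnings.append("hidden SSID: the phone will probe for it wherever it goes")
        return Triage("wifi", f"join Wi-Fi '{f.get('S', '?')}' ({enc})", warnings)
    if scheme == "otpauth":
        u = urlsplit(p)                       # netloc is 'totp' or 'hotp'
        label = unquote(u.path.lstrip("/"))
        issuer = parse_qs(u.query).get("issuer", ["?"])[0]
        # The secret stays out of the summary: show the label, never the key.
        return Triage("otp", f"enrol {u.netloc.upper()} token '{label}' (issuer {issuer})",
                      ["contains a shared secret: store it, never display or log it"])
    if scheme == "mecard":
        f = parse_zxing_fields(rest)
        return Triage("contact", f"save contact '{f.get('N', '?')}' tel {f.get('TEL', '-')}")
    if scheme in ("tel", "sms", "smsto", "mailto"):
        return Triage(scheme, f"{scheme} -> {rest}", ["starts a call or message: check the address"])
    return Triage("text", f"plain text: {p[:80]}")

if __name__ == "__main__":
    # Constructed sample payloads, one per kind discussed in the thread.
    for sample in ["http://bit.ly/3xyz", "https://paypal.com@203.0.113.5/login",
                   "WIFI:T:WPA;S:Corp Guest;P:pa\\;ss;;", "WIFI:S:Free Cafe;;",
                   "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example",
                   "MECARD:N:Doe,John;TEL:+441234567890;;", "javascript:alert(1)",
                   "Please turn off your mobile phone"]:
        t = triage(sample)
        print(f"[{t.kind}] {t.summary}" + "".join(f"\n   ! {w}" for w in t.warnings))
```

Two design choices matter here. First, `triage` never performs the action; it only returns a summary and warnings, so the confirmation dialogue the commenters describe is the only path to the browser, the Wi-Fi stack or the dialler, and `javascript:`/`data:`/`file:` payloads are refused outright rather than offered. Second, for `otpauth://` the summary names the account and issuer but deliberately omits the `secret` parameter, since anything put on screen or in a log is one screenshot away from a cloned token. The `user@host` check is the one that catches the classic sticker trick of a URL that starts with a trusted-looking name and ends at an attacker's IP.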

Re: Same old, same old...

I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.

Y'know, I'd never really thought of that. There may be other uses for them, for sure, but most of the time, in all my comings and goings, the vast majority of QR codes I see have been in the context of advertising.


Re: Same old, same old...

we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

So all a hacker needs is some stickers and a wifi bridge or two, and voila - man-in-the-middle!


Re: So all a hacker needs is some stickers

And access to the building! If the baddies are inside then dodgy QR codes may well be the least of your worries...



To be honest, I'm surprised it's taken this long to become an issue... the number of these things I've seen spring up, with no accompanying text, is quite alarming and I live out in the sticks!

Even I've been tempted to make my own QR labels - nothing evil, just pointing to an educational site saying 'you were lucky this time' and see how much traffic I can generate!


I did it a couple of years ago when QR codes first appeared. My QR code just redirected to a website that had the message "stop buying useless crap"

JDX

What a witty and interesting person you must be.


I thought that hello.jpg would be a better target. Alas, I should have acted on that impulse.

Would still be fun to slap in the bathroom of random pubs though, especially near the sink.


The library one

I liked the university library one linked here last time we discussed these.

When scanned, it said "Please turn off your mobile phone"

I know of two other libraries which now have the same design in strategic locations.


Re: The library one

Why would I turn off my phone in the library?

I would think putting it on "silent" (which is what I do) would be fine.


Symantec and The Reg on the ball as usual

"Posted by Katleen Richardson on Thu, Feb 02, 2012 @ 01:18 PM"

http://www.marketing-advantedge.com/blog/bid/122193/Beware-of-fake-QR-codes


Re: Symantec and The Reg on the ball as usual

Recently I tried to find the original date of a TV show that quoted a report of incautious young people using nutmeg as an hallucinogen. (It actually is, apparently, but it's less fun than some other ones - but you can buy it in supermarkets.)

But I couldn't tell when - because it's a story that keeps coming up again and again.


Re: using nutmeg as an hallucinogen.

I wouldn't recommend that, I believe hallucinogenic doses of nutmeg can also be harmful, even occasionally fatal. Tripping while suffering from palpitations, convulsions and nausea is probably not much fun. There are much less risky hallucinogens around if you must partake.


Re: using nutmeg as an hallucinogen.

There was an article in NewScientist back in the 90's about bad tripping on nutmeg.

and.. and..... NUTMEG! NUTMEG, HERR MÜLLER!! HAVE YOU UNDERSTOOD, HERR MÜLLER?


Is it a problem though?

I see lots of QR codes on advertising but I don't think I've once seen anyone scan one, and I don't suppose I ever would.


Fruit altitude.

Well, if you have your device configured to fire the action associated with a QR code immediately, rather than presenting you with what it's about to do or where it's about to go and asking for your confirmation, congratulations! You are low-hanging fruit.

The only surprise here is that it's taken the scrotes this long to spot the obvious boot-filling opportunity for presenting obfuscated URLs to mugs.

I'm still waiting for the howls of anguish when some mob compromises one of the URL-shortening services though......


Url warning

I never used QR codes myself (no need), and maybe this is implemented already, but do none of the QR readers out there display a message about the URL the user is going to visit?


Re: Url warning

Mine (free off Android) pops up something like "The URL is http://blahblah are you sure you want to?"

I guess some people are idiots and don't deserve the right to have a smart phone.

JDX

Re: Url warning

I think mine (built into search on WindowsPhone) shows the URL floating about too.

And pur-leeeze. Nobody has the 'right' to a smartphone you arrogant pin-head. Since 90%+ of IT is used by "idiots" I think you should be careful what you wish for, lest you find yourself out of a job.

