Crazy square barcodes can point your phone to MALWARE Russian VXers have begun using obnoxious barcode-on-steroids QR codes as a launchpad for mobile malware. A recently identified malicious Quick Response code on a Russian website links through a series of redirections to a site punting a Trojan version of the Jimm mobile ICQ client. Android users who follow the links and …
to print with dodgy QR codes and hijack some advertising posters.
While it might not get quite the same uptake as breaking into a mainstream website and inserting malicious code or appropriate protest messages, would it not be somewhat easier simply to stick replacement dodgy codes over the official ones on advertising posters in well attended areas and wait for people to blindly scan them?
(V mask, obviously!)
An attacker could easily print up a poster for a band, a store or whatever is popular that advertises a free app that will send you special offers and giveaways via SMS and show you the latest deals or news.
Or a cheaper way would be to get some printable sticker sheets and place the phoney QR code over legitimate ones. The shopping mall where I live already has QR tags all over the place and I wouldn't be surprised if some of them where booby-trapped given the large population of security researchers.
No. A server URL is human-readable, so if it ends in disney.com, for example, you can decide how much you trust Disney. If a Disney advert has a dodgy-looking URL, you can figure it maybe isn't really Disney. With the barcodes you have no idea where they'll take you so you don't know who you are trusting, and you can't tell if the barcode doesn't match the advert.
with the difference that if I'm looking up info on a product made by Brand X, I can feel fairly safe if the URL starts with X.com
Of course, no guarantees just like everything else, however I would prefer if at least the phone had the option to read the tag and show the URL on the screen WITHOUT connecting to it.
Or any other non-M$ app for that matter, eh ? ;-)
I guess the reason is M$ are pushing thier own QR equiv which had colors and common shapes like triangles etc. I think the problem was it didn't have good error correction, was costlier to print
(in color) and was harder to spot in colored posted with triangles and squares!
...those stupid link shorteners in their scamtastic properties?
"Ooh, shit.ly sounds so cool! Everything-ly makes me sound so distant and yet cool at the same time! Let's start posting links that stop working and rely on some iffy domain registry everywhere on the interwebs!"
"..apart from the fact users might be more trusting about a non-human-readable QR code than a conventional URL."
Yes. Sad but true. People are often more trusting about something they CAN'T READ to verify for themselves than about something they can.
Some of us are very smart. On average, though, we are really damned stupid.
Found two in the wild already. In Vancouver, one stuck to the wall of the City Centre subway station, "Win a fantastic iPad 2" with a QR code - that points to an unrecognizable URL. Another one under a wiper, "Pizza Hut - Win your Pizza" asking me to download a getmobio app then scan the QR code to order the pizza - but the URL is also unrecognizable. The first one is a scam, the second one may be legitimate, but I don't trust either.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
