Sign in / up

back to article Spammers hit mobes with QR code junkmail jump pads

Security researchers have spotted spam emails that point at URLs featuring embedded Quick Response codes (QR codes). QR codes are a two-dimensional matrix barcode that can be scanned by a camera phone to link users directly to a website that can host any type of content, malicious or otherwise. By using QR codes (rather than …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. scarshapedstar
    WTF?

    Don't get it...

    What compels people to scan the dodgy QR code?

    0 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      What compels?

      How can you, or anyone else, tell what a dodgy QR code looks like? Unless compared side by side they all look the same; they are not human readable.

      Try the experiment: create a QR code, paste it over a genuine QR code on a poster, observe result...

      0 0
      1. scarshapedstar
        Reply Icon
        Holmes

        Well

        My impression is that it's your usual "ch3ap v1agr4 goto ww.hax.1113331h.ru" with a QR code afterwards.

        Then again, people still fall for Nigerian 419 scams, and then there's the Brown Box...

        http://encyclopediadramatica.ch/Brown_box

        1 0
    2. PeteA
      Reply Icon

      They're both curious and not computer literate; enough education to know that you don't click on links in spam email, but not enough to know that you don't invoke any function that could potentially execute hostile code (in the form of javascript) without thinking about what you're doing.

      0 0
  2. Fat Freddie's Cat

    If you're using a BIND resolver, you can use Response Policy Zones (RPZs) so that malicious domains are not resolved. Ultimately, it doesn't matter where the URL comes from - a link in a spam email, from a "friend" or a QR code, by catching at the DNS level, the problem is somewhat mitigated.

    More at:

    http://www.isc.org/community/blog/201007/taking-back-dns-0

    Of course there will be those who complain about loss of freedom - but as a last resort, they can use their own recursive resolvers if they so wish. For the 99.8% of average users, this seems to be a viable mitigation strategy.

    0 0
    1. Old Handle
      Reply Icon

      Or they could just embed an IP address in the QR code.

      0 0
  3. Neil Barnes Silver badge
    WTF?

    Irrespective of technical solutions...

    why would anyone click on a link they can't read? It requires a level of trust I just don't have...

    2 0
    1. Neil Greatorex
      Reply Icon

      Quite

      However there are bridges to be sold :-)

      0 0
    2. Old Handle
      Reply Icon

      That's not how it works (typically). You just scan the code with your phone and it takes you there straight away. I don't think most people have made the connection that this is the same as clicking on a mysterious link. To be fair, most devices probably allow you to disable that behavior, but it would have to occur to someone why the default is unsafe before they would do that.

      0 2
      1. Pet Peeve
        Reply Icon
        WTF?

        why would you even scan a spam email with your phone? You'd have to either print it out, or click a picture of a monitor with the barcode displayed on it. You'd think that anyone that would follow links in junk mail wouldn't have enough together to start up a scanner app. There must be something missing here.

        I really like QR codes because they're easy to make and you can embed a lot of data in them (my employer has a QR code vcard feature embedded into the corporate phone book, so you can can add names to your phone book by scanning the screen once you've looked up a name). But it's not something you're going to kick off by mistake.

        0 0
    3. batfastad
      Reply Icon
      WTF?

      Yeah I never use QR codes. And if something fails to provide a human-readable alternative, then they don't get my traffic.

      2 0
      1. Ned Ludd
        Reply Icon
        FAIL

        So how do you tell from a "human readable" URL if the destination page contains malware? Personally I never visit a page unless the author has provided me with a print copy of the source code in advance...

        2 0
        1. Francis Boyle Silver badge
          Reply Icon

          Easy, it ends in

          .ru

          0 0
    4. A. Coatsworth Silver badge
      Reply Icon
      Facepalm

      Weird... I don't use QR codes very often, but whenever I scan one with my phone, it superimposes the actual URL over the image from the camera, and I have to actually click on "accept" to go to the site.

      That way I can read the link before clicking on it... I thought this would be the standard behavior, but I'm probably wrong

      6 0
    5. EyeCU
      Reply Icon
      Unhappy

      Lots of people

      Like those that think things like tinyurl and bitly are a good idea. If I can't see where the link is trying to send me then I don't go but many people do.

      3 0
  4. Anonymous Coward
    Anonymous Coward

    a solution in how to educate users...

    http://bradcolbow.com/archive/view/the_brads_qr_codes/

    ;-)

    0 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      When I first saw your headline, I read, "a solution in how to eradicate users..." Perhaps something some of the other posters here are looking for, too.

      I've found the QR codes somewhat strange, if for nothing else than for your actively asking for more advertisements. I could see, maybe, having it automatically send you back (or having -you- send you back, really) a link to whatever the thing is, so you remember it. That makes a bit more sense. But going straight to a web site that serves another ad? It just seems bizarre. Please, sir, can I have some more? Or, for fans of Max Mosley - "I think you need some more of the punishment!"

      0 0
  5. Charles 9

    I scan QR codes regularly...

    ...but the barcode Scanner program I use for the job doesn't open the site right away. It displays the decoded URL, then lets me decide.

    2 0
  6. Anonymous Coward
    Anonymous Coward

    Did you know :)

    Did you know that QR codes are really msgs sent by shape shifting reptiles from the constellation Draco, or at least that's what a nutter I ran into in an Internet Cafe told me ...

    0 0
    1. Destroy All Monsters Silver badge
      Reply Icon
      Coat

      That was Philip K. Dick, you illiterate person!

      1 0
  7. Anonymous Coward
    Anonymous Coward

    QR codes...

    They're the new fuckwit.ly link-shortener scam vehicle.

    0 0
  8. Paul Stephenson

    It's a trust thing

    I think most people who use QR codes realise what they are for. No one in their right mind is going to click a link in a spam msg, and then scan a QR code out of curiosity. There again, there are a lot of people not in their right mind...

    It's a shame the spammers are abusing QR codes but as with everything those days, you have to consider whether you trust the source, and if that email message, tweet, blog or Facebook post was actually created by the assumed author.

    Disclaimer: We operate a free online QR code generator and tracking service at http://snap.vu. Like any similar service this could be abused by spammers to generate QR codes but a quick glance through the table listing many 1000s of redirect URLs assures me that it is being used for education purposes and legitimate marketing activities. So QR codes are just another tool that can be abused - is there any news in that?

    0 0
This topic is closed for new posts.