That square QR barcode on the poster? Check it's not a sticker

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites. QR codes are two-dimensional matrix barcodes that can be scanned by smartphones, linking users directly to a website without having to type in its address. By using QR codes ( …

COMMENTS

This topic is closed for new posts.

Anonymous Coward

Re: Url warning

"don't deserve the right to have a smart phone."

Suggest you look up the definition of a "right". Ownership of mobile phones isn't generally in there...

0
0

Er duh...

This occurred to me years ago.

What kind of idiot uses these things anyway?

0
1
Anonymous Coward

What kind of idiot uses these things anyway?

Marketing types. Last week I had to visit a printer for some business cards and posters and they tried to sell me their design services, and a key selling point was QR codes on both. I admit the idea looks nice -- people could just click the QR instead of visiting the URL, but I declined.

0
0
Anonymous Coward

Re: What kind of idiot uses these things anyway?

- Go online to one of the free QR code generators.

- Type in your URL, get a GIF/PNG back.

- Put it into your business card design as a custom image.

Don't quite see why that would need custom design services, even if you *did* want to use one on your cards. I wanted to put one in a game I was writing (so people might be tempted to scan it and visit the website for the game, and I was thinking some kind of competition / achievement-related thing might be viable too), and it was actually easier to bundle a QR-generating library that did it on-the-fly than a static image.

(P.S. Business cards? Really? People still use them? My boss bought me 1000 and does every year or so or when a detail changes. I think I have literally given out one, because he was in the same room at the time with a vendor and a business-card swap took place. Strange, because my boss had arranged the meeting with the vendor - and knew the guy by name - and you could call the same place I worked at and get through to me by, well, asking for me by name or even job title. What purpose does a business card serve nowadays precisely, except to clutter the pockets of those people who you're SO important to, that they can't be bothered to remember your company, name or job title?)

0
0
JDX
Gold badge

Re: What kind of idiot uses these things anyway?

Every real businessman I ever met had business cards. Do you think every meeting they have, they whip out their phone and enter you as a new contact or something?

As with many things, the digital equivalent isn't always the best. In the real world, a boss might collect business cards and then get his PA to enter them electronically since he doesn't have time.

3
0
Silver badge
Facepalm

Re: What kind of idiot uses these things anyway?

I stick mine to the products I've commissioned when on a call, and hand them to customers when I've given them training.

Gives the customer a phone number (and website address) reminder when they get stuck. Seems pretty useful given the general complete and total failure of people to look on our website for phone numbers. Or look at our website at all, in many cases.

- Of course, my mobile number is not on the card, just the main office number.

0
0
Gold badge

But is it really a problem?

Come on, quick show of hands, who has used this feature more than once a year?

I genuinely want to know - I myself have used it maybe twice for the novelty value, and if I'm interested in a product I am more likely to use a laptop (this could change when I finally convince myself to buy a tablet of sorts). However, I really have no idea if someone else uses it. I know marketing types get all enthusiastic when you talk about it, but frankly, I have yet to use a QR code in anger.

Opinions?

1
0
Silver badge
Windows

@Fred

I did.

Guess I should also mention that I also got my smartphone this year ;-)

Even so; never on an ad. One time on a product in the supermarket, and a few times on a Windows Phone website to quickly navigate to an application's download page (initiate the download in your browser (while logged on), and find the results on your phone, pretty neat IMO).

However, I got my phone around March, this only lasted until... No longer than August. I didn't scan any QR code since then.

0
0
Silver badge
Stop

Re: But is it really a problem?

I used my phone QR code reader, but only to check that the QR code on our tradeshow booth pointed where it should (it did). I didn't actually follow the link, just looked at it and declined the "browse to address?" request from my phone. Do other phones just jump straight there? That's daft...

0
0
Silver badge

Re: But is it really a problem?

I have used QR codes to transfer contacts between phones. The free QR code reader app for Android that, yes, I played with for two seconds before getting bored, also allows you to "send to" a QR code which it will display on the screen.

It's a nice way to send contacts and other data (I once sent 32 laptops' Truecrypt passwords that I had stored as memos on the phone via QR code to my laptop running a similar app that I could then put somewhere useful) without opening up your device to networks, turning on Bluetooth (I generally have it off, hidden AND not accepting requests by default anyway), etc.

Apart from that? Never.

0
0

Re: But is it really a problem?

As with most things on El Reg, the people that read and comment are IT savvy and very aware of malware and scams and so won't use QR codes or the like without checking first. We are not the target for these attacks as we are likely to be a bit more careful.

Apart from just playing around in the last 10 minutes to test the Norton app mentioned above, I haven't used QR codes and I don't see that I would, but your average teenager (terrible stereotyping, I know) will see an advert showing the latest fashion items with a QR code to get more details and will be pointing their phone at it in seconds. Seeing a sticker QR code will just mean it's updated, right? It can't be anything bad, right?

The real problem is that people of that ilk will just click "OK" to any warnings or "are you sure" messages because they are just annoying and don't serve any purpose, right?

This is another case where education is what can stop the problem. Educate people that they need to check the link and that it's going to the right site, not a random site with no connection to the actual advert, and there is no issue. As with all things, the problem is carbon based, not technology based!

0
0
Silver badge
Black Helicopters

Snowcrashing!

As long as your brain doesn't explode when you look at the sticker's white noise, I can live with this.

4
0

This post has been deleted by its author

Facepalm

Who'd have thunked it?

letters

0
0

Bus stops in Edinburgh have QR codes (there's an android and ipad app to give you the arrival times for the next few buses at a bus stop). The QR code takes you to the bus times app.

Anyway, I think it's a good example of a QR code which is NOT used for advertising.

1
0

Similarly, some stations on the West Coast mainline (with Virgin Trains for the time being) have posters up with QR codes for mini-timetables relating to that particular station. I've seen it at Coventry, but I'm sure it happens elsewhere. Again, corporate but not advertising.

1
0

Ditto First Great Western, but for download versions of their pocket timetables. I've put some of their QR codes on a web site for the benefit of local passengers. The only problem is I don't know if they point to the old timetables or the new ones as I haven't got a smartphone. The poster on their web site hasn't been updated. I need an OSX/RISC OS/Linux program to decode them.

1
0
Anonymous Coward

Or they could just put up a bus timetable.

4
0
Bronze badge

When I was last in Edinburgh, I installed the bus app before going out, then when I was at the bus stop, I found it quicker to type in the numerical code than try and focus on the QR code and get the phone to recognise it.

0
0
Silver badge
Meh

(there's an android and ipad app to give you the arrival times for the next few buses at a bus stop)

But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

0
0
TRT
Silver badge
FAIL

Yeah, I've tried to use some QR codes for parcel tracking... they printed it too small for my iDevice to get it in focus. FAIL. Mind you, if they had have printed it large enough for my device, it would have been about the size of the box itself.

0
0
JDX
Gold badge

>>Or they could just put up a bus timetable.

Which is really confusing when it tries to cram all that data onto one sheet of A4 which then gets defaced by youths or goes out of date.

3
0
Gold badge

But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

Sshh - those are beta test randomisers for the lottery..

1
0

Next Bus/Train?

(there's an android and ipad app to give you the arrival times for the next few buses at a bus stop)

But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

My wife owns an iPhone (I don't) and one of the few apps she has is something she got from the Metro Transit Authority here in DC, the "Next Bus" App, which claims to tell you when the next bus will be arriving based on which stop you tell it you're at (of course). She claims it's quite accurate, at least to within a couple of minutes. I suspect that the countdown displays on your bus stops over there use the same kind of GPS/timetable data that the DC MTA "Next Bus" App uses.

In the DC Metro, we have similar electronic displays on the platforms giving time-to-arrival countdowns for the next three trains. I haven't bothered to time them down to the second, but they're accurate enough.

0
0

>>But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

The Edinburgh ones are amazingly accurate. Sometimes the buses get delayed in traffic, of course, but normally the times are accurate to within a couple of minutes.

0
0
Silver badge
Alert

QR codes

Quite Rarely?

If it looks like an ad, it's probably an ad.

2
0
Facepalm

Anyone who uses a QR code (From Tuesday 13th March 2012)

Thought of this donkey's years ago.

When QR codes were first popularised I .. erm .. someone I met in the pub theorised that a few well placed QR code stickers on a bus stop or shop windows, ideally within view of the pub, would be a very easy method to subvert someone's curiosity and get them to visit a website like tub girl or goatse. We could then laugh at the expressions on their face as they saw the horror. For a laugh, like.

Malware is the obvious extension to this idea.

2
0

But no-one scans them, ever.

http://picturesofpeoplescanningqrcodes.tumblr.com/

A solution looking for a problem.

3
0
Silver badge

BYOD Nightmare

See title

1
0

"I scanned a QR code on an advertising poster and it was really useful"

-- No-one ever.

3
0
Alert

As with most things

To get convenience you sacrifice self-responsibility and security, you do so at your own risk.

1
0

Useful in museums:

http://www.themobilists.com/2011/08/30/qr-codes-in-museums/

1
0
Holmes

A cunning plan indeed, but WHO USES QR CODES?!

0
0
Silver badge

Actually I have on occasion. About the only times I've ever scanned a QR code is on movie posters when I wanted to see a trailer.

Two reasons I don't worry about this 'exploit' though. First, I make sure the QR code I'm scanning isn't on a sticker stuck over the real one. Second, my app gives me a chance to confirm that I really want to go to X URL before it does, so if the URL looks suspicious I just hit cancel.

0
0
Anonymous Coward

FUD

Sure it's possible, but I'm having real difficulty believing it is actually happening. Just more AV vendor fear mongering...

1
0
Alert

Really?

How is this a problem? Which barcode scanners AUTOMATICALLY take you to the destination? The one I use DOESN'T. This is a deliberate choice on my part. It will show me the data and then ask me what I want to do. This really isn't much of a problem. If I don't like the URL I won't open it, same as anywhere else. Do you click URLs sent to you by text message? I don't. How about URLs in random tweets? Nope. Same with QR codes: scan, look and decide.

0
0
Meh

QR Codes kinda rubbish, but I like this one

http://images2.wikia.nocookie.net/__cb20120918114431/borderlands/images/6/6c/Borderlands2-moxxipizzabox.jpg

0
0
Anonymous Coward

Same with NFC tags, similar things can be done with that.

But ultimately if your mobile device can be damaged or you can lose data by visiting a URL or scanning an NFC tag then this is a design/security flaw in the device itself.

Android phones for example have taken the example of Microsoft Windows which Microsoft used to cram full of features and cool functionality like ActiveX. But a huge feature count can ultimately be a security hole without a proper security model.

0
0
Anonymous Coward

I'd have gone for a link to some webpage that would earn cash for clicks and then take the person on to the real site.

Bit like some sort of premium rate phone call scam.

Less chance of being found out means more earnings in the long run.

0
0

Hmm

- Create webpage with links about Latest Big Thing (I dunno, that vampire flick or some crap)

- Put in lots of adSense too

- Create QR code stickers leading to site

- Stick on Posters in Bus stops and stuff

- insert redundant ?????

- Profit!

1
0
Anonymous Coward

I did this a couple of years ago as a leaving prank at a university. A couple of people knew it was me but just sat back with the popcorn watching the management try and figure it out. As I understand, they also printed some "special" posters with altered codes and deliberately mixed them up with some of the correct posters. Essentially giving a time bomb to the poster team, and removing all blame from me.

0
0
Anonymous Coward

Do you follow every random URL you encounter?

This is no different than following every random URL (e.g. http://littlelamb.example.org) you see on the http://street.example.com. If http://you.follow.example.uk every http://url.example.hk you are http://going.to.have.a.bad.time.example.local.

It's just a bit easier.

0
0
Silver badge

Re: Do you follow every random URL you encounter?

But I agree with Lee Dowling - you SHOULD be able to follow any URL without compromising your device. The fact that you can't is simply due to the fact that a lot of browser security sucks.

0
0
Silver badge

Old news

Scammers have been slapping stickers over QR codes since about the time that QR codes started showing up everywhere. Nothing new here. In fact, I think I recall an article on the subject right here on El Reg a couple years back.

0
0

QR codes are so 2011

However, anyone who still thinks they're cool is a prime victim.....

0
0

How did it take the crooks this long?

One of the first things that came to my mind when I saw QR codes on posters was that someone could put bogus QR stickers over the real ones.

The factory-reset USSD code, when that exploit worked on Samsung's top-line phones, would have been a great choice for that. Except I like Samsung; if there was a nasty exploit like that that worked on iPhones, I'd be tempted to do it (since I don't have any malware or phishing scams to promote).

1
1

Re: How did it take the crooks this long?

It didn't - it took Symantec this long. Or at least this long for a sufficiently dull month in security land for them to sink to this nonsense.

0
0
MrT
Silver badge

Stop users following dodgy links...

... stick a Microsoft Tag over the QR code instead.

In typical "always bet on a winner" fashion, I decided to put Tags on newsletter articles and the like about three years ago. Now look where they are...

Always bet the opposite to me and you'll do alright.

0
0

Wise advice!

Unfortunately there will always be scammers out there ready to pounce. Thanks for the article - we will definitely pass the word along.

0
0

Biting the hand that feeds IT © 1998–2017