Malicious QR Code Use On the Rise

← Back to Stories (view on slashdot.org)

Malicious QR Code Use On the Rise

Posted by Soulskill on Friday December 30, 2011 @06:07AM from the time-to-incorporate-rorschach-verification-tech dept.

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"

44 of 234 comments (clear)

Min score:

Reason:

Sort:

Just like with TinyURL... by dotancohen · 2011-12-30 06:09 · Score: 4, Interesting

Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.

--
It is dangerous to be right when the government is wrong.
1. Re:Just like with TinyURL... by SQLGuru · 2011-12-30 06:26 · Score: 5, Insightful
  
  I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data....and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.
  I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.
2. Re:Just like with TinyURL... by bmo · 2011-12-30 06:30 · Score: 5, Informative
  
  >With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.
  That is why God made preview.tinyurl.com
  --
  BMO
3. Re:Just like with TinyURL... by jhoegl · 2011-12-30 06:36 · Score: 5, Funny
  
  I made no such thing mere mortal!
4. Re:Just like with TinyURL... by GIL_Dude · 2011-12-30 06:58 · Score: 5, Interesting
  
  For Chrome users, the LinkPeelr extension works well to pre-decode links for you in a little tooltip window. I've been using it for quite some time and it seems to work pretty well. Saves your from many a rickrolling or goase link. Although I guess when people bounce them through several layers of link shortener it doesn't work for that.
5. Re:Just like with TinyURL... by Fez · 2011-12-30 07:00 · Score: 5, Informative
  
  Which is where LongURL comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.
6. Re:Just like with TinyURL... by allo · 2011-12-30 08:05 · Score: 2
  
  tinyurl.com/bla -> preview.tinyurl.com/bla. Much easier, because it even works without cookies
7. Re:Just like with TinyURL... by dotancohen · 2011-12-30 08:20 · Score: 2
  
  That is why God made preview.tinyurl.com
  --
  BMO
  1) That wasn't God, that was a computer programmer.
  2) You still have to trust TinyURL. If TinyURL is compromised or malicious, then I am at risk or blocked. TinyURL is a US company, so it someone uses a TinyURL to point to a Syrian website, I might not be able to get through. Likewise, if TinyURL itself is hacked, I am vulnerable.
  
  --
  It is dangerous to be right when the government is wrong.
8. Re:Just like with TinyURL... by SQLGuru · 2011-12-30 10:39 · Score: 2
  
  Clipboard and the + sign?
  http://security.thejoshmeister.com/2009/04/how-to-preview-shortened-urls-tinyurl.html
  Or, you know, don't click it.
9. Re:Just like with TinyURL... by bmo · 2011-12-30 13:12 · Score: 2
  
  I don't know what, exactly, your fixation is on me, but I am flattered that I have my own little pet stalker on Slashdot.
  --
  BMO
  Boyle M. Owl
  George L. Tirebiter
  Hemlock Stones
  among many other names.
10. Re:Just like with TinyURL... by hairyfeet · 2011-12-30 13:39 · Score: 2
  
  Here's what I don't get, maybe someone can tell me what i missed: What EXACTLY do you want or need the QR codes for anyway? Is there someone going "ZOFG I must go to a company's bullshit PR website NOW dammit!"? I mean with every damned smartphone on the planet having Google what is the point? Hell at my local Wally world they even have a couple of display units hooked up to Google so if they don't know the answer to a question they'll help you Google the damned answer and at least that way you'll get an honest answer and not PR BS like you get on corp websites.
  So maybe its just me but I haven't ever seen anything on a corp website I'd frankly believe, if they told me it was raining i'd want a second opinion, so to me these QR codes make about as much sense as the Cuecat. If you need to know about a product why not just Google the damned thing or check the reviews on Amazon? What benefit does this QR code stuff give you that negates the risks in TFA AND the likelihood that everything you read will be spin?
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
11. Re:Just like with TinyURL... by EvilIdler · 2011-12-30 17:40 · Score: 2
  
  QR codes are a handy way to grab some URL for a site quickly rather than typing it into your phone, or taking a picture of the URL. I've seen them at the local game stores for information on new and upcoming games. Some people might not have Internet access right then and there - me included. I bring an iPod touch everywhere, QR app ready. It's especially nice when you forget the name of the product the moment you walk out the door :)
  I guess they're handy for Android software installation, too. Buy stuff, get QR image, snap it with the device, APK link shows up. At least in theory it's simpler than plugging it into a computer and adding an extra upload step.
  Like other posters I've never seen a QR reader app which automatically navigates to a site.
12. Re:Just like with TinyURL... by slapout · 2011-12-30 18:05 · Score: 2
  
  I have a Firefox extension installed that will popup a qr code of the current url. I can then scan it with my phone to pull that website up on my phone.
  
  --
  Coder's Stone: The programming language quick ref for iPad
Does anyone have a QR code to a Rick Roll? by Nadaka · 2011-12-30 06:09 · Score: 4, Funny

Does anyone have a QR code to a Rick Roll?
1. Re:Does anyone have a QR code to a Rick Roll? by g0bshiTe · 2011-12-30 06:18 · Score: 5, Funny
  
  I do, but I'm never gonna give it up.
  
  --
  I am Bennett Haselton! I am Bennett Haselton!
2. Re:Does anyone have a QR code to a Rick Roll? by Anonymous Coward · 2011-12-30 06:21 · Score: 2, Informative
  
  Google has an API to create one on the fly. Use this base URL and append any URL you want to the end and you've got a QR code.
  https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl=
  Just add a youtube link to the video and viola.
3. Re:Does anyone have a QR code to a Rick Roll? by Anonymous Coward · 2011-12-30 06:31 · Score: 2, Funny
  
  I just had a great idea for a prank on local billboard advertisements that have QR codes.
4. Re:Does anyone have a QR code to a Rick Roll? by smart_ass · 2011-12-30 06:42 · Score: 2
  
  Google Chrome has an extension to create QR Codes from any link on a page.
  With this I set one of my Avatars as a QR code that takes you to "Let me Google that for you" and then searches:
  Curiosity killed the cat
  Hehehe
  
  --
  Ouch ... did I just say that.
Some scan apps can show URL and ask first by DaphneDiane · 2011-12-30 06:10 · Score: 5, Informative

The QR scanner app that I use has an option to show the URL before going to it which seems like a good approach, though it's not on by default. Seems like having the a such an option be the default would be a good first step, perhaps with a straight through exception for sites already visited.
1. Re:Some scan apps can show URL and ask first by blackraven14250 · 2011-12-30 06:16 · Score: 4, Insightful
  
  The one on Android marketplace (also the particular one that many apps are linked into) does show the link by default, but that still doesn't necessarily help the person using the scanner, who may be completely clueless that they're about to head into a random foreign domain.
2. Re:Some scan apps can show URL and ask first by Yvan256 · 2011-12-30 06:46 · Score: 3, Funny
  
  Sure, the morans will click the links but what about the morons?
3. Re:Some scan apps can show URL and ask first by Jarik+C-Bol · 2011-12-30 10:19 · Score: 2
  
  here's the thing, I scanned a QR from the back of a package of starbucks coffee beans today. the link? something like http://vjghhtv.com/qwertvmlghjg. took me to a special mobile version of starbucks site. If Legit QR codes are using garglemesh URL's, people are just going to click through, even with preview, because they always do.
  
  --
  I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
Just like evil hyperlinks by LikwidCirkel · 2011-12-30 06:11 · Score: 5, Interesting

This just in:
Clicking a hyperlink may result in being directed to a malicious site.

Considering 99% of uses don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.
1. Re:Just like evil hyperlinks by gstrickler · 2011-12-30 06:29 · Score: 4, Interesting
  
  We should all sue BT, after all, they claim they invented the hyperlink, therefore, they should be liable for the damages of malicious hyperlinks. My theory is based upon the premise that the most effective way to fight abuse of the legal system is to use it against the abusers thereby costing them billions of dollars. Call it an "economic sanction".
  
  --
  make imaginary.friends COUNT=100 VISIBLE=false
Not a very new problem. by cmv1087 · 2011-12-30 06:12 · Score: 3, Informative

http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?
1. Re:Not a very new problem. by Victor_0x53h · 2011-12-30 06:16 · Score: 5, Informative
  
  Cheat by adding a + to the end (you got 13 people as of now :^)
2. Re:Not a very new problem. by Cobol+God · 2011-12-30 06:17 · Score: 5, Informative
  
  http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?
  https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/
  Shows full URL. Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)
3. Re:Not a very new problem. by YrWrstNtmr · 2011-12-30 07:01 · Score: 4, Funny
  
  Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)
  
  We have this woman at work that does that. One day, I happened to be helping her with something. She was googling around, and the second link was www.foo.bar.cn. It was kinda what she was looking for, and before I could say 'No', she clicked it. It was blocked by the proxy.
  
  "Um...you probably don't want to go there."
  'Why not?'
  "It's some random site in China"
  'How do you know?'
  "ummm...the CN at the end = China"
  'Oh, I never pay attention to that'
  "Well, seeing as you're on a DoD computer and network, you might want to start paying attention to that stuff"
QR codes don't all have destinations by icebike · 2011-12-30 06:13 · Score: 5, Informative

You can do a lot with QR codes that have no destination at all, they are not restricted to web links.
They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.
But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect
the content visually before acting on it. They ask if you want to proceed.
Of course one could argue the click-thru generation does not know enough to evaluate the content, but then
these are the same people that no amount of malware/antivirus software can protect. They do the same with
links in email links.

--
Sig Battery depleted. Reverting to safe mode.
1. Re:QR codes don't all have destinations by cras · 2011-12-30 06:47 · Score: 2
  
  But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.
  Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect.
  Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".
Re:Show the link first? by QuasiSteve · 2011-12-30 06:14 · Score: 2

Which doesn't help all that much if the URL itself is from some link shortening service (so you still don't know what it is) - and the URL shortened is... to another link shortening service (so the first URL shortening service's preview of the page is just that of the other service).
Of course at that point it's probably wise not to follow the link anyway.
Shock Value by DigitalGodBoy · 2011-12-30 06:21 · Score: 4, Funny

A while back, a friend of mine at a university printed up several dozen flyers with a QR code pointing to LemonParty and posted them around campus. Hilarity ensued as he took pictures of people's reactions as they scanned them.

--
"liberty and justice for all those who can afford it"
http://en.wikipedia.org/wiki/QR_code by Anonymous Coward · 2011-12-30 06:24 · Score: 2, Interesting

Submitter EliSowash, editor Soulskill; please, when you folks put together summaries in the future...
...link things like QR code; don't expect us to know all abbreviations out there.
"Summary" means.. by Feyshtey · 2011-12-30 07:01 · Score: 2

If the summaries include descriptions of all possible acronyms or phrases included in the discussion, it's not really a summary is it?

http://lmgtfy.com/?q=QR+Code

--
"But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
Re:Well... by CapOblivious2010 · 2011-12-30 07:02 · Score: 2

Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
Where's the OCR? by Doc+Ruby · 2011-12-30 07:10 · Score: 4, Insightful

I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.
And also the IDN homograph attack that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.
WYSIWYG URLs. An idea whose time has come.

--
--
make install -not war
1. Re:Where's the OCR? by benjamindees · 2011-12-30 07:53 · Score: 3, Informative
  
  The obvious answer is that QR codes are useful to scan something with crappy resolution, like a phone display, using something with crappy resolution, like a phone camera, and to process it in real-time using something with crappy computing power, like a phone cpu. The fact that it works at all is really kind of amazing.
  
  --
  "I assumed blithely that there were no elves out there in the darkness"
2. Re:Where's the OCR? by mdmkolbe · 2011-12-30 08:15 · Score: 2
  
  Yes! Please! So many QR codes are in-place-of rather than in-addition-to a human-readable URL. If I don't have my phone with me or don't want to bother digging it out of my pocket (or don't even have a QR-enabled phone), then the QR code is just obfuscation.
  Smart people will always include a human-readable URL next to the QR code, but given that most QR designers evidently aren't smart enough for that, I'll settle for a human-readable QR.
3. Re:Where's the OCR? by sco08y · 2011-12-30 09:58 · Score: 2
  
  I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead?
  Okay, a QR code can transmit up to a kilobyte of data, with error correction, even with blurring. But you can't read it.
  A typical MICR code is a roughly 10 digit account or routing number, and it's typical use case is it's printed on a check that has information indicating which way is up, and is scanned by a machine with a fixed lens.
  Even with an OCR font, any blurring makes features run together, so you have to get the focal length just right. The MICR fonts only handle numerals; many English glyphs are homographs, let alone accents or Kanji. People will, at minimum, hold the camera at an angle if not upside down, so you'd need additional decoration to indicate orientation. And you'd need a universal standard to indicate character set. And the camera is square, so you'd either want a very short URL, or make it into a block of text. And you'd want additional garbage characters or decoration to add some error correction or at least checksum.
  If you did all this, it would probably not look much like intelligible English, let alone most other languages. And a URL is not going to be very intelligible to begin with and would only hold a tiny amount of actual data.
4. Re:Where's the OCR? by Carnildo · 2011-12-30 10:02 · Score: 2
  
  QR codes have the benefits of a higher information density and significant error checking/correction ability. MICR has an error rate of 1 per 100,000 characters, which works out to about one error per thousand URLs scanned. QR codes have an error rate of essentially zero: the ECC information means that when a scan error occurs, it either gets corrected or reported.
  
  --
  "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Re:Well... by LordLimecat · 2011-12-30 07:31 · Score: 2

And given how many exploits are propgated by ads and server hacks of well trusted sites (facebook, drudge, etc, have all been sources of ad-viruses), it gives a false sense of security. Ive had many a user convinced that they could never get a virus because of the sites they visited; they got one, and browser history showed facebook, and I had to explain how virus distribution works to them.
Best way to set your users free from having to think about such things: uninstall Java JRE, uninstall Acrobat reader (and install Foxit), update flash, get them using Chrome. Their browser will autoupdate, and there wont be any plugin 0-days to exploit.
Re:Well... by NFN_NLN · 2011-12-30 07:45 · Score: 2

Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
It isn't always a browser vulnerability being exploited. For instance, meatspin.com is perfectly safe to browse as it only corrupts your brain.
Re:Well... by ToasterMonkey · 2011-12-30 09:04 · Score: 4, Interesting

Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
Imagine being at the book store with your children, family, friends, etc. and thumbing though magazines to pass away the time. Now I know a streaker could AT ANY TIME run through the place and just wreck the friendly atmosphere, but he would be kicked out, and aside from that you wouldn't expect to randomly turn a magazine page to child porn, a rick roll, snuff film, man's stretched asshole, or other obscenity, unless you went to a place that sold those things.
Is it wrong to want little sanctuaries like that? I could go to another bookstore if I wanted, but I don't like sipping coffee with a book next to a rack of dildos. A little discretion, that's what people want. You can call it censorship or whatever if you want, but people want a little of that in public places, and that's what the Internet is.
I can appreciate the Internet for what it is, a weird private-public place, I do, but it's not being treated by most like the seedy underground cesspool it really is, and that bugs me. You SHOULD worry about clicking on a link - it was designed that way. It is analogous to the kind of physical places that make you want to take a bath after visiting. An AWESOME place for grey/black markets and all sorts of counter-culture memes. Places where you watch your back constantly, and most people rather not go.
Something IS fundamentally wrong with advocating it as a safe place for the public to do business and socialize. And we should stop laughing at people who get ripped off and abused by it. Nobody is "asking for" the kind of abuse you find on this network, and there is no safe alternative provided.
No more dangerous than URL shortening services by kobotronic · 2011-12-30 15:19 · Score: 2

Depending on how your phone scanner app is configured, QR code URL content may be shown on the screen as a link you can choose whether or not to open. But the links are often shortened so as to make for a smaller or less dense QR code box. And that puts this "risk" in the same category and amount as following any other bit.ly "mystery meat" link that resolves on the redirect service in a redirect to the real destination.
If your browser is built like shit and visiting a "maliciously constructed" webpage can cause code execution on your system, well that's still not a problem with the QR code technology.
QR is vulnerable to "spoofing" in the sense that for example a printed advert with a link on it to download an endorsed phone app - could with a cheaply produced sticker placed over the legitimate code become corrupted so the new code points to some other app. With Android's allowance for un-regulated third-party app installations, there is some concern there that this could lead to unwitting users downloading and installing a malicious app that masquerades as the endorsed, legitimate one.
The solution here could be to extend the established Android app signing system to have an "advisory" service that ranks the credibility of the individual app signing developers and publishers and as part of the app installation process can give you a heads-up hey wait a minute this app publisher has a strongly negative trust ranking maybe you shouldn't install it.
I want nothing like Apple's walled garden, but a voluntary model where you can get a "green seal" as a trustworthy app publisher and specifically trusted apps, might go a long way.