Slashdot Mirror


Malicious QR Code Use On the Rise

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"

22 of 234 comments

  1. Just like with TinyURL... by dotancohen · · Score: 4, Interesting

    Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.

    --
    It is dangerous to be right when the government is wrong.

    1. Re:Just like with TinyURL... by SQLGuru · · Score: 5, Insightful

      I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data....and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.

      I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.

    2. Re:Just like with TinyURL... by bmo · · Score: 5, Informative

      >With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.

      That is why God made preview.tinyurl.com

      --
      BMO

    3. Re:Just like with TinyURL... by jhoegl · · Score: 5, Funny

      I made no such thing mere mortal!

    4. Re:Just like with TinyURL... by GIL_Dude · · Score: 5, Interesting

      For Chrome users, the LinkPeelr extension works well to pre-decode links for you in a little tooltip window. I've been using it for quite some time and it seems to work pretty well. Saves you from many a rickrolling or goatse link. Although I guess when people bounce them through several layers of link shortener it doesn't work for that.

    5. Re:Just like with TinyURL... by Fez · · Score: 5, Informative

      Which is where LongURL comes in handy: it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.

  2. Does anyone have a QR code to a Rick Roll? by Nadaka · · Score: 4, Funny

    Does anyone have a QR code to a Rick Roll?

    1. Re:Does anyone have a QR code to a Rick Roll? by g0bshiTe · · Score: 5, Funny

      I do, but I'm never gonna give it up.

      --
      I am Bennett Haselton! I am Bennett Haselton!

  3. Some scan apps can show URL and ask first by DaphneDiane · · Score: 5, Informative

    The QR scanner app that I use has an option to show the URL before going to it, which seems like a good approach, though it's not on by default. Seems like having such an option be the default would be a good first step, perhaps with a straight-through exception for sites already visited.

    1. Re:Some scan apps can show URL and ask first by blackraven14250 · · Score: 4, Insightful

      The one on Android marketplace (also the particular one that many apps are linked into) does show the link by default, but that still doesn't necessarily help the person using the scanner, who may be completely clueless that they're about to head into a random foreign domain.

    2. Re:Some scan apps can show URL and ask first by Yvan256 · · Score: 3, Funny

      Sure, the morans will click the links but what about the morons?

  4. Just like evil hyperlinks by LikwidCirkel · · Score: 5, Interesting

    This just in:
    Clicking a hyperlink may result in being directed to a malicious site.

    Considering 99% of users don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.

    1. Re:Just like evil hyperlinks by gstrickler · · Score: 4, Interesting

      We should all sue BT, after all, they claim they invented the hyperlink, therefore, they should be liable for the damages of malicious hyperlinks. My theory is based upon the premise that the most effective way to fight abuse of the legal system is to use it against the abusers thereby costing them billions of dollars. Call it an "economic sanction".

      --
      make imaginary.friends COUNT=100 VISIBLE=false

  5. Not a very new problem. by cmv1087 · · Score: 3, Informative

    http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?

    1. Re:Not a very new problem. by Victor_0x53h · · Score: 5, Informative

      Cheat by adding a + to the end (you got 13 people as of now :^)

    2. Re:Not a very new problem. by Cobol+God · · Score: 5, Informative

      > http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?

      https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/

      Shows full URL. Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)

    3. Re:Not a very new problem. by YrWrstNtmr · · Score: 4, Funny

      > Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)

      We have this woman at work that does that. One day, I happened to be helping her with something. She was googling around, and the second link was www.foo.bar.cn. It was kinda what she was looking for, and before I could say 'No', she clicked it. It was blocked by the proxy.

      "Um...you probably don't want to go there."
      'Why not?'
      "It's some random site in China"
      'How do you know?'
      "ummm...the CN at the end = China"
      'Oh, I never pay attention to that'
      "Well, seeing as you're on a DoD computer and network, you might want to start paying attention to that stuff"

  6. QR codes don't all have destinations by icebike · · Score: 5, Informative

    You can do a lot with QR codes that have no destination at all; they are not restricted to web links. They can be simple text messages, address book entries, phone numbers, wifi network set-up instructions, calendar events, etc.

    But every implementation I've seen of a QR code reader in Android and iOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.

    Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect. They do the same with links in emails.

    --
    Sig Battery depleted. Reverting to safe mode.

  7. Shock Value by DigitalGodBoy · · Score: 4, Funny

    A while back, a friend of mine at a university printed up several dozen flyers with a QR code pointing to LemonParty and posted them around campus. Hilarity ensued as he took pictures of people's reactions as they scanned them.

    --
    "liberty and justice for all those who can afford it"

  8. Where's the OCR? by Doc+Ruby · · Score: 4, Insightful

    I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.

    And also the IDN homograph attack that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.

    WYSIWYG URLs. An idea whose time has come.

    --
    make install -not war

    1. Re:Where's the OCR? by benjamindees · · Score: 3, Informative

      The obvious answer is that QR codes are useful to scan something with crappy resolution, like a phone display, using something with crappy resolution, like a phone camera, and to process it in real-time using something with crappy computing power, like a phone cpu. The fact that it works at all is really kind of amazing.

      --
      "I assumed blithely that there were no elves out there in the darkness"

  9. Re:Well... by ToasterMonkey · · Score: 4, Interesting
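Several posts above converge on what a scanner should do before acting on a payload: display the decoded content instead of auto-navigating (SQLGuru, DaphneDiane), recognize that not every payload is a link (icebike), and make look-alike Unicode host names visible (Doc Ruby's homograph point). The Python below is an added example written for this page, not code from any scanner app or from any poster here. It assumes the QR symbol has already been decoded to a string by a local library (that decoder is not included), and the shortener list is a constructed sample rather than a maintained one.

```python
"""Added example (not from any scanner app or post on this page): build the
preview a QR reader should show before acting on a decoded payload.

Assumes the QR symbol has already been decoded to a string by a local
library; that decoder is not part of this example."""
from urllib.parse import urlsplit

# Constructed sample of common link shorteners. A shortened link hides the
# final destination, so the preview flags it rather than trusting it.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def classify(payload: str) -> dict:
    """Say what kind of content the QR payload carries and whether the reader
    should ask before acting on it."""
    p = payload.strip()
    lower = p.lower()
    if lower.startswith("wifi:"):
        # Wi-Fi join instructions: joining a network is an action, so confirm.
        return {"kind": "wifi", "preview": p, "needs_confirm": True}
    if lower.startswith("tel:"):
        return {"kind": "phone", "preview": p[4:], "needs_confirm": True}
    if lower.startswith(("http://", "https://")):
        return _describe_url(p)
    # Plain text, vCards, calendar entries and so on: display only.
    return {"kind": "text", "preview": p, "needs_confirm": False}


def _describe_url(url: str) -> dict:
    """Extract the host the browser would really contact and list the things
    a user should be told before following the link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("plain http")
    if host in SHORTENERS:
        warnings.append("link shortener; final destination unknown")
    if parts.username is not None:
        # "https://trusted.example@evil.example/" contacts evil.example;
        # the part before the @ is a username, not the host.
        warnings.append("'@' before the host; the real host is " + host)
    if any(ord(c) > 127 for c in host):
        # Homograph check: show the punycode form so a host built from
        # look-alike Unicode letters is not mistaken for the ASCII name.
        try:
            ascii_host = host.encode("idna").decode("ascii")
            warnings.append("non-ASCII host; actual name is " + ascii_host)
        except UnicodeError:
            warnings.append("non-ASCII host that is not a valid IDN")
    return {"kind": "url", "host": host, "preview": url,
            "warnings": warnings, "needs_confirm": True}


if __name__ == "__main__":
    # Constructed sample payloads of the kinds a scanner might decode.
    samples = [
        "https://bit.ly/rCBPp7",                 # the short link from the thread
        "WIFI:T:WPA;S:CoffeeShop;P:hunter2;;",
        "http://p\u0430ypal.example/login",      # Cyrillic 'а' in the host
        "https://bank.example@evil.example/",
        "Just some text",
    ]
    for s in samples:
        print(classify(s))
```

The `needs_confirm` flag is the point SQLGuru makes: anything that triggers an action (open a URL, join a network, dial a number) gets shown to the user first, while plain text is simply displayed. The warnings list is what a "show the URL first" dialog should print next to the link, since a raw URL alone does not reveal a shortener, an `@`-prefixed decoy host, or a look-alike Unicode name.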

    Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.

    Imagine being at the book store with your children, family, friends, etc. and thumbing through magazines to pass away the time. Now I know a streaker could AT ANY TIME run through the place and just wreck the friendly atmosphere, but he would be kicked out, and aside from that you wouldn't expect to randomly turn a magazine page to child porn, a rick roll, snuff film, man's stretched asshole, or other obscenity, unless you went to a place that sold those things.

    Is it wrong to want little sanctuaries like that? I could go to another bookstore if I wanted, but I don't like sipping coffee with a book next to a rack of dildos. A little discretion, that's what people want. You can call it censorship or whatever if you want, but people want a little of that in public places, and that's what the Internet is.

    I can appreciate the Internet for what it is, a weird private-public place, I do, but it's not being treated by most like the seedy underground cesspool it really is, and that bugs me. You SHOULD worry about clicking on a link - it was designed that way. It is analogous to the kind of physical places that make you want to take a bath after visiting. An AWESOME place for grey/black markets and all sorts of counter-culture memes. Places where you watch your back constantly, and most people would rather not go.

    Something IS fundamentally wrong with advocating it as a safe place for the public to do business and socialize. And we should stop laughing at people who get ripped off and abused by it. Nobody is "asking for" the kind of abuse you find on this network, and there is no safe alternative provided.