Slashdot Mirror


Malicious QR Code Use On the Rise

New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"

11 of 234 comments

  1. Some scan apps can show URL and ask first by DaphneDiane · · Score: 5, Informative

    The QR scanner app that I use has an option to show the URL before going to it, which seems like a good approach, though it's not on by default. Seems like having such an option be the default would be a good first step, perhaps with a straight-through exception for sites already visited.

  2. Just like evil hyperlinks by LikwidCirkel · · Score: 5, Interesting

    This just in:
    Clicking a hyperlink may result in being directed to a malicious site.

    Considering 99% of users don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.

  3. QR codes don't all have destinations by icebike · · Score: 5, Informative

    You can do a lot with QR codes that have no destination at all, they are not restricted to web links.
    They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.

    But every implementation I've seen of a QR code reader in Android and iOS also gives you the option to inspect
    the content visually before acting on it. They ask if you want to proceed.

    Of course one could argue the click-thru generation does not know enough to evaluate the content, but then
    these are the same people that no amount of malware/antivirus software can protect. They do the same with
    links in email.

    --
    Sig Battery depleted. Reverting to safe mode.
  4. Re:Not a very new problem. by Victor_0x53h · · Score: 5, Informative

    Cheat by adding a + to the end (you got 13 people as of now :^)

  5. Re:Not a very new problem. by Cobol+God · · Score: 5, Informative

    http://bit.ly/rCBPp7 You don't know where that link goes until you click it. So, what do you do?

    https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/

    Shows full URL. Rule 1: don't click on URLs to unknown websites, ESPECIALLY at work! :)

  6. Re:Does anyone have a QR code to a Rick Roll? by g0bshiTe · · Score: 5, Funny

    I do, but I'm never gonna give it up.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  7. Re:Just like with TinyURL... by SQLGuru · · Score: 5, Insightful

    I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data... and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.

    I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.

  8. Re:Just like with TinyURL... by bmo · · Score: 5, Informative

    >With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.

    That is why God made preview.tinyurl.com

    --
    BMO

  9. Re:Just like with TinyURL... by jhoegl · · Score: 5, Funny

    I made no such thing mere mortal!

  10. Re:Just like with TinyURL... by GIL_Dude · · Score: 5, Interesting

    For Chrome users, the LinkPeelr extension works well to pre-decode links for you in a little tooltip window. I've been using it for quite some time and it seems to work pretty well. Saves you from many a rickrolling or goatse link. Although I guess when people bounce them through several layers of link shortener it doesn't work for that.

  11. Re:Just like with TinyURL... by Fez · · Score: 5, Informative

    Which is where LongURL comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.
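
The "show the content and ask first" behaviour described in comments 1, 3 and 7, sketched as an added example (not code from the thread or from any scanner app). The function names are hypothetical, the payload prefixes are the de facto conventions used by common QR generators, and the sample payloads in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# Shorteners named in the thread; extend for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com"}

# De facto non-URL payload prefixes emitted by common QR generators.
PREFIXES = [
    ("WIFI:", "wifi-config"), ("MECARD:", "contact"), ("BEGIN:VCARD", "contact"),
    ("BEGIN:VEVENT", "calendar-event"), ("TEL:", "phone-number"),
    ("SMSTO:", "sms"), ("SMS:", "sms"), ("MAILTO:", "email"), ("GEO:", "location"),
]

def classify(payload: str) -> dict:
    """Describe decoded QR text without acting on it."""
    text = payload.strip()
    upper = text.upper()
    if upper.startswith(("HTTP://", "HTTPS://")):
        try:
            parts = urlsplit(text)
        except ValueError:
            return {"kind": "url", "host": None, "warnings": ["malformed URL"]}
        host = (parts.hostname or "").lower()
        checks = [
            (parts.scheme.lower() != "https", "not HTTPS"),
            (host in SHORTENERS, "shortened link, real destination hidden"),
            (bool(parts.username or parts.password), "text before '@' can disguise the host"),
            (any(p.startswith("xn--") for p in host.split(".")), "punycode host, may imitate another name"),
        ]
        return {"kind": "url", "host": host, "warnings": [msg for hit, msg in checks if hit]}
    for prefix, kind in PREFIXES:
        if upper.startswith(prefix):
            return {"kind": kind, "host": None, "warnings": []}
    scheme = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):\S", text)
    if scheme:  # some other URI scheme, e.g. an app deep link
        warning = "unrecognised scheme: " + scheme.group(1).lower()
        return {"kind": "other-uri", "host": None, "warnings": [warning]}
    return {"kind": "text", "host": None, "warnings": []}

def confirmation_prompt(payload: str) -> str:
    """Text a scanner would display before the user decides to proceed."""
    info = classify(payload)
    lines = [f"Type: {info['kind']}", f"Content: {payload.strip()}"]
    if info["host"]:
        lines.append(f"Host: {info['host']}")
    lines += [f"Warning: {w}" for w in info["warnings"]]
    return "\n".join(lines)
```

A shortener hit only tells the user the destination is hidden; resolving the redirect chain needs a preview service such as the ones mentioned in comments 8 and 11.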