Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious QR Codes Posted Where There's Lots of Foot Traffic

Posted by Soulskill on from the neither-idiotproof-nor-jerkproof dept.

Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."

89 comments

  1. This could be really dangerous! by Anonymous Coward · · Score: 4, Insightful

    If anyone actually used QR Codes, which they don't, so no harm.

    1. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.

    2. Re:This could be really dangerous! by mikael · · Score: 1

      I've found it the quickest way to transfer a web address bookmark off my PC and onto my smartphone, without the ******** hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:This could be really dangerous! by MrEricSir · · Score: 4, Funny

      This is why I'm sticking with my :CueCat.

      --
      There's no -1 for "I don't get it."
    4. Re:This could be really dangerous! by Ardyvee · · Score: 1

      But then you're probably the one generating it. Or should be :p

      --
      I don't care if I'm wrong. I only care about everyone obtaining something from the discussion.
    5. Re:This could be really dangerous! by Anonymous Coward · · Score: 1

      I used a QR code exactly once, when I realized it just went to a video ad, I realized they were just compact banner ads.

      Still, if that was a malicious QR code, my phone could have been compromised.

    6. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      There is no confirmation on Windows Phone as far as I can tell.

    7. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      That still sounds like a hassle. I myself use Chrome to Phone. Whenever I see something I want on my smart phone, I click a button on my browser and it appears on my phone.

    8. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Do you have a Droid?

      https://play.google.com/store/apps/details?id=com.sand.airdroid

      Set it up so you have a regular password you use and create a bookmark for the URL. Run the app on your phone, go to the bookmark on your computer, type in your password, put in the URL via the interface.

      Or, if you use Chrome, use the Chrome to Mobile extension.

    9. Re:This could be really dangerous! by idontgno · · Score: 4, Informative

      I can only speak for my specific case (Android, using Barcode Scanner app): the app displays the captured image, metadata about the capture, and a decode of the string (recognizing, for instance, that it's a URI QR). BUT does not just hie off to whatever website is indicated. The displayed URI string is clickable, and clicking it does open the URI in the default browser app, but it does take that much human intervention to navigate there.

      A few notable specifics to compare with other situations:

      (A) No OS-native QR code capability. It required an app from the Google App Store (free, but not Free). One of several, it appears.

      (B) There is a configurable option "Retrieve more info" which, when enabled, looks up information about URI/URL QR codes as part of the decode. For instance, after ingesting the sample QR code from the Wikipedia "QR Code" article, the app correctly decodes the URI as "http://en.m.wikipedia.org", but with the "Retrieve more info" option enabled, it adds the descriptor "Wikipedia, the free encyclopedia"... which is the <Title> property at the top of that page, so I guess the app is retrieving the target URL internally and decoding the <Title> at least. Maybe that would be a buffer overflow vector for a well-crafted exploit, so I turn that option off.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    10. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      What a Tandy thing to do!

    11. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Email it, click email on phone.

    12. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Or you could use Google Chrome with sync, which instantly makes your bookmark available on all your Chrome instances, no matter where they run.

    13. Re:This could be really dangerous! by Anonymous Coward · · Score: 1

      There is no confirmation on Windows Phone as far as I can tell.

      At least on WP7 using the Bing Vision functionality (built into WP7.5). When you scan a QR code it lists the data in the QR code. You then have to tap on the displayed link to open the browser. If it is not a link, then it just displays the data.

    14. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Yeah, or if you're using a Mac and iPhone, iMessage it to yourself. It goes to all you devices, then disappears once you click in on one.

    15. Re:This could be really dangerous! by BoogeyOfTheMan · · Score: 1

      Opera Mobile (NOT Opera Mini) also allows you to do this. You can have it sync your bookmarks and saved passwords between devices that you have Opera installed on. Its helpful if you use multiple computers and/or devices. Works with Android, Linux, and Windows. Probably OSX and iOS too, but I dont use those.

    16. Re:This could be really dangerous! by Shoten · · Score: 1

      Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.

      Even if there were...most people wouldn't pay enough attention to notice that they were about to navigate to "www.MakeMyAndroidYourButtmonkey.cn" while they were on their way through the mall to get a Cinnabon. You can see what web address you're about to go to in an email link if you just hover over it, in most email clients (web or not), yet still many people fall for phishing schemes. And that's when you're sitting down at a computer, not walking around in the middle of other things and surrounded by distractions.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    17. Re:This could be really dangerous! by CanadianRealist · · Score: 3, Interesting

      The problem here is you are being reasonable and thinking logically about what you're doing. I'm sure you've noticed how much the average person hates having to think. Compare your comment with the average YouTube comment and see if you don't notice a difference.

      Now, try behaving like the average person for a bit: point at the QR code and then click whatever link pops up. Come on, you've already done more than enough thinking: putting the app on your phone, loading the app and pressing a button while aiming at the QR code. Now you want to have to think some more, think about where that link is going to take you?

      I bet the problem makes much more sense now.

    18. Re:This could be really dangerous! by Eythian · · Score: 3, Informative

      The source code for the Barcode Scanner app can be found here: http://code.google.com/p/zxing/source/browse/trunk

      It is free as in Free, Apache 2.0 license.

    19. Re:This could be really dangerous! by History's+Coming+To · · Score: 2

      There will always be ways around it - imagine a QR which links to a shortened URL (say http://du.rr/7en3if8), which is a link to http://www.myhackedblog.com/1/2/3/4/5/a/b/c/redirect.htm which links to http://www.cnn.com.news.hackeddomain.com/reallyfunnypicture.com

      You think anybody is going to be able to check there isn't a malicious script at the end of that? The vast, vast majority of people won't even be able to check the trail beforehand, they either have to click or not click, and it's A FUNNY PICTURE!

      Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services. Back in the day a redirect or script call to an external URL was seen as being dodgy, now it's de rigeur because of the advertising industry. Now we're going back full circle.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    20. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      If there's really a site that can 'make your android someone's butt monkey' just by viewing it in a web browser, then the problem doesn't lie in how people might arrive at such a site ...

    21. Re:This could be really dangerous! by chronokitsune3233 · · Score: 2

      This is my method. Chrome opens up on my mobile, and I open a new tab. Go to "Bookmarks > Desktop Bookmarks" et voilà! Easy peasy! Even better is the ability to open a page that you had been viewing on your phone/tablet in the desktop version of Chrome. I prefer to read with less scrolling and zooming, but that's just a personal preference, I suppose.

      --
      I have been a captive in America my entire life. Everybody and everything uses customary units instead of metric.
    22. Re:This could be really dangerous! by amRadioHed · · Score: 1

      Not entirely true anymore. About a week ago Google update Google Search so that Google Now has a visual search that reads barcodes now.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    23. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      http://picturesofpeoplescanningqrcodes.tumblr.com/

      Site's coming up on a year old now.

    24. Re:This could be really dangerous! by TheLink · · Score: 2

      Include/embed a funny picture/video in addition to the malware payload and people will even spread the link for you.

      --
    25. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services.

      There is no protocol which can reliably detect and/or prevent a web page from giving you a local resource which is in reality just a placeholder for information retrieved from a remote source.

      "Back in the day" redirects were seen as dodgy partially because bandwidth was limited, and partially because there were a lot of browser vulnerabilities which you could take advantage of using redirects. The root of the problem is the browser being a piece of shit, it shouldn't matter what kind of site you navigate to there's no excuse for the browser being a security risk. We keep cobbling more features onto the browsers which is what really drives the problem, adding support for non-standard technologies, etc. just makes it worse.

    26. Re:This could be really dangerous! by idontgno · · Score: 1

      Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    27. Re:This could be really dangerous! by coolmadsi · · Score: 1

      Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

      I think I got the Barcode Scanner from F-Droid (Open Source android app repository); I usually check there before the Play store for utility apps like that.

    28. Re:This could be really dangerous! by mcgrew · · Score: 1

      hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

      Why not use Bluetooth? A bluetooth dongle for your PC costs $20 at WalMart, and if a smart phone didn't have it I wouldn't buy the phone -- hell, I've had dumb phones with Bluetooth.

      But since you are using USB, why does it need to be disabled at all? USB is a cord, not a radio signal. If someone can hack your phone with USB they already have it in their posession, and USB being disabled will be no barrier.

      --
      Free Martian Whores!
    29. Re:This could be really dangerous! by houghi · · Score: 1

      Sure you can see where it goes, but that does not mean much.
      http://s.houghi.org/temp/dbme4p.png
      Scan it and it will point to http://s.houghi.org/dbme4p
      That is a 302 forwarder to http://localhost/
      http://s.houghi.org/dbme4p.png will give all the info

      Now imagine that something like this is hanging on highstreet and it is some other (selfmade) forwarder. Even though people are aware that ads are lies, they do somewhat trust that an add for Coca-Cola is placed there by Coca-Cola and the company is responsible for the content.

      --
      Don't fight for your country, if your country does not fight for you.
    30. Re:This could be really dangerous! by Hognoxious · · Score: 1

      F A C E T I O U S spells facetious. Can you use the word facetious in a sentence?

      Although it's equally possible he has a Nokia. What he describes would be a vast improvement over their Ovi suite.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    31. Re:This could be really dangerous! by mcgrew · · Score: 1

      Still, if that was a malicious QR code, my phone could have been compromised.

      More likely (and more easily) your Windows PC when you transferred the files to it. Smartphones are a fractured market, while Windows PCs are a monoculture. Plus, Windows PCs are a lot less secure than any phone. Considering how locked down phones are, they mey even be safer than Macs and Linux.

      --
      Free Martian Whores!
    32. Re:This could be really dangerous! by Anonymous Coward · · Score: 0

      can't just email?

  2. I don't use QR codes by dmomo · · Score: 3, Funny

    No way. Rick Astley? Goatse? Not worth the risk.

    1. Re:I don't use QR codes by emurphy42 · · Score: 3

      I love how those two things are like equally heinous in your book. :)

      I scan 'em once in a blue moon, but my phone app shows you the URL and asks confirmation, so at least there's that.

    2. Re:I don't use QR codes by Anonymous Coward · · Score: 0

      Ditto here. If the QR code embeds a bit.ly or other short URL, then I ignore it at that point. URL redirectors and anathema to using QR codes...

    3. Re:I don't use QR codes by Inda · · Score: 1

      Which phone app man?!?! We need to know! :)

      If we're on Android, and the Google tin foil hat is a nice fit, Google Googles does a good job at reading QR Codes. It too displays all the information before you get a chance to click. It's even picked out QR Codes from teh background of portrait photos, and when I first saw that, it was one of those 'neat' moments.

      People are talking about encoded URLs on this thread, but I've had a bit of fun encoding large amounts of text in a QR Code, which was then printed inside a birthday card. If the readers were more widely used, I'd have a QR code on one of my seven screens, and it would hold vCard data.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    4. Re:I don't use QR codes by Hognoxious · · Score: 1

      One is anous and the other is heinal.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re:I don't use QR codes by emurphy42 · · Score: 1

      https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=en

  3. Wow... by Anonymous Coward · · Score: 0

    No. Shit. Sherlock.

  4. whodathunkit? by Anonymous Coward · · Score: 0

    I would have never guessed this would happen....

  5. Does anyone use QR codes? by Darkness404 · · Score: 1

    Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes and those were for store promotions where if you were in their store you could scan a QR code and get a virtual "scratchers" ticket which would tell you if you won a prize or not.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Does anyone use QR codes? by medv4380 · · Score: 1

      Would malware makers even bother with the stickers if people didn't use them?

    2. Re:Does anyone use QR codes? by Anonymous Coward · · Score: 0

      Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes...

      Well you do...

    3. Re:Does anyone use QR codes? by Darkness404 · · Score: 1

      But the ones I use are promotional ones meaning that the malware wouldn't work, it would just say "scan again" or something.

      --
      Taxation is legalized theft, no more, no less.
    4. Re:Does anyone use QR codes? by davebarnes · · Score: 2

      Yes,
      They are very useful on real estate For Sale signs.

      --
      Dave Barnes 9 breweries within walking distance of my house
    5. Re:Does anyone use QR codes? by norpy · · Score: 1

      You should stop reading slashdot, it's not for you.

      How the fuck do you think the qr code redirected you to the "scratcher" ticket?

    6. Re:Does anyone use QR codes? by aaarrrgggh · · Score: 1

      More useful than opening Zillow or RedFin, getting a GPS fix, and immediately having all the MLS data?! Not quite sure how, but to each his own.

    7. Re:Does anyone use QR codes? by plover · · Score: 1

      I'd hazard a guess that it's far more common that average potential buyers scan the QR codes instead of loading up those apps.

      Of course, now I have a good idea where to place my QR stickers...

      --
      John
    8. Re:Does anyone use QR codes? by drkim · · Score: 1

      Would malware makers even bother with the stickers if people didn't use them?

      That's like asking if people are dumb enough to think they will make millions cashing checks for some lawyer in Nigeria.

      Ha, ha, ha, ha, ha, ha, ha, ha.

  6. Yes, and my /. id is smaller than yours by Anonymous Coward · · Score: 0

    I use them, but I won't anymore. Now I will need to disable them in Google Glasses or something.

    1. Re:Yes, and my /. id is smaller than yours by SuperKendall · · Score: 4, Funny

      Now I will need to disable them in Google Glasses or something.

      The Glasses! They do something!

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. I don't scan with my feet by aNonnyMouseCowered · · Score: 1

    I know it's about pedestrian, rather than vehicular, traffic. But for an instant I thought some genius had thought of an exploit for high-tech shoes that had QR code scanners in their soles that linked to their smartphones.

    Now that would be a plot for a near future sci-fi novel. A sort of Apple maps-like fiasco that would send hapless pedestrians falling off bridges or onto the freeway.

  8. Re:Please to be visiting my web internet site page by Anonymous Coward · · Score: 0

    What the actual fvck?

  9. Norton Snap QR code reader by doug141 · · Score: 3, Informative

    It'll check out the site before connecting you, and is one of the few free code readers that doesn't require location permissions.

    1. Re:Norton Snap QR code reader by Anonymous Coward · · Score: 0

      not sure why you'd ever use a qr code reader other than the zebra crossing one. open source and handles everything.

    2. Re:Norton Snap QR code reader by Anonymous Coward · · Score: 0

      Seconding the "Barcode Reader" app:

      https://play.google.com/store/apps/details?id=com.google.zxing.client.android&hl=en

      Screw Norton and their shitty softwares.

  10. Obfuscated URLs by agiacalone · · Score: 5, Interesting

    Any time you obfuscate the underlying address in a URL you pose a security risk.

    QR codes are no different than shortened URL services like blt.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified to the human reader.

    1. Re:Obfuscated URLs by Anonymous Coward · · Score: 0

      If you can reliably identify malicious websites by looking at the URL, you're exceptionally smart. If in turn you would trust a shortened URL or QR code more than a normal-looking address, the inverse is true.

    2. Re:Obfuscated URLs by Dishevel · · Score: 1

      Each reader I have used show the URL.
      If it shows a bit.ly or some other URL shortened crap or even something I do not recognize I skip it.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:Obfuscated URLs by Anonymous Coward · · Score: 0

      If you can reliably identify malicious websites by looking at the URL, you're exceptionally smart. If in turn you would trust a shortened URL or QR code more than a normal-looking address, the inverse is true.

      Smart is exceptionally you? Sounds soviet Russian, no offence.

    4. Re:Obfuscated URLs by Anonymous Coward · · Score: 0

      Why do we have a situation where loading a malicious URL can get you pwned in the first place? Choosing to load and display a webpage should not be an act of trust that the server isn't going to hijack your browser.

    5. Re:Obfuscated URLs by sunderland56 · · Score: 1

      Actually, URL shortening services are worse - the malware could be inserted by the shortening service itself. Two points of attack, instead of just one.

      It constantly amuses me how many newspapers have articles and editorials saying how evil the Libyan government is - and then they use the bit.ly service to link to other material.

    6. Re:Obfuscated URLs by tlhIngan · · Score: 2

      QR codes can contain more than just a URL.

      They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR core, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.

      Just do it with something like "call this number to get free minutes" or something...

    7. Re:Obfuscated URLs by Anonymous Coward · · Score: 0

      Just wait til this stuff creeps into the Street View image files.
      Your car will be looking for information and getting misled, and glancing at the wrong thing will take over your eyeglasses.

  11. Malicious QR codes are nothing by BeerAndLoathing · · Score: 2

    I'm far more afraid of vicious gangs of Keep Left signs

  12. QR Codes? by Anonymous Coward · · Score: 0

    I won't click a link without being able to see where it goes. No shortened urls, and definitely no QR codes.

    1. Re:QR Codes? by Anonymous Coward · · Score: 0

      Presumably, you don't browse the web, then? Or do you have javascript permanently disabled?

  13. Too bad Slashdot doesn't do Unicode by Anonymous Coward · · Score: 0

    Otherwise I'd try to create a QR code in a post, using box-drawing characters, pointing to mal.icio.us.

  14. Haven't We Known This For Centuries? by IonOtter · · Score: 2

    If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.

    Why should sticking a QR code into your phone be any different?

    --
    [End Of Line]
    1. Re:Haven't We Known This For Centuries? by leehwtsohg · · Score: 1

      Why should sticking a QR code into your phone be any different?

      less fun?

    2. Re:Haven't We Known This For Centuries? by Anonymous Coward · · Score: 0

      Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance? Browsers are supposed to display information, not run malware.

    3. Re:Haven't We Known This For Centuries? by drkim · · Score: 1

      Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance?

      ...uh, because browsers are designed by lonely programmers, instead of bomb squad techs.

    4. Re:Haven't We Known This For Centuries? by RivenAleem · · Score: 1

      I sometimes do 3, even 4 QR codes in a day, what does that make me?

  15. I've always thought QR codes were dumb. by sootman · · Score: 2

    At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.

    This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:I've always thought QR codes were dumb. by sunderland56 · · Score: 1

      and 4) if you can't scan the QR code when you see it, you have a reasonable chance of remembering a decent URL; you have zero chance of remembering a QR code.

    2. Re:I've always thought QR codes were dumb. by Anonymous Coward · · Score: 1

      Microsoft version of QR codes uses colorful triangles and is effective in the wow-factor. I see used in a local daily newspaper for a lol-cat-type column where they don't want the URL known by us unwashed masses.

      Two reasons they are worse than QR codes:
      + Tracking. I am surprised not to have seen anybody mention this, so my guess is that standard QR codes are indeed deterministic and just decode some set graphic to text / url to process according to some type sentinel. The problem here is MS houses a central server and ALL transactions go through them... GPS location + ad impression data must cost a pretty penny.

      + Deceit - disguised as convenience - they can change or invalidate the URL easily without changing the original code just going into the Database. Probably better than having to redirect you from the original page because ad managers do not always have domain control over the target URL... until Microsoft came along and decided to insert itself in the market early.

    3. Re:I've always thought QR codes were dumb. by bitingduck · · Score: 1

      QR codes do just encode straight data, text, or a link, but many of the sites that will generate them for free for you actually generate a link to their own site and forward to your site, so they can be doing the same kind of tracking. The best way to do them is to print the link (or at least the domain) in readable text along with the QR, so that you can at least check that they resolve the same way. There's plenty of free software that will generate good QR codes without the deceit, but most people who want to use them probably can't easily download and run code, and may not even realize that the code they downloaded from a site goes through a redirect.

  16. Your pencil's smaller - you don't get it by Anonymous Coward · · Score: 0

    The Glasses! They do something! by SuperKendall (25149) on Tuesday December 11, @06:34PM (#42255299)

    Brain jammin' viruses by strobes man! You noobs'll see (literally).

  17. Suprised by manu0601 · · Score: 1

    Well, I am surprised it took so long to appear. The attack is easy and the gains are obvious.

    1. Re:Suprised by wvmarle · · Score: 1

      It's also a lot of work compared to other attack vectors.

      After finding the obvious exploit and crafting your site (for whatever attack you plan), sending out lots of spam or placing compromised ads will allow you to reach millions of potential victims in a very short time, with limited effort.

      Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

    2. Re:Suprised by bitingduck · · Score: 1

      It's also a lot of work compared to other attack vectors.

      ...

      Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

      And you have to pay actual money for those stickers or fliers that you're sticking to things, and maybe even have to pay someone to do it. More traditional all digital vectors probably give you a lot more bang for the buck.

  18. The gift that keeps on giving by maroberts · · Score: 1

    When you put links to Tubgirl and Goetse on top of realtors(estate agents) QR codes

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  19. Subversion time. by SuricouRaven · · Score: 1

    1. Find film posters.
    2. Apply QR code pointing to a pirate source for that film.
    3. No profit. That's the idea.

  20. I predict... BlipQRs! by drkim · · Score: 1

    I predict the next QR code attack will be:
    Malware QR codes blinked on TV screens, or web pages, just long enough to drive exposed phones and devices to hostile sites.

    Sorta like digital subliminals.

  21. [hackeddomain.com] by alostpacket · · Score: 1

    I think it's interesting that slashdot got it. Maybe there is no pure security out there, but clearly there are preventative steps that could help.

    --
    PocketPermissions Android Permission Guide
  22. I'll risk person has same. by Impy+the+Impiuos+Imp · · Score: 1

    Follow the money. Sooner or later someone has to take money out of the ultimate destination account.

    Then, testicleectomy is warranted.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  23. I did it ... by Anonymous Coward · · Score: 0

    I did it but instead people are taken to an image of a goatse.