Slashdot Mirror


Malicious QR Codes Posted Where There's Lots of Foot Traffic

Orome1 writes "QR codes are very handy for directing users to specific sites by simply scanning them with their smartphones. But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails. They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them on prominent places in locations where there is a lot of foot traffic. According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them."


  1. This could be really dangerous! by Anonymous Coward · · Score: 4, Insightful

    If anyone actually used QR Codes, which they don't, so no harm.

    1. Re:This could be really dangerous! by mikael · · Score: 1

      I've found it the quickest way to transfer a web address bookmark off my PC and onto my smartphone, without the ******** hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:This could be really dangerous! by MrEricSir · · Score: 4, Funny

      This is why I'm sticking with my :CueCat.

      --
      There's no -1 for "I don't get it."
    3. Re:This could be really dangerous! by Ardyvee · · Score: 1

      But then you're probably the one generating it. Or should be :p

      --
      I don't care if I'm wrong. I only care about everyone obtaining something from the discussion.
    4. Re:This could be really dangerous! by Anonymous Coward · · Score: 1

      I used a QR code exactly once, when I realized it just went to a video ad, I realized they were just compact banner ads.

      Still, if that was a malicious QR code, my phone could have been compromised.

    5. Re:This could be really dangerous! by idontgno · · Score: 4, Informative

      I can only speak for my specific case (Android, using Barcode Scanner app): the app displays the captured image, metadata about the capture, and a decode of the string (recognizing, for instance, that it's a URI QR). BUT does not just hie off to whatever website is indicated. The displayed URI string is clickable, and clicking it does open the URI in the default browser app, but it does take that much human intervention to navigate there.

      A few notable specifics to compare with other situations:

      (A) No OS-native QR code capability. It required an app from the Google App Store (free, but not Free). One of several, it appears.

      (B) There is a configurable option "Retrieve more info" which, when enabled, looks up information about URI/URL QR codes as part of the decode. For instance, after ingesting the sample QR code from the Wikipedia "QR Code" article, the app correctly decodes the URI as "http://en.m.wikipedia.org", but with the "Retrieve more info" option enabled, it adds the descriptor "Wikipedia, the free encyclopedia"... which is the <Title> property at the top of that page, so I guess the app is retrieving the target URL internally and decoding the <Title> at least. Maybe that would be a buffer overflow vector for a well-crafted exploit, so I turn that option off.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    6. Re:This could be really dangerous! by Anonymous Coward · · Score: 1

      There is no confirmation on Windows Phone as far as I can tell.

      At least on WP7 using the Bing Vision functionality (built into WP7.5). When you scan a QR code it lists the data in the QR code. You then have to tap on the displayed link to open the browser. If it is not a link, then it just displays the data.

    7. Re:This could be really dangerous! by BoogeyOfTheMan · · Score: 1

      Opera Mobile (NOT Opera Mini) also allows you to do this. You can have it sync your bookmarks and saved passwords between devices that you have Opera installed on. It's helpful if you use multiple computers and/or devices. Works with Android, Linux, and Windows. Probably OSX and iOS too, but I don't use those.

    8. Re:This could be really dangerous! by Shoten · · Score: 1

      Since I'm in that same boat, isn't there some "navigate to site xyz" confirmation? Or does the phone stupidly start running some executable code? Because that would be a really dumb implementation error.

      Even if there were...most people wouldn't pay enough attention to notice that they were about to navigate to "www.MakeMyAndroidYourButtmonkey.cn" while they were on their way through the mall to get a Cinnabon. You can see what web address you're about to go to in an email link if you just hover over it, in most email clients (web or not), yet still many people fall for phishing schemes. And that's when you're sitting down at a computer, not walking around in the middle of other things and surrounded by distractions.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    9. Re:This could be really dangerous! by CanadianRealist · · Score: 3, Interesting

      The problem here is you are being reasonable and thinking logically about what you're doing. I'm sure you've noticed how much the average person hates having to think. Compare your comment with the average YouTube comment and see if you don't notice a difference.

      Now, try behaving like the average person for a bit: point at the QR code and then click whatever link pops up. Come on, you've already done more than enough thinking: putting the app on your phone, loading the app and pressing a button while aiming at the QR code. Now you want to have to think some more, think about where that link is going to take you?

      I bet the problem makes much more sense now.

    10. Re:This could be really dangerous! by Eythian · · Score: 3, Informative

      The source code for the Barcode Scanner app can be found here: http://code.google.com/p/zxing/source/browse/trunk

      It is free as in Free, Apache 2.0 license.

    11. Re:This could be really dangerous! by History's+Coming+To · · Score: 2

      There will always be ways around it - imagine a QR which links to a shortened URL (say http://du.rr/7en3if8), which is a link to http://www.myhackedblog.com/1/2/3/4/5/a/b/c/redirect.htm which links to http://www.cnn.com.news.hackeddomain.com/reallyfunnypicture.com

      You think anybody is going to be able to check there isn't a malicious script at the end of that? The vast, vast majority of people won't even be able to check the trail beforehand, they either have to click or not click, and it's A FUNNY PICTURE!

      Which is why we need a very clear THIS IS THE END POINT protocol, no shortened URLs, no redirect services. Back in the day a redirect or script call to an external URL was seen as being dodgy, now it's de rigueur because of the advertising industry. Now we're going back full circle.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    12. Re:This could be really dangerous! by chronokitsune3233 · · Score: 2

      This is my method. Chrome opens up on my mobile, and I open a new tab. Go to "Bookmarks > Desktop Bookmarks" et voilà! Easy peasy! Even better is the ability to open a page that you had been viewing on your phone/tablet in the desktop version of Chrome. I prefer to read with less scrolling and zooming, but that's just a personal preference, I suppose.

      --
      I have been a captive in America my entire life. Everybody and everything uses customary units instead of metric.
    13. Re:This could be really dangerous! by amRadioHed · · Score: 1

      Not entirely true anymore. About a week ago Google updated Google Search so that Google Now has a visual search that reads barcodes now.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    14. Re:This could be really dangerous! by TheLink · · Score: 2

      Include/embed a funny picture/video in addition to the malware payload and people will even spread the link for you.

    15. Re:This could be really dangerous! by idontgno · · Score: 1

      Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    16. Re:This could be really dangerous! by coolmadsi · · Score: 1

      Thanks for pointing that out. I'm glad I was mistaken about Barcode Scanner's Freeness. Another reason I lucked out picking this app out of the crowd.

      I think I got the Barcode Scanner from F-Droid (Open Source android app repository); I usually check there before the Play store for utility apps like that.

    17. Re:This could be really dangerous! by mcgrew · · Score: 1

      hassle of going through about ten different menus, exiting application, entering system menu, enabling USB, confirming that I want to enable USB, confirming that I accept my applications being affected by not being able to write to the SD CARD, pulling out and pushing in the USB charger cable again, confirming that I am ready, then disabling USB.

      Why not use Bluetooth? A bluetooth dongle for your PC costs $20 at WalMart, and if a smart phone didn't have it I wouldn't buy the phone -- hell, I've had dumb phones with Bluetooth.

      But since you are using USB, why does it need to be disabled at all? USB is a cord, not a radio signal. If someone can hack your phone with USB they already have it in their possession, and USB being disabled will be no barrier.

    18. Re:This could be really dangerous! by houghi · · Score: 1

      Sure you can see where it goes, but that does not mean much.
      http://s.houghi.org/temp/dbme4p.png
      Scan it and it will point to http://s.houghi.org/dbme4p
      That is a 302 forwarder to http://localhost/
      http://s.houghi.org/dbme4p.png will give all the info

      Now imagine that something like this is hanging on the high street and it is some other (self-made) forwarder. Even though people are aware that ads are lies, they do somewhat trust that an ad for Coca-Cola is placed there by Coca-Cola and the company is responsible for the content.

      --
      Don't fight for your country, if your country does not fight for you.
    19. Re:This could be really dangerous! by Hognoxious · · Score: 1

      F A C E T I O U S spells facetious. Can you use the word facetious in a sentence?

      Although it's equally possible he has a Nokia. What he describes would be a vast improvement over their Ovi suite.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    20. Re:This could be really dangerous! by mcgrew · · Score: 1

      Still, if that was a malicious QR code, my phone could have been compromised.

      More likely (and more easily) your Windows PC when you transferred the files to it. Smartphones are a fractured market, while Windows PCs are a monoculture. Plus, Windows PCs are a lot less secure than any phone. Considering how locked down phones are, they may even be safer than Macs and Linux.

  2. I don't use QR codes by dmomo · · Score: 3, Funny

    No way. Rick Astley? Goatse? Not worth the risk.

    1. Re:I don't use QR codes by emurphy42 · · Score: 3

      I love how those two things are like equally heinous in your book. :)

      I scan 'em once in a blue moon, but my phone app shows you the URL and asks confirmation, so at least there's that.

    2. Re:I don't use QR codes by Inda · · Score: 1

      Which phone app man?!?! We need to know! :)

      If we're on Android, and the Google tin foil hat is a nice fit, Google Goggles does a good job at reading QR Codes. It too displays all the information before you get a chance to click. It's even picked out QR Codes from the background of portrait photos, and when I first saw that, it was one of those 'neat' moments.

      People are talking about encoded URLs on this thread, but I've had a bit of fun encoding large amounts of text in a QR Code, which was then printed inside a birthday card. If the readers were more widely used, I'd have a QR code on one of my seven screens, and it would hold vCard data.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:I don't use QR codes by Hognoxious · · Score: 1

      One is anous and the other is heinal.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. Does anyone use QR codes? by Darkness404 · · Score: 1

    Does anyone actually use QR codes to go to websites? I've only used a handful of QR codes and those were for store promotions where if you were in their store you could scan a QR code and get a virtual "scratchers" ticket which would tell you if you won a prize or not.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Does anyone use QR codes? by medv4380 · · Score: 1

      Would malware makers even bother with the stickers if people didn't use them?

    2. Re:Does anyone use QR codes? by Darkness404 · · Score: 1

      But the ones I use are promotional ones meaning that the malware wouldn't work, it would just say "scan again" or something.

      --
      Taxation is legalized theft, no more, no less.
    3. Re:Does anyone use QR codes? by davebarnes · · Score: 2

      Yes,
      They are very useful on real estate For Sale signs.

      --
      Dave Barnes 9 breweries within walking distance of my house
    4. Re:Does anyone use QR codes? by norpy · · Score: 1

      You should stop reading slashdot, it's not for you.

      How the fuck do you think the qr code redirected you to the "scratcher" ticket?

    5. Re:Does anyone use QR codes? by aaarrrgggh · · Score: 1

      More useful than opening Zillow or RedFin, getting a GPS fix, and immediately having all the MLS data?! Not quite sure how, but to each his own.

    6. Re:Does anyone use QR codes? by plover · · Score: 1

      I'd hazard a guess that it's far more common that average potential buyers scan the QR codes instead of loading up those apps.

      Of course, now I have a good idea where to place my QR stickers...

      --
      John
    7. Re:Does anyone use QR codes? by drkim · · Score: 1

      Would malware makers even bother with the stickers if people didn't use them?

      That's like asking if people are dumb enough to think they will make millions cashing checks for some lawyer in Nigeria.

      Ha, ha, ha, ha, ha, ha, ha, ha.

  4. I don't scan with my feet by aNonnyMouseCowered · · Score: 1

    I know it's about pedestrian, rather than vehicular, traffic. But for an instant I thought some genius had thought of an exploit for high-tech shoes that had QR code scanners in their soles that linked to their smartphones.

    Now that would be a plot for a near future sci-fi novel. A sort of Apple maps-like fiasco that would send hapless pedestrians falling off bridges or onto the freeway.

  5. Re:Yes, and my /. id is smaller than yours by SuperKendall · · Score: 4, Funny

    Now I will need to disable them in Google Glasses or something.

    The Glasses! They do something!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  6. Norton Snap QR code reader by doug141 · · Score: 3, Informative

    It'll check out the site before connecting you, and is one of the few free code readers that doesn't require location permissions.

  7. Obfuscated URLs by agiacalone · · Score: 5, Interesting

    Any time you obfuscate the underlying address in a URL you pose a security risk.

    QR codes are no different than shortened URL services like bit.ly or goo.gl. All of these have the potential to take users to malicious websites because they can't be easily identified to the human reader.

    1. Re:Obfuscated URLs by Dishevel · · Score: 1

      Each reader I have used shows the URL.
      If it shows a bit.ly or some other URL shortened crap or even something I do not recognize I skip it.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    2. Re:Obfuscated URLs by sunderland56 · · Score: 1

      Actually, URL shortening services are worse - the malware could be inserted by the shortening service itself. Two points of attack, instead of just one.

      It constantly amuses me how many newspapers have articles and editorials saying how evil the Libyan government is - and then they use the bit.ly service to link to other material.

    3. Re:Obfuscated URLs by tlhIngan · · Score: 2

      QR codes can contain more than just a URL.

      They can contain a phone number, for example. Like when that Samsung bug was exposed where you dial a specific number and it factory-resets your phone. Scan the QR code, tap "go" and boom, phone's reset and you've lost all your data, games, contacts, etc.

      Just do it with something like "call this number to get free minutes" or something...
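
Added example, not part of any comment in this thread: a sketch of the checks a scanner app could run on a decoded QR payload before offering it to the user, covering the redirect chains and non-URL payloads discussed above. The hop table, the host names (`short.example`, `blog.example`, `fwd.example`), the trusted-domain list and the `tel:` service-code heuristic are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# Constructed sample data standing in for HEAD requests: URL -> (status, Location).
SAMPLE_HOPS = {
    "http://short.example/7en3if8": (302, "http://blog.example/a/b/redirect.htm"),
    "http://blog.example/a/b/redirect.htm":
        (302, "http://www.cnn.com.news.hackeddomain.example/pic"),
    "http://fwd.example/dbme4p": (302, "http://localhost/"),
}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(\S*)$")

def sample_fetch(url):
    """Hypothetical fetcher: looks the URL up in the table, performs no network I/O."""
    return SAMPLE_HOPS.get(url, (200, None))

def classify_payload(payload):
    """Return (kind, rest) where kind is 'web', 'tel', 'other-uri' or 'text'."""
    text = payload.strip()
    m = SCHEME_RE.match(text)
    if not m:
        return "text", text
    scheme = m.group(1).lower()
    if scheme in ("http", "https"):
        return "web", text
    return ("tel" if scheme == "tel" else "other-uri"), m.group(2)

def host_flags(host, trusted):
    """Flag internal targets and hosts that merely contain a trusted name."""
    host = (host or "").lower().rstrip(".")
    flags = []
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private:
            flags.append("internal-address")
    except ValueError:
        if host == "localhost" or host.endswith(".localhost"):
            flags.append("internal-address")
    for domain in trusted:
        owned = host == domain or host.endswith("." + domain)
        if not owned and f".{domain}." in f".{host}.":
            flags.append("lookalike:" + domain)
    return flags

def trace(url, fetch, max_hops=5):
    """Follow 3xx responses only; returns (chain, reached_final_page)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, True
        chain.append(urljoin(chain[-1], location))
    return chain, False  # hop limit hit: the real end point is still unknown

def inspect_qr(payload, fetch, trusted=("cnn.com",), shorteners=("short.example",)):
    """Build the report a scanner could show before the user taps anything."""
    kind, rest = classify_payload(payload)
    report = {"kind": kind, "chain": [], "flags": []}
    if kind == "tel":
        report["flags"].append("dials-number")
        if re.search(r"[*#]|%2[aA3]", rest):  # assumption: * or # marks a service code
            report["flags"].append("tel-service-code")
    if kind != "web":
        return report
    report["chain"], complete = trace(rest, fetch)
    chain = report["chain"]
    if not complete:
        report["flags"].append("redirect-limit")
    if urlsplit(chain[0]).hostname in shorteners:
        report["flags"].append("shortener")
    report["flags"] += host_flags(urlsplit(chain[-1]).hostname, trusted)
    return report
```

A header-only trace does not see HTML or script redirects, so a clean chain shows where the HTTP hops end, not what the final page does.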

  8. Malicious QR codes are nothing by BeerAndLoathing · · Score: 2

    I'm far more afraid of vicious gangs of Keep Left signs

  9. Haven't We Known This For Centuries? by IonOtter · · Score: 2

    If you insert your reproductive organs into an unverified orifice, or allow unverified reproductive organs or objects into your orifice, you run the risk of catching an infection.

    Why should sticking a QR code into your phone be any different?

    --
    [End Of Line]
    1. Re:Haven't We Known This For Centuries? by leehwtsohg · · Score: 1

      Why should sticking a QR code into your phone be any different?

      less fun?

    2. Re:Haven't We Known This For Centuries? by drkim · · Score: 1

      Why do we have browsers that treat a URL as an orifice into which to insert your reproductive organs, rather than an orifice to be examined with a flashlight from a safe distance?

      ...uh, because browsers are designed by lonely programmers, instead of bomb squad techs.

    3. Re:Haven't We Known This For Centuries? by RivenAleem · · Score: 1

      I sometimes do 3, even 4 QR codes in a day, what does that make me?

  10. I've always thought QR codes were dumb. by sootman · · Score: 2

    At least in the realm of getting a small bit of info from a printed surface into a modern (i.e., powerful) mobile device. Why not just have some human-readable text in a nice machine-readable font inside a distinctly-shaped box? Mobile devices can easily read lots of kinds of text, but a) this one has high reliability and b) the font itself conveys the purpose. For a shape, the existing QR box -- a square with three smaller squares -- would work, or it could be something new.

    This would solve THREE problems: 1) much less chance of malicious URLs, 2) you wouldn't need to scan it with a machine to see if you even want it in the first place, and 3) they'd be much easier to generate.

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:I've always thought QR codes were dumb. by sunderland56 · · Score: 1

      and 4) if you can't scan the QR code when you see it, you have a reasonable chance of remembering a decent URL; you have zero chance of remembering a QR code.

    2. Re:I've always thought QR codes were dumb. by Anonymous Coward · · Score: 1

      Microsoft's version of QR codes uses colorful triangles and is effective in the wow-factor. I see it used in a local daily newspaper for a lol-cat-type column where they don't want the URL known by us unwashed masses.

      Two reasons they are worse than QR codes:
      + Tracking. I am surprised not to have seen anybody mention this, so my guess is that standard QR codes are indeed deterministic and just decode some set graphic to text / url to process according to some type sentinel. The problem here is MS houses a central server and ALL transactions go through them... GPS location + ad impression data must cost a pretty penny.

      + Deceit - disguised as convenience - they can change or invalidate the URL easily without changing the original code just going into the Database. Probably better than having to redirect you from the original page because ad managers do not always have domain control over the target URL... until Microsoft came along and decided to insert itself in the market early.

    3. Re:I've always thought QR codes were dumb. by bitingduck · · Score: 1

      QR codes do just encode straight data, text, or a link, but many of the sites that will generate them for free for you actually generate a link to their own site and forward to your site, so they can be doing the same kind of tracking. The best way to do them is to print the link (or at least the domain) in readable text along with the QR, so that you can at least check that they resolve the same way. There's plenty of free software that will generate good QR codes without the deceit, but most people who want to use them probably can't easily download and run code, and may not even realize that the code they downloaded from a site goes through a redirect.

  11. Surprised by manu0601 · · Score: 1

    Well, I am surprised it took so long to appear. The attack is easy and the gains are obvious.

    1. Re:Surprised by wvmarle · · Score: 1

      It's also a lot of work compared to other attack vectors.

      After finding the obvious exploit and crafting your site (for whatever attack you plan), sending out lots of spam or placing compromised ads will allow you to reach millions of potential victims in a very short time, with limited effort.

      Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

    2. Re:Surprised by bitingduck · · Score: 1

      It's also a lot of work compared to other attack vectors.

      ...

      Those QR codes mean you have to go out, find suitable places to physically stick them to, and then hope someone will actually scan them. Sounds like a lot more work, with far less results, than the more traditional routes.

      And you have to pay actual money for those stickers or fliers that you're sticking to things, and maybe even have to pay someone to do it. More traditional all digital vectors probably give you a lot more bang for the buck.

  12. The gift that keeps on giving by maroberts · · Score: 1

    When you put links to Tubgirl and Goatse on top of realtors (estate agents) QR codes

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  13. Subversion time. by SuricouRaven · · Score: 1

    1. Find film posters.
    2. Apply QR code pointing to a pirate source for that film.
    3. No profit. That's the idea.

  14. I predict... BlipQRs! by drkim · · Score: 1

    I predict the next QR code attack will be:
    Malware QR codes blinked on TV screens, or web pages, just long enough to drive exposed phones and devices to hostile sites.

    Sorta like digital subliminals.

  15. [hackeddomain.com] by alostpacket · · Score: 1

    I think it's interesting that slashdot got it. Maybe there is no pure security out there, but clearly there are preventative steps that could help.

    --
    PocketPermissions Android Permission Guide
  16. I'll risk person has same. by Impy+the+Impiuos+Imp · · Score: 1

    Follow the money. Sooner or later someone has to take money out of the ultimate destination account.

    Then, testicleectomy is warranted.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.