QR Codes: Convenient and…Dangerous

These now-familiar square images you see in ads, magazines and posters have proved to be the easiest and cheapest way to link the real and the virtual worlds. All you have to do is take a picture of a QR code with your smartphone camera and you can follow a link to information on a website, save a contact’s telephone number or download an application. Marketing specialists love the technology for its sheer simplicity, but so do cybercriminals. Therefore, you need to be very careful when pointing your device’s camera at a QR code.

A QR code (QR being short for quick response) can contain all sorts of text information and/or links to online resources. QR codes have been popular for quite some time in Asia, and are now gaining popularity in Europe and the Americas. They can be seen everywhere: on billboards, goods exhibited in stores, on websites, various types of tickets and coupons…the list goes on and on. At the same time, scams involving QR codes are also gaining in popularity. There are many cases of malicious QR codes being neatly placed over legitimate ones. This practice, with similarities to phishing, has come to be known as QRishing.

It takes little imagination to see how dangerous a QR code can be when it is displayed in a public place: in the subway, at an airport or train station, or in a bank, for instance on an ATM. Most people implicitly trust such adverts and would never imagine that a threat could be lurking on the premises of a major bank.

When a user scans a QR code, the scanner app usually shows the decoded link on screen before opening it; however, cybercriminals use URL shortening services (bit.ly and others) to disguise the ultimate destination, which may be a phishing site or a page serving malware that steals the user’s credentials. The situation is further complicated by the fact that a mobile browser may not always display the complete URL of the opened page, which is a real handicap when trying to spot a scam. To make matters worse, mobile devices are often poorly protected against malware.


To reduce this type of threat, follow three simple recommendations:

  1. Be careful. Before scanning a QR code, make sure it is not a sticker covering another code. If in doubt, do not scan.
  2. After the code opens an app store page or a website in your browser, make sure it has taken you where you expected to go. If you are about to install an application, make sure it was published by the company whose ad or information you saw, and check the application’s rating and user reviews; if there are very few or none at all, it is best to postpone the installation. If the code leads to a website, check the complete URL; otherwise you may fall victim to a phishing scam. Be especially cautious before entering personal data or credentials, including email or e-banking details.
  3. If your smartphone allows the installation of security applications that check sites for malicious content and downloaded software for malware, make sure you install such an application. This is especially appropriate for Android smartphones, which are now targeted by thousands of malware programs.
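The advice above boils down to: look at what the code actually contains, and find out where a shortened link really ends up before you tap it. The following script is an added example (not code from the original article or from any particular product) that does exactly that for an already-decoded QR payload. It assumes the QR image has been turned into a string by a scanner app or a command-line tool such as zbarimg; it classifies the string, flags common phishing tricks in a URL (shortener hosts, a decoy name before `@`, a raw IP address, a punycode host, non-web schemes such as `intent:`), and unwraps redirects one hop at a time with HEAD requests so that no page is ever rendered. The shortener list, the redirect table and the sample payloads are constructed for the demo; only `head_fetch` touches the network, and the demo does not call it.

```python
"""Check a decoded QR payload before acting on it (added example, not the
article's own code).  Assumes the QR image has already been decoded to a
string; the shortener list, redirect table and samples are constructed."""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Public URL shorteners often seen in QR codes (illustrative, extend as needed).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# Schemes that do more than open a web page and deserve a closer look.
NON_WEB_SCHEMES = {"intent", "javascript", "data", "file", "market", "sms", "tel"}


def classify_payload(payload: str) -> str:
    """Rough type of the decoded text: vcard, wifi, url or text."""
    head = payload.lstrip().upper()
    if head.startswith(("BEGIN:VCARD", "MECARD:")):
        return "vcard"
    if head.startswith("WIFI:"):
        return "wifi"
    # Anything with a scheme prefix is treated as a link, which is also what
    # a scanner app will do with it (heuristic, not a full URI parser).
    return "url" if urlsplit(payload).scheme else "text"


def url_warnings(url: str) -> list:
    """Indicators that a scanned link deserves a second look before tapping."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme in NON_WEB_SCHEMES:
        warnings.append("non-web scheme '%s:'" % parts.scheme)
    if host in SHORTENER_HOSTS:
        warnings.append("shortener %s hides the real destination" % host)
    if parts.username is not None:  # https://bank.example@evil.example/
        warnings.append("decoy name or credentials before '@' in the URL")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host (possible look-alike domain)")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    return warnings


def expand(url: str, fetch, max_hops: int = 5):
    """Follow redirects one hop at a time without rendering anything.

    fetch(url) returns (status, location) for a single request.  Returns
    (chain, complete); complete is False if the chain exceeded max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain, True
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, False


def head_fetch(url: str, timeout: float = 5.0):
    """Real fetcher: one HEAD request, redirects deliberately not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; urllib then raises HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed redirect table standing in for the network in the demo.
FAKE_NET = {
    "https://bit.ly/3abcXYZ": (301, "https://t.co/q1w2e3"),
    "https://t.co/q1w2e3": (302, "https://secure-login.example.net/bank/"),
    "https://secure-login.example.net/bank/": (200, None),
}


def fake_fetch(url):
    return FAKE_NET.get(url, (404, None))


def inspect(payload: str, fetch=fake_fetch) -> dict:
    """Everything a user should see before acting on a scanned code."""
    kind = classify_payload(payload)
    report = {"kind": kind, "warnings": [], "chain": [payload], "truncated": False}
    if kind == "url":
        chain, complete = expand(payload, fetch)
        report["chain"], report["truncated"] = chain, not complete
        report["warnings"] = url_warnings(payload)
        if chain[-1] != payload:  # also judge where the link really ends up
            report["warnings"] += ["final: " + w for w in url_warnings(chain[-1])]
    return report


if __name__ == "__main__":
    for sample in ("https://bit.ly/3abcXYZ",
                   "https://bank.example@203.0.113.5/login",
                   "intent://scan#Intent;scheme=zxing;end",
                   "WIFI:T:WPA;S:FreeCafe;P:hunter2;;"):
        r = inspect(sample)
        print(r["kind"], " -> ".join(r["chain"]), r["warnings"])
```

To use it against a live shortened link, call `inspect(payload, fetch=head_fetch)`; the HEAD requests reveal the redirect chain without downloading or executing the final page, which is the whole point of checking before tapping. The heuristics in `url_warnings` are deliberately simple and will not catch every scam, so a clean report is still no substitute for reading the final URL yourself.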

Comments

  1. matt says:

    Can you tell me or send me a link to an official QR app for the Samsung Galaxy S2, please, because I don’t know the name of an official QR company, plus I don’t want to download a QR app that isn’t official and contains viruses, trojans, etc.

  2. A great post and very important points. It is common for a new technology to become the subject of misuse. By adding elements such as their logo, companies can add to the authenticity and genuineness of a QR code.

  3. Ian Button says:

    No authenticity is added by adding a logo in a fake QR code – the unsuspecting public is just further deceived. Anything printable is easily faked, and if not human-readable can’t easily be checked!

  4. ian says:

    I agree – good post. But the last comment – not sure. Sounds like any disk with the queen’s head printed on it is a valid coin?

  5. matt says:

    Ok thanks for your help everyone :)

  6. Fred says:

    The guys who coined the term (and performed the original research) are at CMU

    http://www.cylab.cmu.edu/research/techreports/2012/tr_cylab12022.html