Warnings have been made about Quick Response codes as they begin to be impacted by cyber criminals.
A QR code is a two-dimensional matrix barcode and, when scanned by a camera phone, will link the user directly to the mobile web, usually a social media site, online video or promotional page.
Websense said its ThreatSeeker Network has begun to spot spam emails leading to URLs that use embedded QR codes. In the cases spotted, a spam email arrives with a URL; if clicked on, a QR code appears and, if a user scans it, it leads them to pharmaceutical spam.
Elad Sharf, security researcher at Websense Security Labs, said: “We've been looking at QR codes as a potential malware/spam route for a while now. Inherent in the design is a level of trust and novelty that can be abused.
“In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology.”
Paul Vlissidis, technical director at NGS Secure, an NCC Group company, said the concern with QR codes is that control is taken out of users' hands and there is no indication on the code of the URL you are being transferred to, so there is no way of checking in advance whether it is genuine.
“Even more worrying, while a computer will warn you if you have clicked on a link to an unverified site, a smartphone will take you there directly. QR codes on billboards are surprisingly easy to manipulate, all it takes is for a fraudster to place a sticker over the existing code, and unsuspecting users can be directed anywhere. Malicious sites can start downloading malware to a device without buttons being pressed or files opened,” he said.
One notable attack via QR code took place in Russia in 2011, where a Trojan disguised as a mobile app called ‘Jimm' was installed and started to send a series of expensive text messages that cost users £4 each. Paul Henry, security and forensic analyst at Lumension, said QR codes take URL obfuscation to the next level, particularly at a difficult time when malicious URLs continue to be a problem.
The problems with shortened URLs has been well documented, but could this be a new tactic that industry is falling behind? James Lyne, director of technology strategy at Sophos, said "convenience consumer technologies" are opening up new vectors of fraud; QR codes manipulated simply with a sticker over a corner of a legitimate code will direct the user to a spam site or worse.A study by Chadwick Martin Bailey and iModerate Research Technologies found that around half of 1,200 consumers interacted with a QR code when they saw one, with 21 per cent then going on to share personal information. Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.
Claus Villumsen, CTO at BullGuard, said: “While these are primarily used as a marketing tool for advertisers so customers can get more information on products or services, cyber criminals know that services that pique interest or offer ‘special deals' are often prime targets for spreading malware, stealing identities and phishing for personal information.
“In other words, QR codes make things run faster and easier, but they can also pose a threat to your mobile security.”
BullGuard recommended using a mobile QR code-scanning app that previews URLs and to avoid scanning suspicious codes and links that do not match the adverts they are incorporated into.
This is going to be a tricky one for security vendors to mitigate – it is being driven by marketing departments keen to embrace a clever new techhnology, and public adoption is hard to control. Perhaps this just needs better application development as BullGuard suggests, before it gets out of hand.