QR Codes – Friend or Foe?

Websense has revealed that its ThreatSeeker Network has started spotting spam emails leading to URLs that use embedded QR codes. Websense believes this new spam sting was just a matter of time, and is a sign of a move among spammers towards targeting mobile technology. The company recently suggested that mobile threats were going to be big this year, and that QR codes could be the next step in mobile malware propagation.

“We’ve been looking at QR codes as a potential malware/spam route for a while now,” says Websense security researcher, Elad Sharf. “Inherent in the design is a level of trust and novelty that can be abused. In many ways, it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology. Last year we predicted a 2012 shift towards mobile device attacks. One week in to the new year and that prediction is evident.”

Websense is not along in airing its concerns about QR codes. PC and mobile security firm BullGuard is also urging caution over the use of QR codes, claiming that they could become a target for hackers and malicious users looking to steal personal data in 2012. Bullguard notes that QR codes are becoming ubiquitous, citing a study of 1,200 consumers carried out by Chadwick Martin Bailey that found that half of those surveyed interacted with a QR code when they saw one, with 21 per cent then going on to share personal information. But presuming they are harmless could be playing into the hands of cyber criminals, the company says.

“Primarily, QR codes are yet another way to expand the range of functionality available on smartphones, and provided a device has a QR code reader installed, many of which are available for free, it takes just seconds to scan a code using the phone’s camera and have it direct you to a product or service” says BullGuard CTO, Claus Villumsen. “While these are primarily used as a marketing tool for advertisers so that customers can get more information on products or services, cybercriminals know that services that pique interest or offer special deals are often prime targets for spreading malware, stealing identities and phishing for personal information. In other words, QR codes make things run faster and easier, but they can also pose a threat to your mobile security.”

BullGuard is advising consumers to think twice before they scan, and to avoid scanning QR codes on stickers posted randomly on walls and billboards, pointing out that QR codes can be generated by anybody and placed in public places with the intention of peaking an individual’s curiosity. These could redirect the user to malicious websites that ask you to download applications that may be infected with malware. These, in turn, could make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals. They could also attempt to steal your Google or Facebook password; track your location; install keylogging software; or send a text to a premium number, racking up your phone bill. Last year, a QR code-based attack installed a Trojan disguised as a mobile app called Jimm on a Russian users phone. Once installed, Jimm started to send a series of expensive text messages costing $6 each.

BullGuard also advises educating children on the nature of QR codes; using a QR code/barcode-scanning app that previews URLs; avoid scanning suspicious codes and links that don’t seem to match the ads they’re incorporated in; avoid shortened links; and consider installing a mobile security app. Funnily enough, BullGuard does one of these, BullGuard Mobile Security 10, though that doesn’t lessen the value of the advice the firm is offering.

Finally, BullGuard warns Android users to be especially vigilant, since Android is a more open platform, which means that its source code can be examined and exploited more easily by spammers, when they find a weakness in, for example, the Android browser. BullGuard advises users to make sure their Android browser is always up-to-date and only to scan QR codes from trusted sources.

Finally, the firm says, be particularly wary of QR codes that are linked to monetary and transaction services, as such direct links to money are typically prioritised by malicious third parties when choosing how and where to attack.


David Murphy writes:
Poor old QR codes – just as the world starts embracing them, people in the know start warning mobile users off them. The advice from BullGuard is well founded, as evidenced by the news from Websense that the attacks BullGuard warns against are starting to happen.

The thing to remember is that scanning the QR code is, of itself, unlikely to cause you any hassle. It’s the link the code takes you to where the problems could potentially begin. So an element of common sense is called for. If you think the QR code you are scanning should take you to a mobile site to enter a prize draw sponsored by Cadbury’s, and the place you end up looks nothing like it, get the hell out of there.

That said, the point BullGuard makes about educating kids is an excellent one. How many teenagers in the developed world don’t have a smartphone these days. The point the firm makes about installing a security suite on your phone is also well made, notwithstanding the fact that security suites is what they do for a living. After all, we all accept that the thing we call a phone is actually a computer. And how many of us would consider using a computer without some sort of anti-virus system in place? The issue of mobile spam is definitely food for thought.