Mobile Security

Where, oh Where, Does That QR Code Lead?

By on Sep 04, 2013

What is square, flat, and black and white all over? If you answered “a QR Code”, you’re correct. One of the latest trends in consumer advertising, QR codes (short for “Quick Response”) are popping up on everything from billboard advertisements to restaurant menus, business cards and cereal boxes. Some can even be viewed from Google Maps, painted on the roofs of office buildings. They’re everywhere. Until recently they were used mostly for advertising and promotional campaigns, but new research shows that these seemingly harmless square graphics, while fun to scan and follow, may bring about more harm than good.

A close cousin to the more traditional UPC “barcode,” the QR code first came into existence in Japan in 1994, as a means of quickly tracking automotive vehicles during the manufacturing process. Unlike conventional barcodes, QR codes are two-dimensional. This means that they can store data both horizontally and vertically, giving them the ability to store more than 100 times as much information as a conventional barcode.

Recently, QR codes have become more commonplace, found in advertisements, on retail items, and in a slew of other fun and functional uses that we might not even notice. And with the rise of smartphone ownership, users now have the ability to scan these codes, giving companies additional incentive to use them in more creative and visible manners. By placing QR codes on company promotional material, advertisers are able to direct the user to a website or video, enable them to enter an online contest, or even download an app – simply with the scan of a code.

Herein lies the problem. The problem with such simple access to information through QR codes is precisely what makes them so much fun – the element of surprise. Until your QR code reader redirects you to the intended destination, you are in the dark about what that destination will be. In this regard, it’s different from clicking on a link or manually typing a URL into your Internet browser. Simply put, there is a component of blind trust involved, and cybercriminals are beginning to take advantage of this aspect.

Anyone can create a QR code in roughly 30 seconds. All you need to do is visit any of a number of free websites that allow for the creation of these codes and enter the information you want the code to point to (a website, application, virtual business card, GPS map location, or image link). Smartphone users, it’s even easier for you, as any number of QR scanner mobile apps also have this create-your-own-code function. And then voilà, you have yourself a QR code that you can save as an image, possibly to print out for later, send in an email, add to your blog, or put to any number of other uses. All a scammer has to do is insert a link to their malware-laden site or app. Then, once the code is created, the scammer can print some flyers or stickers—even paste the new QR code over another company’s legitimate one—to lure in unsuspecting victims.

A common tactic for QR code scammers is to point the victim to a website that contains a JavaScript Trojan. When the website loads, the JavaScript automatically runs, infiltrating your system and embedding the Trojan, which can then work to leach your data and send it back to the hackers, oftentimes for illegal use. According to CSO Online, some malicious QR codes can even enable a hacker to control mobile phones to access your messages and GPS location-tracking data, turn on your camera, and listen in on phone conversations.

Given that you cannot readily tell which QR codes are safe and which are not, there are certain precautions you should take before scanning that little 2-D box:

  • Know the brand. If you are familiar with the company that is sharing the QR code, and the flier or piece of promotional material carrying the code looks legitimate, you can generally feel safe performing a scan. Be suspicious of QR codes that offer no context. Malicious codes often appear with little to no text.
  • Do not provide any personal information. If you scan a QR code and you’re taken to a website that asks for excessive personal information, leave the site. Be especially concerned if you’re ever asked for login information, birthdates, or other sensitive personal information, as it’s likely an attempt at phishing.
  • Use a QR code reader that offers a URL preview. In most of the top-rated QR scanner apps, there is an option that allows you to preview the URL before opening it. If you’re going to be using a QR reader on your mobile device while on the go, it is highly recommended that you turn this feature on. Apps that offer this URL preview include Scan, RedLaser, and QuickScan.
  • Create safe QR codes. Our own McAfee URL shortener, http://McAf.ee, helps you create safe QR codes by first creating safe shortened links. Just visit the http://McAf.ee site, copy and paste the link you want to shorten into the box. Press the “Go” button and your safe shortened link will be generated. You can then use your safe shortened link to create your QR code. McAfee shortened links are guaranteed to be safe because when you click on a link, if the destination has been flagged as risky, you are given the opportunity to back out, and are given our assessment of how safe it would be to continue. You will also be told the real web address and what kind of content the site contains.
  • Guard your device with proactive mobile protection. Criminal hackers are targeting mobile devices with the assumption that they don’t carry any security software. It’s time to start proving them wrong. Protect your device with McAfee® Mobile Security, comprehensive antivirus software which includes McAfee SiteAdvisor® safe search technology to warn you of dangerous websites embedded in QR codes.
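
The URL-preview precaution above, sketched as an added example (not code from this article or from any of the apps it names): given the text a scanner has already decoded from a QR code, it reports the real host and a few warning signs before anything is opened. The shortener list and the sample payloads are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative set of link-shortener hosts (not taken from the article).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def preview_qr_payload(payload: str) -> dict:
    """Summarise a decoded QR payload so the user sees where it really leads."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # tel:, sms:, app-store schemes or plain text: show it, never auto-open.
        return {"kind": scheme or "text", "host": None,
                "warnings": ["not a web link; confirm before handing to another app"]}
    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("unencrypted http")
    if parts.username or parts.password:
        # In "http://brand.example@198.51.100.7/" the real host follows the '@'.
        warnings.append("text before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # an ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; may imitate a familiar brand name")
    if host in SHORTENERS:
        warnings.append("shortened link hides the final destination")
    return {"kind": "url", "host": host, "warnings": warnings}

# Constructed sample payloads, as a scanner might decode them from printed codes.
SAMPLES = [
    "https://www.example.com/menu",
    "http://example.com@192.0.2.10/login",
    "https://xn--exmple-cua.test/",
    "https://bit.ly/abc123",
    "tel:+15555550100",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = preview_qr_payload(sample)
        print(sample, "->", result["host"] or result["kind"])
        for warning in result["warnings"]:
            print("   !", warning)
```
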

Not all QR codes are malicious, but it’s important to follow the above best practices and know that a simple scan does not come without risk. For more mobile security tips, follow us at @McAfeeConsumer and like us on Facebook.
