
QR code smartphone clickjacking on the rise

by Mark Tyson on 11 December 2012, 11:00


QR codes are popping up more and more everywhere you go: on product labels, magazine adverts, posters and flyers. Reports of cybercriminals exploiting these codes by substituting their own dodgy versions for the code graphic displayed first came to light about a year ago. Last week, at a technology forum in London, Symantec representatives warned again of the threat of QR code clickjacking.

Scan me, I'm not shady

QR codes are often used as a quick and handy way to share URLs with smartphone users. Looking at a QR code gives the consumer no clue as to what it may link to, and according to Symantec scammers have been exploiting this more and more. Last year's reports of QR code misdirection were mainly from users snapping codes from spam adverts and so on in the digital realm. The latest warning is of scammers placing their QR codes on top of legitimate ones on posters and signs in high traffic and footfall areas.

Snapping a QR code can take you to a website that is, for instance, a phishing copy of the legitimate website. Or the QR code link could take a user to a website with a malware payload. Remember that most Android users stuck on early versions of the fragmented OS don't have the bug and security fixes enjoyed by the higher end and more modern Android handsets. Gingerbread is the most popular target for Android malware.

Warren Sealey, director of enterprise learning and knowledge management at Symantec Hosted Services, said at the Ovum Banking Technology Forum 2012 in London last week that “we've seen criminals using bad QR codes in busy places putting them on stickers and putting them over genuine ones in airports and city centres”.

A recent report suggests that scanning of QR codes by European consumers is up 96 per cent over the last two years. The next time you see a QR code and are about to pull the trigger, please consider the likelihood of it having been swapped by scammers. At least look for signs of tampering, taping or an out-of-context design.
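
Because a printed code gives no clue to its destination, a scanner can inspect the decoded text before opening it. The sketch below is an added example, not code from the article or from Symantec; the function name, the expected-host list and the sample URLs are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit


def assess_qr_url(payload, expected_hosts):
    """Return reasons not to open a decoded QR payload (empty list = no findings)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["payload is not a parseable URL"]
    findings = []
    if parts.scheme != "https":
        scheme = parts.scheme or "missing"
        findings.append(f"scheme is {scheme!r}, not https")
    if not host:
        return findings + ["no host in payload"]
    if parts.username is not None:
        # https://brand.example@other.test/ really goes to other.test
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # a DNS name, which is what a poster would normally carry
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        findings.append("internationalised host name, possible lookalike")
    # Accept the expected host itself or a subdomain of it, nothing else.
    if not any(host == h or host.endswith("." + h) for h in expected_hosts):
        findings.append(f"host {host!r} is not one of the expected hosts")
    return findings


if __name__ == "__main__":
    # Constructed samples: the poster is assumed to belong to shop.example.
    expected = {"shop.example"}
    samples = [
        "https://www.shop.example/offers",
        "http://shop.example.login.test/offers",
        "https://shop.example@203.0.113.7/login",
        "https://xn--shp-5na.example/offers",
    ]
    for url in samples:
        print(url, "->", assess_qr_url(url, expected) or "no findings")
```

An empty result only means the URL matches the host the scanner expected; it says nothing about whether the sticker on the poster is the original.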



HEXUS Forums :: 14 Comments

I never use them, by the time you have got to the app, taken a picture and waited for it to process you might as well have googled it.
Not a lot of point using them on a website where you could just use a link (and presumably that's where they are vulnerable to this clickjacking anyway*). But they are good for posters and presentations.


*or I could read the article :p Hmm OK so this is physically sticking a new QR code sticker on top of a poster in a busy location. Fair enough, that's a legit threat. Luckily QR codes are quite easy to customise, which won't eradicate the problem, but will make it more hassle.
Surely you're vulnerable anywhere, Android especially is more vulnerable to clickjacking than iOS at present
Biscuit
I never use them, by the time you have got to the app, taken a picture and waited for it to process you might as well have googled it.
That's your phone. From entering my password it takes maybe 3 seconds at most to get a QR code opened.
I think you are exaggerating slightly, either way the difference between typing a word in Google and scanning a QR code is not enough for me to want to use them, especially given these quite obvious safety risks.