Quick Response (QR) codes are not a new technology. They are all the rage in mobile-evolved, data-rich markets like the United States, Europe, Korea and Japan; in India, however, they are a recent phenomenon, and there has been an upward spike in the use of QR codes by many leading brands in the past few months. The early adopters of this marketing technology in India range from food, hospitality and retailing to automobile, telecom and technology. The utility of QR codes is linked directly to smartphone adoption, and these handsets are finding takers fairly rapidly in India. QR codes are becoming popular with mobile users as a way to enter text and URLs into a mobile device without typing, and to get coupons, links to companies’ websites or other digital content. Unfortunately, they are also being discovered as an ideal way to distribute malware to unsuspecting victims. The user does not know what lurks behind the QR code until the malware is already installed and running. Putting a malicious QR code sticker onto existing marketing material, or replacing a website’s bona fide QR code with a malicious one, could be enough to trick many unsuspecting people.
A new type of spam campaign using QR codes has recently been spotted. This spam does not use QR codes directly. Its messages look like conventional pharma-based spam mails, but they link to www.2tag.nl, a legitimate website that provides a URL-shortening service and also generates QR codes for the URLs it has shortened. Interestingly, if the shortened web address is hyphenated, the end user stays on www.2tag.nl and is shown the QR code. So when the spam’s recipient opens the 2tag.nl link from the junk e-mail in a web browser, a QR code is displayed on screen alongside the full URL that the code resolves to. When a QR reader then reads the QR code, the spam website is loaded automatically.
Though this is the first time QR codes have been reported as being used in spam, and no such campaigns have yet been spotted in India or anywhere in Asia, ESET researcher Sieng Chye believes that such spam attacks may become popular.
“Such attacks will become common once this marketing technology gains popularity. China, for instance, uses QR codes on train tickets. The personal information such as ID/passport number stored in the QR code that’s printed on the ticket is readable by anyone who picks up the discarded ticket or if the ticket is not disposed of properly. The information obtained from the tickets may be decoded by others and used for illegal purposes,” says Sieng Chye. “It is certainly possible to make use of QR codes as a mechanism to spread malware. Potentially, if a malicious QR code is scanned, users can be redirected to a malicious website where malware can be downloaded. For example, cybercriminals could target and exploit a weakness of a mobile OS, like Android, where malicious apps can be installed on a user’s device through a QR code,” adds Sieng Chye.
The spam campaign using QR codes was probably a test by cyber criminals to analyse smartphone users’ response to this social engineering tactic. Their real aim may well be to spread malware using poisoned QR codes. ESET warns smartphone users to pay attention not only to what links they click and what attachments they open on their devices, but also to where they point their mobile cameras, as malware can now be spread through QR codes, too.