Anti-virus and Internet security software specialist AVG (AU/NZ) has warned of the potential dangers to business and consumer users of smartphones and tablets in using QR, or quick response, codes.
QR codes are the matrix-style, geometric barcodes seen in magazines and on billboards, street posters, merchandise and the like. They are readable by smartphones and provide convenient access to information, incentives and special deals.
Initially used for tracking parts in vehicle manufacturing by Toyota subsidiary Denso-Wave, QR codes are now used in a much broader context, including both commercial tracking applications and convenience-oriented applications aimed at mobile phone users.
While they may seem like an effective, and harmless, form of advertising and marketing, AVG are now warning that QR codes can be targeted and manipulated by cyber criminals to easily steer victims to malicious web sites in a new avenue to steal identities and commit fraud.
Malicious QR codes can be easily generated and placed as stickers over the legitimate QR codes for both small and large-scale attacks on personal and financial identity. Printed flyers offering irresistible deals, but accessible only via a QR code, could easily be left in public places.
By such simple means, cyber criminals skilled at using sophisticated attacks like spear phishing or other variants of social engineering can use their own malicious QR code to phish or pharm the unsuspecting smartphone user to a web page designed to look as though it belongs to a legitimate advertiser. The cyber criminals will have their own web form with instructions on how to sign up for a service or competition, or purchase some bargain. By completing the form, victims provide them with private details and/or money.
Using other less subtle tricks, the bad guys can direct browser users to malicious web pages and install malware on their mobile device.
Lloyd Borrett, Security Evangelist of AVG (AU/NZ), has a very clear message for users of smartphones, or any other mobile computer device with in-built cameras.
“You must think of your device as being the powerful mobile computer it is. Take similar security precautions when out and about with your smartphone or tablet as you do when using a personal computer at home or work. Have always-on, up-to-date security software installed on your device. And, always think through every action before you click on a bargain,” says Borrett.
Tips for QR code safety include:
- never implicitly trust any QR code - be suspicious and alert at all times
- make sure security software is installed on the mobile device - AVG have free and paid security software solutions available, like AVG Mobilation for Android
- if a QR code leads to a web page that asks for a user name, password, bank account details, and/or credit card details, then the person behind the web page should not be trusted
- if a QR code leads to a web page that requires the user to log in, then do not log in - instead, go directly to the web page by putting the correct URL into the browser address bar.
“Yet they need to be doing much more, including installing a good security solution like AVG Mobilation for Android. Then they will have protection in place that will check apps and web site content for malware should they be tricked into using a malicious QR code,” he adds.
“Please be warned that QR codes aren't the only mobile tagging code format in use,” Borrett added.
Borrett also stresses that there are a number of other proprietary and non-proprietary, optically readable codes around. For most of them the same security concerns and safety warnings apply and users are urged to play it safe when using any kind of optically readable codes.