That square QR barcode on the poster? Check it's not a sticker

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites. QR codes are two-dimensional matrix barcodes that can be scanned by smartphones and that link users directly to a website without their having to type in its address. By using QR codes ( …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward

    Devil's Advocate

    We need a new profession (ideal for all the Eeyores and Marvins of the world) - professional naysayer. Someone whose job it is to find fault with new ideas (like QR barcodes).

    Then again, they could just post their brilliant concepts here, and have it done for free.

    1. Lee Dowling Silver badge

      Re: Devil's Advocate

      There's nothing wrong with QR codes, as such. If anything, they are working perfectly.

      The problem is, was, and always has been browsers that do not act on the COMPLETELY UNTRUSTED DATA that they receive from the network in the proper fashion (i.e. trusting nothing, and checking everything).

      It's like saying that a sticker that says "Stick your head in a gas oven" is dangerous. It might be. But only if you blindly and trustingly follow its instructions without question no matter what the content.

      The fix here is not to stop using QR codes - it's to stop using browsers that are so full of "features" that visiting a URL becomes a dangerous gamble. At absolute worst, the browser should do one of those "This page is taking up too much CPU time, do you want to stop it?" messages. It should not crash, try to download, steal data or otherwise exploit your machine. And it's nothing to do with making a "perfect" secure app, which doesn't exist, it's about being sensible with the data you're given, i.e. not running scripts, plugins, triggering downloads, etc. by default.

      I use Opera and when we have a "dodgy" URL come up in my workplace (a school), I often have to trace it back to the original user. This usually means going to the server logs and copy/pasting suspected bad URLs from them to check their content. Although I run it in a VM in those instances (no use ASKING for trouble), Opera, by default, just doesn't let you do anything stupid and has the fewest vulnerabilities published for it (and has had since about Opera 3.5). I can literally just copy/paste a known exploit URL in there and 99.9% of them won't work (because they rely on Java, ActiveX, or some other junk) and the ones that "try" to work by triggering downloads, running executables, opening lots of pages, etc. or even crashing the browser I can easily cancel before they can do any damage.

      And even then, they can't jump out of the virtual machine even if I just used IE and double-clicked everything. If you can do that in a VM, you can also push that separation-while-enjoying-full-functionality down to the application (the VM is nothing but an application).

      There's nothing wrong with QR codes that isn't also wrong with bookmarks/favourites, URLs in your IM, URLs themselves(!), URL shortening services or just about any method to transfer a URL (e.g. that "bump-together" junk that's in smartphones now). The problem is in browsers that don't treat untrusted HTML data off a network as exactly that - untrusted.

      1. Robert Carnegie Silver badge

        Opera 12.11 does have a teeny embarrassing vulnerability at the moment

        And probably always has, at least for a long time, since it's a type of malformed GIF that can crash the browser or theoretically execute arbitrary code. It seems that some bastard researcher published it to the world as soon as he found it.

        It seems to be fixed in the snapshot preview release of Opera 12.12, so you want to install that ASAP or when released generally. And meanwhile maybe browse without images or program your firewall to treat the string "GIF89" as a virus. (I think I've seen Javascript load up images when I was using cached-image-only mode, but no-images-at-all may be more robust.)

      2. Syntax Error

        Re: Devil's Advocate

        The answer is to stop using QR codes.

        Firstly I can read a URL but I can't read a QR code.

        Secondly I know which web sites I have bookmarked - thanks.

        Thirdly I don't have the time or the inclination, like most users, or the luxury of using a VM, so I can't kill off my system if it gets infected by malware.

        QR codes are just another gimmick from the marketing world and will hopefully die off together with tiny URLs.

        1. MrT

          Finally...

          ... a reason to use Aurasma.

          And it also answers the security issue because most of the time their links don't and active content isn't.

        2. Harry

          Re: Firstly I can read a URL but I can't read a QR code.

          When I scan a QR code, the app that reads it pops up "Do you wish to visit www.whatever.co.uk" and gives me the choice to go there or not.

          So, I can effectively read a QR code just as well as I can read a URL.

    2. akicif

      Re: Devil's Advocate

      The profession already exists: tester

      It's very foolish to let New Stuff into the wild without at least some degree of checking on potentially dodgy applications....

    3. Phil O'Sophical Silver badge

      Re: professional naysayer.

      Woe, Woe and Thrice Woe. Citizens of the web, repent your ways...

    4. Trevor_Pott Gold badge

      We need a new profession: professional naysayer.

      Feck off, that's my job. I don't need the competition, mate.

    5. J. R. Hartley

      QR codes...

      ...Are shite.

  2. Ole Juul

    Rickrolling

    Been around for a while.

    1. Silverburn

      Re: Rickrolling

      Indeed. I thought of this the moment I first saw one.

      1. Simon Harris
    2. Richard Wharram

      Re: Rickrolling

      Rickrolling was one of my later thoughts to be honest.

      My first was LemonParty, then BlueWaffle. Then a classic Goatse or even 2G1C.

      Thinking of Rickrolling was a kind of relief after that.

      1. Anonymous Coward

        Goatse been done.

        By friends of mine earlier this year in my local area. For the lulz, of course.

    3. Anonymous Coward

      Re: Rickrolling

      We're no strangers to love

      You know the rules ... and so do I

      A full commitment's what I'm ... thinkin' of

      You wouldn't get this from any other guy

      I just wanna tell you how I'm feeling

      Gotta make you ... understand

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      We've known each other ... for so long

      Your heart's been aching, but ... you're too shy to say it

      Inside we both know what's been ... goin' on

      We know the game and we're ... gonna play it

      And if you ask me how I'm feeling

      Don't tell me you're to ... blind to see

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Oooooooooh ... give you up

      Oooooooooh ... give you up

      Never gonna give never gonna give

      Give you up

      Never gonna give never gonna give

      Give you up

      We've known each other ... for so long

      Your heart's been aching, but ... you're too shy to say it

      Inside we both know what's been ... goin' on

      We know the game and we're ... gonna play it

      I just wanna tell you how I'm feeling

      Gotta make you ... understand

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

  3. Disintegrationnotallowed

    Coincidentally...

    Symantec have launched one:

    https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v64690996_EndUserProfile_en_us&product=home&pvid=f-home&version=1&lg=en&ct=us

  4. JDX Gold badge

    Quite a neat idea, well done crims.

    1. David Hicks

      Meh, I wouldn't grant them a patent on the technique, some of us came up with that idea as soon as we heard about QR codes.

      And I've still *never* seen anyone use one.

      1. Wensleydale Cheese
        1. dssf

          Re: Does anyone use them?

          "Sian John, UK security strategist at Symantec, said: “There has been an explosion in the number of QR codes over the last couple of years,..."

          Explosion where? I first saw QR codes in Dec 2004, in Tokyo, and probably as early as May of that year in Japanese magazines at Kinokuniya book stores in the SF area. But, I only positively recall seeing them upon arriving in JP that year. Back then, and in 2005, using a phone camera in USA stores elicited scorn or threats of ejection. In Japan, consumers were EXPECTED to comparison shop, outright encouraged to do so. Empowering and informing the consumer. The less hip, less informed USA merchants feared it, and took years to widely adopt QR codes. Even shipping, airliner, and courier companies jumped on it sooner than retailers, if I recall correctly.

          1. dssf

            Re: Does anyone use them?

            Ah, another down-thumb, on something that the downthumber cannot justify down-thumbing.

            Shit, I think I will go have a drink.

            Thanks, a LOT!

      2. Psyx

        "And I've still *never* seen anyone use one."

        Based on the number of "You BASTARD!" comments and texts I've had in the wake of using a Rickrolling QR code as an avatar to trick the curious, I think you may be incorrect!

      3. Volker Hett

        I just used one with the google authenticator app. Barcode in the browser on the desktop computer and barcode reader on the phone for two phase authentication.

    2. Anonymous Coward

      @ JDX

      Not "well done", but certainly ingenious.

      1. Oninoshiko

        @Marketing Hack

        It's kinda like a steak, "well done" is most assuredly not well done.

    3. Anonymous Coward

      The pron industry and crims, the two biggest drivers of web technologies.

  5. Neil Barnes Silver badge

    Same old, same old...

    Can't see where you're going? Can see but don't know where it is? Then don't go there... it's not rocket science!

    I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.

    1. pabc

      Re: Same old, same old...

      we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

      There are some other uses - like embedded vCards on the back of your business cards to allow quick digitisation of the contact details.

      1. Parax

        Re: Same old, same old...

        Yup we have a staff wifi access point QR code too, it only seems to allow you to connect on Android though; the iPhone reads it but does not allow you to connect.

        We also have a QR code on our corporate headed paper; it contains a business card with our phone numbers, address, website and email. Just scan and save our business to your phone's address book, or just scan to call/email etc.

      2. Steve Knox

        Re: Same old, same old...

        we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

        So all a hacker needs is some stickers and a wifi bridge or two, and voila - man-in-the-middle!

        1. sabroni Silver badge

          Re: So all a hacker needs is some stickers

          And access to the building! If the baddies are inside then dodgy QR codes may well be the least of your worries...
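The "scan to join" codes discussed in this sub-thread carry a WIFI: payload, and the attack Steve Knox describes works because a phone that joins straight from the code accepts whatever SSID, security type and key the sticker names. The Python below is an added example, not code from the page or from any of the companies mentioned in it: it parses the payload (escaping rules included) and compares it with the network details the sign is supposed to carry, so a reader can show a verdict instead of connecting. The payloads and the expected network details are constructed.

```python
"""Parse and vet the WIFI: payload behind "scan to join" QR codes.

Added example, not code from the page. The payloads and the expected
network details are constructed. A scanner that joins straight from the
code trusts whatever the sticker says, so this returns a verdict rather
than joining.
"""
import re

# Format used by Android, iOS and the ZXing project:
#   WIFI:T:<WPA|WEP|nopass>;S:<ssid>;P:<password>;H:<true|false>;;
# Inside a value, the characters ; , : " and \ are escaped with a backslash.
_FIELD = re.compile(r"([A-Z]):((?:\\.|[^;\\])*);")

# Constructed: the network the sign in the lobby is supposed to advertise.
# The real password contains a ';' to exercise the escaping rule.
EXPECTED = {"ssid": "Acme-Staff", "type": "WPA", "psk": "s3cret;pass"}
GOOD_PAYLOAD = "WIFI:T:WPA;S:Acme-Staff;P:s3cret\\;pass;;"
# Constructed: a sticker for an attacker's access point with the same SSID.
# The key only works on that AP, so a phone that trusts the code joins it.
STICKER_PAYLOAD = "WIFI:T:WPA;S:Acme-Staff;P:attackers-own-key;;"


def parse_wifi_payload(payload):
    """Return the payload's fields as a dict, with escapes removed."""
    if not payload.startswith("WIFI:") or not payload.endswith(";;"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):-1]  # keep one ';' so every field ends in one
    fields = {}
    pos = 0
    for m in _FIELD.finditer(body):
        if m.start() != pos:
            raise ValueError("malformed field at offset %d" % pos)
        fields[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
        pos = m.end()
    if pos != len(body) or "S" not in fields:
        raise ValueError("malformed WIFI: payload")
    return fields


def vet_wifi_payload(payload, expected):
    """List reasons not to join; an empty list means the code matches."""
    f = parse_wifi_payload(payload)
    sec = f.get("T", "nopass")  # ZXing treats a missing T as an open network
    problems = []
    if f["S"] != expected["ssid"]:
        problems.append("SSID %r is not the expected %r" % (f["S"], expected["ssid"]))
    if sec.lower() in ("nopass", "wep"):
        problems.append("open or WEP network: traffic can be read or altered by anyone nearby")
    elif sec != expected["type"]:
        problems.append("security type %r is not %r" % (sec, expected["type"]))
    if f.get("P") != expected["psk"]:
        problems.append("pre-shared key differs from the issued one: a different AP would accept it")
    return problems


if __name__ == "__main__":
    for name, p in (("sign", GOOD_PAYLOAD), ("sticker", STICKER_PAYLOAD)):
        print(name, parse_wifi_payload(p), vet_wifi_payload(p, EXPECTED) or "OK")
```

A matching payload still does not prove the access point is yours: with WPA-PSK the key is the only thing authenticating either side, and anyone who has scanned the sign already holds it, so an evil twin broadcasting the genuine SSID with the genuine key passes this check. Only an enterprise setup in which the client validates the RADIUS server's certificate closes that gap.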


    2. Paul Shirley

      Re: Same old, same old...

      It's also a very convenient way to point smartphone users at app (or other) downloads from a PC browser.

      The QR reader I use shows the decoded data and waits for the user to choose what to do with it. In theory safer than a traditional hyperlink because you always see the unobfuscated content before accepting it, something you actively need to check with a hyperlink.

      You still need some way of assessing the trustworthiness of the exposed link but that's true for any link. Seeing a sticker slapped on a poster is a pretty big clue not to trust it though.

    3. Mike Flugennock

      Re: Same old, same old...

      I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.

      Y'know, I'd never really thought of that. There may be other uses for them, for sure, but most of the time, in all my comings and goings, the vast majority of QR codes I see have been in the context of advertising.

  6. Matt_payne666

    To be honest, I'm surprised it's taken this long to become an issue... the number of these things I've seen spring up, with no accompanying text, is quite alarming and I live out in the sticks!

    Even I've been tempted to make my own QR labels - nothing evil, just pointing to an educational site saying - 'you were lucky this time' and see how much traffic I can generate!

    1. Andrew Moore

      I did it a couple of years ago when QR codes first appeared. My QR code just redirected to a website that had the message "stop buying useless crap"

      1. JDX Gold badge

        What a witty and interesting person you must be.

        1. pepper

          I thought that hello.jpg would be a better target. Alas, I should have acted on that impulse.

          Would still be fun to slap in the bathroom of random pubs though, especially near the sink.

          1. Mayhem

            The library one

            I liked the university library one linked here last time we discussed these.

            When scanned, it said "Please turn off your mobile phone"

            I know of two other libraries which now have the same design in strategic locations.

            1. Oninoshiko

              Re: The library one

              Why would I turn off my phone in the library?

              I would think putting it on "silent" (which is what I do) would be fine.

  7. Anonymous Coward

    Symantec and The Reg on the ball as usual

    "Posted by Katleen Richardson on Thu, Feb 02, 2012 @ 01:18 PM"

    http://www.marketing-advantedge.com/blog/bid/122193/Beware-of-fake-QR-codes

    1. Robert Carnegie Silver badge

      Re: Symantec and The Reg on the ball as usual

      Recently I tried to find the original date of a TV show that quoted a report of incautious young people using nutmeg as an hallucinogen. (It actually is, apparently, but it's less fun than some other ones - but you can buy it in supermarkets.)

      But I couldn't tell when - because it's a story that keeps coming up again and again.

      1. sabroni Silver badge

        Re: using nutmeg as an hallucinogen.

        I wouldn't recommend that, I believe hallucinogenic doses of nutmeg can also be harmful, even occasionally fatal. Tripping while suffering from palpitations, convulsions and nausea is probably not much fun. There are much less risky hallucinogens around if you must partake.

        1. Destroy All Monsters Silver badge

          Re: using nutmeg as an hallucinogen.

          There was an article in NewScientist back in the 90s about bad tripping on nutmeg.

          and.. and..... NUTMEG! NUTMEG, HERR MÜLLER!! HAVE YOU UNDERSTOOD, HERR MÜLLER?

  8. jb99

    Is it a problem though?

    I see lots of QR codes on advertising but I don't think I've once seen anyone scan one, and I don't suppose I ever would.

  9. TeeCee Gold badge

    Fruit altitude.

    Well, if you have your device configured to fire the action associated with a QR code immediately, rather than presenting you with what it's about to do or where it's about to go and asking for your confirmation, congratulations! You are low-hanging fruit.

    The only surprise here is that it's taken the scrotes this long to spot the obvious boot-filling opportunity for presenting obfuscated URLs to mugs.

    I'm still waiting for the howls of anguish when some mob compromises one of the URL-shortening services though......

  10. Anonymous Coward

    Url warning

    I've never used QR codes myself (no need), and maybe this is implemented already, but do none of the QR readers out there display a message about the URL the user is going to visit?

    1. Avatar of They

      Re: Url warning

      Mine (free off Android) pops up something like "The URL is http://blahblah, are you sure you want to?"

      I guess some people are idiots and don't deserve the right to have a smart phone.

      1. JDX Gold badge

        Re: Url warning

        I think mine (built into search on WindowsPhone) shows the URL floating about too.

        And pur-leeeze. Nobody has the 'right' to a smartphone you arrogant pin-head. Since 90%+ of IT is used by "idiots" I think you should be careful what you wish for, lest you find yourself out of a job.
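Several commenters (Harry, Paul Shirley, TeeCee, Avatar of They, JDX) say their readers show the decoded URL and wait for confirmation. That display is only as good as the reader's rendering of the URL, since a link can be written so that it reads as one site while resolving to another. The Python below is an added example, not code from the page or from any QR reader app: it classifies a decoded payload, builds the string a user should be shown, and lists the reasons to look twice before confirming. The sample payloads and the shortener list are constructed for illustration.

```python
"""Review the text decoded from a QR code before anything acts on it.

Added example, not code from the page or from any QR reader app. It
models the "show the decoded data and wait for the user" behaviour
several commenters describe, and adds checks for ways a URL can be made
to read as one thing while pointing somewhere else. Sample payloads and
the shortener list are constructed for illustration.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

WEB_SCHEMES = {"http", "https"}
# Schemes a reader may hand to another app; each is an action, not a page.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "market", "intent", "file"}
# Hosts that hide the destination behind a redirect (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}


def review_payload(text):
    """Classify a decoded payload and list the reasons to look twice.

    Returns {"kind": text|action|url, "display": ..., "warnings": [...]}.
    Nothing here opens anything: the caller shows `display` plus the
    warnings and waits for an explicit yes.
    """
    text = text.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    warnings = []
    if not scheme:
        return {"kind": "text", "display": text, "warnings": warnings}
    if scheme in ACTION_SCHEMES:
        warnings.append("'%s:' triggers an action in another app, not a web page" % scheme)
        return {"kind": "action", "display": text, "warnings": warnings}
    if scheme not in WEB_SCHEMES:
        warnings.append("unexpected scheme '%s'" % scheme)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://login.bank.example@evil.example/ reads like the bank, goes to evil.example
        warnings.append("text before '@' (%r) is not the host; the real host is %r"
                        % (parts.username, host))
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("host uses punycode; it may be a look-alike of a familiar name")
    if host in SHORTENERS:
        warnings.append("shortener link: the real destination is hidden behind a redirect")
    if scheme == "http":
        warnings.append("plain http: the page and anything you type into it can be altered in transit")
    try:
        port = parts.port
    except ValueError:
        port = None
        warnings.append("unparseable port")
    if port not in (None, 80, 443):
        warnings.append("non-standard port %d" % port)
    display = "%s://%s%s%s" % (scheme, host, ":%d" % port if port else "",
                               unquote(parts.path) or "/")
    return {"kind": "url", "host": host, "display": display, "warnings": warnings}


if __name__ == "__main__":
    # Constructed samples: a plain link, a look-alike with userinfo, a shortener,
    # a dialler action and the library's "turn off your phone" text.
    for sample in ("https://www.whatever.co.uk/",
                   "https://login.bank.example@evil.example/account",
                   "http://bit.ly/abc123",
                   "tel:+441632960123",
                   "Please turn off your mobile phone"):
        r = review_payload(sample)
        print(r["kind"], r["display"], r["warnings"] or "no warnings")
```

The userinfo case is the one a bare "Do you wish to visit ...?" prompt gets wrong most often: a reader that prints the raw string shows the bank's name first and the real host after the '@', so the display here is rebuilt from the parsed host rather than echoed from the payload.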
