Malicious QR Code Use On the Rise 234
New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
Some scan apps can show URL and ask first (Score:5, Informative)
The QR scanner app [apple.com] that I use has an option to show the URL before going to it which seems like a good approach, though it's not on by default. Seems like having the a such an option be the default would be a good first step, perhaps with a straight through exception for sites already visited.
My phone shows the destination (Score:1, Informative)
Google goggles and QR scanner on Android both show the destination.
Not a very new problem. (Score:3, Informative)
QR codes don't all have destinations (Score:5, Informative)
You can do a lot with QR codes that have no destination at all, they are not restricted to web links. [qrstuff.com]
They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.
But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect
the content visually before acting on it. They ask if you want to proceed.
Of course one could argue the click-thru generation does not know enough to evaluate the content, but then
these are the same people that no amount of malware/antivirus software can protect. They do the same with
links in email links.
Comment removed (Score:5, Informative)
Re:Not a very new problem. (Score:5, Informative)
http://bit.ly/rCBPp7 [bit.ly] You don't know where that link goes until you click it. So, what do you do?
https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/ [mozilla.org]
Shows full URL. Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)
Re:Does anyone have a QR code to a Rick Roll? (Score:2, Informative)
Google has an API to create one on the fly. Use this base URL and append any URL you want to the end and you've got a QR code.
https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl= [googleapis.com]
Just add a youtube link to the video and viola.
Re:Just like with TinyURL... (Score:5, Informative)
>With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.
That is why God made preview.tinyurl.com
--
BMO
Re:Just like with TinyURL... (Score:5, Informative)
Which is where LongURL [longurl.org] comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.
Re:Where's the OCR? (Score:3, Informative)
The obvious answer is that QR codes are useful to scan something with crappy resolution, like a phone display, using something with crappy resolution, like a phone camera, and to process it in real-time using something with crappy computing power, like a phone cpu. The fact that it works at all is really kind of amazing.