QR codes have loads of handy uses — but like almost everything else in technology, they can also be exploited by the nasty-minded for their own evil schemes. Anti-malware software developer AVG reminds us that scanning a QR code onto your phone when you’re not sure of the provenance can be a risky business.
Picture by Mathieu Plourde
QR codes are increasingly being used on outdoor media such as posters, but AVG points out that this could easily be used as a means to divert people to malware-laden sites or to steal personal details:
Malicious QR codes can be easily generated and placed as stickers over the legitimate QR codes for both small and large-scale attacks on personal and financial identity. Printed flyers offering irresistible deals, but accessible only via a QR code, could easily be left in public places. By such simple means, cyber criminals, skilled at using sophisticated attacks like spear phishing or other variants of social engineering, can then use their own malicious QR code to phish or pharm the unsuspecting smartphone user to a web page designed to look as though it is a legitimate advertiser. The cyber criminals will have their own web form with instructions on how to sign-up for a service or competition, or purchase some bargain. By completing the form victims provide them with private details and/or money.
As with most security threats, the key is to have a slightly cynical attitude and also have security measures in place. If you’re snapping a QR code in the street, it’s fairly easy to check if it’s the original.