QR Codes: Quick Response or a Quick Virus code?

Before scanning that QR code you just saw, give it a second thought: is it a clean code that will redirect you to an authentic site for the information you seek, or a malicious code meant to breach your mobile security?

It seems like everywhere you look these days, on business cards, ads, posters, websites, magazines, buses, and almost any object about which you might want to know more, you see a QR code. QR codes have proved to be the cheapest and easiest way to link the real world with the virtual.
A QR code, short for 'Quick Response' code, is a small two-dimensional barcode that looks somewhat like a scrambled checkerboard, invented by the Japanese corporation Denso Wave in 1994. Although these codes have been around for almost two decades, they were mainly used for industrial purposes until the last few years.

Why are QR codes so popular?
A Quick Response code is a type of matrix barcode that stores alphanumeric characters, in the form of URLs or text, encoded in both the vertical and horizontal directions. This gives it a greater data capacity than traditional one-dimensional barcodes: 7,089 numeric characters or 4,296 alphanumeric characters, and it can store up to 2KB of data.
All you have to do is take a picture of a QR code with your smartphone camera and a QR reader application; the link within will direct you to websites or online videos, or launch apps. The problem is that there is no way to tell what is behind a QR code until it has been scanned by a QR code reader app. The biggest risk is a random QR code that is not connected to anything, just a sticker on the wall. People cannot resist their own curiosity: they will scan it because they want to know what it is, and attackers depend on this curiosity when they craft their attacks.

Mobile Malware:-
According to McAfee Labs, mobile malware has doubled in the last year.
Scams involving QR codes are gaining popularity. There are many cases of malicious QR codes being neatly placed over legitimate ones, a practice known as QRishing, which is similar to phishing attacks.

iOS Device:-
On iOS devices, for example, hackers are using jailbreak exploits to send users to websites that will jailbreak the device. When a user scans a QR code, he is redirected to an unknown website. These are drive-by download attacks, in which the website hosts modified jailbreak exploits. Once the site is visited, the user's phone is jailbroken and additional malware is installed, such as GPS trackers and keyloggers.



Android Based System:-
As Android is an open platform, cyber attackers can examine its source code easily and exploit its weaknesses. This makes it more susceptible to QR code attacks, because Android allows applications to run in the background and offers more app freedom. On an Android-based system, the chances of getting infected are often much higher, since applications are allowed to perform actions such as sending SMS messages, taking pictures, making calls, etc.

For example, a popular attack via QR code took place in Russia, and involved a Trojan disguised as a mobile app called Jimm. This malicious application required the following user permission.
[Image: User permission for Jimm.]
Once installed, "Jimm" started to send a series of expensive SMS messages to premium numbers ($6 each).

Phishing Attack:-
Attackers are using QR codes to redirect users to fake websites for phishing. A malicious QR code will redirect users to a fake bank website that looks exactly like the original bank website. Since most smartphone screens are small, a normal user may not see the difference and will type in his or her information and hand it to the attackers. The frequency of these attacks is not yet high, but it is definitely worth keeping an eye out.

How to protect yourself from malicious QR codes?

  • Use a QR code reader app that has built-in security features. Just like getting an anti-virus program for your computers and laptops, there is proactive software to help you protect your mobile device from such malicious QR codes.
  • Norton Snap, a QR code reader available for both iPhone and Android, scans a QR code and checks the link; its content is shown to the user before the link is visited, so that the user can decide whether to continue loading the link or not.
  • Inspect the QR code and make sure it's not a sticker. While many QR codes are found on websites, the majority of the codes you will encounter will be in the real world. You might have seen codes on store displays, in coffee shops or on posters. Before you scan one, feel it and make sure it's not a sticker that has been placed over the real code.
  • Be suspicious. If the QR code's destination website asks for your personal information, don't give it unless you have some trustworthy way of verifying that the website is legitimate. If you still feel suspicious, use your common sense and don't fill it out.
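
The "show the content before visiting" check described in the list above can be sketched as follows. This is an added example, not code from the original post or from any reader app named in it; the function name preview_qr_payload, the expected_host parameter and the sample payloads are all assumptions made up for illustration. It goes slightly beyond the text by also flagging phone-dial payloads, bare IP hosts and punycode hosts.

```python
import ipaddress
from urllib.parse import urlsplit

def preview_qr_payload(payload, expected_host=None):
    """Describe what a decoded QR string would do. Nothing is opened or sent."""
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ("sms", "smsto"):
        # SMSTO:<number>:<body> - scanning could queue a paid text message
        number = text.split(":", 2)[1]
        return "send SMS", number, ["sends a text message; check for a premium-rate number"]
    if scheme == "tel":
        return "dial number", text.split(":", 1)[1], ["places a phone call"]
    if scheme not in ("http", "https"):
        return "show text", text, []
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "open website", text, ["malformed URL; do not open"]
    warnings = []
    if scheme == "http":
        warnings.append("no HTTPS: the page can be altered in transit")
    if parts.username is not None:
        warnings.append("text before '@' is not the site; the real host is " + host)
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address, not a name")
    except ValueError:
        pass  # ordinary host name
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; it may imitate another name on screen")
    if expected_host and host != expected_host and not host.endswith("." + expected_host):
        warnings.append("host is not " + expected_host)
    return "open website", host, warnings

# Constructed sample payloads (reserved example names and addresses)
SAMPLES = [
    "https://www.bank.example/offers",
    "http://bank.example@198.51.100.7/login",
    "https://xn--bnk-5ma.example/login",
    "SMSTO:0000:constructed message body",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        action, target, warnings = preview_qr_payload(sample, expected_host="bank.example")
        print(f"{action}: {target}")
        for w in warnings:
            print("   warning:", w)
```

The second sample shows why the preview must print the parsed host rather than the raw string: on a small screen the part before the '@' reads like the bank's name, while the browser would actually connect to the address after it.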

Conclusions
  • The success behind QR code usage is largely pinned on its sheer simplicity. Marketing specialists love this technology, and so do cyber criminals. Therefore, be very careful when pointing your smartphone's camera at a QR code.

  • Only use QR code reader software that allows the user to confirm the action to be taken, i.e. visit a website, or, if you do not know and trust the link, cancel the action.
