QR Code Phishing — With Stickers

We’ve seen QR code attacks before. They revolve around the obfuscatory nature of QR codes: you can’t tell by looking at one where it’ll send your device when you scan it. Therefore, the destination site might be host to a drive-by exploit. The link itself could, theoretically, even exploit the scanning software.

How does the attacker get you to scan a bad code? Well, by putting it in front of you. This doesn’t necessarily mean buying lots of ads and putting bad QR codes on them; that could be easily traced. They can just go around slapping malicious QR code stickers over the QR codes on legit ads. It’s not like anyone’s going to look closely…

All the more reason to cast your smartphone into a concrete pedestal, and position it in a wide-open space. Why? Because you installed a special app on it, and the screen now says “Tap here for burrito”: http://hackaday.com/2012/12/09/the-burrito-bomber/


“QR codes are two-dimensional matrix barcodes that can be scanned by smartphones that link users directly to a website without having to type in its address. By using QR codes (rather than links) as a jump-off point to dodgy sites, cybercrooks can disguise the ultimate destination of links.[…]

Warren Sealey, director enterprise learning and knowledge management, Symantec Hosted Services explained: “we’ve seen criminals using bad QR codes in busy places putting them on stickers and putting them over genuine ones in airports and city centres.”
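Since the printed code gives no hint of its destination, a scanner can at least show and vet the decoded link before opening it. The sketch below is an added example, not code from this post or from any scanner app; the function name, the shortener list and the idea of passing in the advertiser's expected domains are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: shortener hosts this scanner treats as hiding the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

def review_qr_payload(payload, expected_domains):
    """Return (host, warnings) for a decoded QR payload. Never opens the link."""
    text = payload.strip()
    warnings = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        warnings.append("control characters in payload")
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return None, warnings + ["malformed URL"]
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None, warnings + ["not a web link; do not auto-open"]
    if parts.scheme.lower() == "http":
        warnings.append("unencrypted http")
    if "@" in parts.netloc:
        warnings.append("userinfo before '@' is not the destination")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host; check for look-alike characters")
    if host in SHORTENERS:
        warnings.append("link shortener hides the final destination")
    # Match on a label boundary so example.com.evil.test does not pass as example.com.
    if not any(host == d or host.endswith("." + d) for d in expected_domains):
        warnings.append("host is not one of the advertiser's expected domains")
    return host, warnings

if __name__ == "__main__":
    # Constructed sample payloads, as if decoded from codes on an example.com advert.
    samples = [
        "https://www.example.com/promo",
        "http://example.com.promo-login.test/win",
        "https://example.com@203.0.113.7/x",
        "https://bit.ly/abc",
        "tel:+15550100",
    ]
    for s in samples:
        host, warns = review_qr_payload(s, {"example.com"})
        print(s, "->", host, warns or "ok")
```

A clean result only means the link looks like it belongs to the expected advertiser; it says nothing about whether the page behind it is safe.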

