That square QR barcode on the poster? Check it's not a sticker

Cybercrooks are putting up stickers featuring URLs embedded in Quick Response codes (QR codes) as a trick designed to drive traffic to dodgy sites. QR codes are two-dimensional matrix barcodes that can be scanned by smartphones and link users directly to a website without having to type in its address. By using QR codes ( …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Devil's Advocate

    We need a new profession (ideal for all the Eeyores and Marvins of the world) - professional naysayer. Someone whose job it is to find fault with new ideas (like QR barcodes).

    Then again, they could just post their brilliant concepts here, and have it done for free.

    1. Lee Dowling Silver badge

      Re: Devil's Advocate

      There's nothing wrong with QR codes, as such. If anything, they are working perfectly.

      The problem is, was, and always has been browsers that do not act on the COMPLETELY UNTRUSTED DATA that they receive from the network in the proper fashion (i.e. trusting nothing, and checking everything).

      It's like saying that a sticker that says "Stick your head in a gas oven" is dangerous. It might be. But only if you blindly and trustingly follow its instructions without question no matter what the content.

      The fix here is not to stop using QR codes - it's to stop using browsers that are so full of "features" that visiting a URL becomes a dangerous gamble. At absolute worst, the browser should do one of those "This page is taking up too much CPU time, do you want to stop it?" messages. It should not crash, try to download, steal data or otherwise exploit your machine. And it's nothing to do with making a "perfect" secure app, which doesn't exist, it's about being sensible with the data you're given, i.e. not running scripts, plugins, triggering downloads, etc. by default.

      I use Opera and when we have a "dodgy" URL come up in my workplace (a school), I often have to trace it back to the original user. This usually means going to the server logs and copy/pasting suspected bad URLs from them to check their content. Although I run it in a VM in those instances (no use ASKING for trouble), Opera, by default, just doesn't let you do anything stupid and has the least number of vulnerabilities published for it (and has had since about Opera 3.5). I can literally just copy/paste a known exploit URL in there and 99.9% of them won't work (because they rely on Java, ActiveX, or some other junk) and the ones that "try" to work by triggering downloads, running executables, opening lots of pages, etc. or even crashing the browser I can easily cancel before they can do any damage.

      And even then, they can't jump out of the virtual machine even if I just used IE and double-clicked everything. If you can do that in a VM, you can also push that separation-while-enjoying-full-functionality down to the application (the VM is nothing but an application).

      There's nothing wrong with QR codes that isn't also wrong with bookmarks/favourites, URLs in your IM, URLs themselves(!), URL shortening services or just about any method to transfer a URL (e.g. that "bump-together" junk that's in smartphones now). The problem is in browsers that don't treat untrusted HTML data off a network as exactly that - untrusted.

      1. Robert Carnegie Silver badge

        Opera 12.11 does have a teeny embarrassing vulnerability at the moment

        And probably always has, at least for a long time, since it's a type of malformed GIF that can crash the browser or theoretically execute arbitrary code. It seems that some bastard researcher published it to the world as soon as he found it.

        It seems to be fixed in the snapshot preview release of Opera 12.12, so you want to install that ASAP or when released generally. And meanwhile maybe browse without images or program your firewall to treat the string "GIF89" as a virus. (I think I've seen Javascript load up images when I was using cached-image-only mode, but no-images-at-all may be more robust.)

      2. Syntax Error

        Re: Devil's Advocate

        The answer is to stop using QR codes.

        Firstly I can read a URL but I can't read a QR code.

        Secondly I know which web sites I have bookmarked - thanks.

        Thirdly, I don't have the time or the inclination, like most users, or the luxury of using a VM, so I can't kill off my system if it gets infected by malware.

        QR codes are just another gimmick from the marketing world and will hopefully die off together with tiny URLs.

        1. MrT

          Finally...

          ... a reason to use Aurasma.

          And it also answers the security issue because most of the time their links don't and active content isn't.

        2. Harry

          Re: Firstly I can read a URL but I can't read a QR code.

          When I scan a QR code, the app that reads it pops up "Do you wish to visit www.whatever.co.uk" and gives me the choice to go there or not.

          So, I can effectively read a QR code just as well as I can read a URL.

    2. akicif

      Re: Devil's Advocate

      The profession already exists: tester

      It's very foolish to let New Stuff into the wild without at least some degree of checking on potentially dodgy applications....

    3. Phil O'Sophical Silver badge

      Re: professional naysayer.

      Woe, Woe and Thrice Woe. Citizens of the web, repent your ways...

    4. Trevor_Pott Gold badge

      We need a new profession: professional naysayer.

      Feck off, that's my job. I don't need the competition, mate.

    5. J. R. Hartley

      QR codes...

      ...Are shite.

  2. Ole Juul

    Rickrolling

    Been around for a while.

    1. Silverburn

      Re: Rickrolling

      Indeed. I thought of this the moment I first saw one.

      1. Simon Harris
    2. Richard Wharram

      Re: Rickrolling

      Rickrolling was one of my later thoughts to be honest.

      My first was LemonParty, then BlueWaffle. Then a classic Goatse or even 2G1C.

      Thinking of Rickrolling was a kind of relief after that.

      1. Anonymous Coward

        Goatse been done.

        By friends of mine earlier this year in my local area. For the lulz, of course.

    3. Anonymous Coward

      Re: Rickrolling

      We're no strangers to love

      You know the rules ... and so do I

      A full commitment's what I'm ... thinkin' of

      You wouldn't get this from any other guy

      I just wanna tell you how I'm feeling

      Gotta make you ... understand

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      We've known each other ... for so long

      Your heart's been aching, but ... you're too shy to say it

      Inside we both know what's been ... goin' on

      We know the game and we're ... gonna play it

      And if you ask me how I'm feeling

      Don't tell me you're too ... blind to see

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Oooooooooh ... give you up

      Oooooooooh ... give you up

      Never gonna give never gonna give

      Give you up

      Never gonna give never gonna give

      Give you up

      We've known each other ... for so long

      Your heart's been aching, but ... you're too shy to say it

      Inside we both know what's been ... goin' on

      We know the game and we're ... gonna play it

      I just wanna tell you how I'm feeling

      Gotta make you ... understand

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

      Never gonna give you up

      Never gonna let you down

      Never gonna run around and desert you

      Never gonna make you cry

      Never gonna say goodbye

      Never gonna tell a lie and hurt you

  3. Disintegrationnotallowed

    Coincidentally...

    Symantec have launched one:

    https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=v64690996_EndUserProfile_en_us&product=home&pvid=f-home&version=1&lg=en&ct=us

  4. JDX Gold badge

    Quite a neat idea, well done crims.

    1. David Hicks

      Meh, I wouldn't grant them a patent on the technique, some of us came up with that idea as soon as we heard about QR codes.

      And I've still *never* seen anyone use one.

      1. Wensleydale Cheese
        1. dssf

          Re: Does anyone use them?

          "Sian John, UK security strategist at Symantec, said: “There has been an explosion in the number of QR codes over the last couple of years,..."

          Explosion where? I first saw QR codes in Dec 2004, in Tokyo, and probably as early as May of that year in Japanese magazines at Kinokuniya book stores in the SF area. But I only positively recall seeing them upon arriving in JP that year. Back then, and in 2005, using a phone camera in USA stores elicited scorn or threats of ejection. In Japan, consumers were EXPECTED to comparison shop, outright encouraged to do so. Empowering and informing the consumer. The less hip, less informed of USA merchants feared it, and took years to widely adopt QR codes. Even shipping, airliner, and courier companies jumped on it sooner than retailers, if I recall correctly.

          1. dssf

            Re: Does anyone use them?

            Ah, another down-thumb, on something that the downthumber cannot justify down-thumbing.

            Shit, I think I will go have a drink.

            Thanks, a LOT!

      2. Psyx

        "And I've still *never* seen anyone use one."

        Based on the number of "You BASTARD!" comments and texts I've had in the wake of using a Rickrolling QR code as an avatar to trick the curious, I think you may be incorrect!

      3. Volker Hett

        I just used one with the Google Authenticator app. Barcode in the browser on the desktop computer and barcode reader on the phone for two-phase authentication.

    2. Anonymous Coward

      @ JDX

      Not "well done", but certainly ingenious.

      1. Oninoshiko

        @Marketing Hack

        It's kinda like a steak, "well done" is most assuredly not well done.

    3. Anonymous Coward

      The pron industry and crims, the two biggest drivers of web technologies.

  5. Neil Barnes Silver badge

    Same old, same old...

    Can't see where you're going? Can see but don't know where it is? Then don't go there... it's not rocket science!

    I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.

    1. pabc

      Re: Same old, same old...

      we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

      There are some other uses, like embedded vCards on the back of your business cards to allow quick digitisation of the contact details.

      1. Parax

        Re: Same old, same old...

        Yup, we have a staff wifi access point QR code too; it only seems to allow connecting on Android, though. An iPhone reads it but does not let you connect.

        We also have a QR code on our corporate headed paper; it contains a business card with our phone numbers, address, website and email. Just scan and save our business to your phone's address book, or just scan to call/email etc.

      2. Steve Knox

        Re: Same old, same old...

        we use a QR code to allow quick access to our company wifi - scan the code on your device and voila - connected.

        So all a hacker needs is some stickers and a wifi bridge or two, and voila - man-in-the-middle!

        1. sabroni Silver badge

          Re: So all a hacker needs is some stickers

          And access to the building! If the baddies are inside then dodgy QR codes may well be the least of your worries...

          1. This post has been deleted by its author

    2. Paul Shirley

      Re: Same old, same old...

      It's also a very convenient way to point smartphone users at app (or other) downloads from a PC browser.

      The QR reader I use shows the decoded data and waits for the user to choose what to do with it. In theory safer than a traditional hyperlink because you always see the unobfuscated content before accepting it, something you actively need to check with a hyperlink.

      You still need some way of assessing the trustworthiness of the exposed link but that's true for any link. Seeing a sticker slapped on a poster is a pretty big clue not to trust it though.

    3. Mike Flugennock

      Re: Same old, same old...

      I don't know of an example where the presence of a QR code is anything more than advertising, so it's worth avoiding on general principles anyway.

      Y'know, I'd never really thought of that. There may be other uses for them, for sure, but most of the time, in all my comings and goings, the vast majority of QR codes I see have been in the context of advertising.

  6. Matt_payne666

    To be honest, I'm surprised it's taken this long to become an issue... the number of these things I've seen spring up, with no accompanying text, is quite alarming, and I live out in the sticks!

    Even I've been tempted to make my own QR labels - nothing evil, just pointing to an educational site saying 'you were lucky this time' - and see how much traffic I can generate!

    1. Andrew Moore

      I did it a couple of years ago when QR codes first appeared. My QR code just redirected to a website that had the message "stop buying useless crap"

      1. JDX Gold badge

        What a witty and interesting person you must be.

        1. pepper

          I thought that hello.jpg would be a better target. Alas, I should have acted on that impulse.

          Would still be fun to slap in the bathroom of random pubs though, especially near the sink.

          1. Mayhem

            The library one

            I liked the university library one linked here last time we discussed these.

            When scanned, it said "Please turn off your mobile phone"

            I know of two other libraries which now have the same design in strategic locations.

            1. Oninoshiko

              Re: The library one

              Why would I turn off my phone in the library?

              I would think putting it on "silent" (which is what I do) would be fine.

  7. Anonymous Coward

    Symantec and The Reg on the ball as usual

    "Posted by Katleen Richardson on Thu, Feb 02, 2012 @ 01:18 PM"

    http://www.marketing-advantedge.com/blog/bid/122193/Beware-of-fake-QR-codes

    1. Robert Carnegie Silver badge

      Re: Symantec and The Reg on the ball as usual

      Recently I tried to find the original date of a TV show that quoted a report of incautious young people using nutmeg as an hallucinogen. (It actually is, apparently, but it's less fun than some other ones - but you can buy it in supermarkets.)

      But I couldn't tell when - because it's a story that keeps coming up again and again.

      1. sabroni Silver badge

        Re: using nutmeg as an hallucinogen.

        I wouldn't recommend that, I believe hallucinogenic doses of nutmeg can also be harmful, even occasionally fatal. Tripping while suffering from palpitations, convulsions and nausea is probably not much fun. There are much less risky hallucinogens around if you must partake.

        1. Destroy All Monsters Silver badge

          Re: using nutmeg as an hallucinogen.

          There was an article in NewScientist back in the 90's about bad tripping on nutmeg.

          and.. and..... NUTMEG! NUTMEG, HERR MÜLLER!! HAVE YOU UNDERSTOOD, HERR MÜLLER?

  8. jb99

    Is it a problem though?

    I see lots of QR codes on advertising but I don't think I've once seen anyone scan one, and I don't suppose I ever would.

  9. TeeCee Gold badge

    Fruit altitude.

    Well, if you have your device configured to fire the action associated with a QR code immediately, rather than presenting you with what it's about to do or where it's about to go and asking for your confirmation, congratulations! You are low-hanging fruit.

    The only surprise here is that it's taken the scrotes this long to spot the obvious boot-filling opportunity for presenting obfuscated URLs to mugs.

    I'm still waiting for the howls of anguish when some mob compromises one of the URL-shortening services though......

  10. Anonymous Coward

    Url warning

    I've never used QR codes myself (no need), and maybe this is implemented already, but do none of the QR readers out there display a message about the URL the user is going to visit?

    1. Avatar of They

      Re: Url warning

      Mine (free off Android) pops up something like "The URL is http:\\blahblah are you sure you want to?"

      I guess some people are idiots and don't deserve the right to have a smart phone.

      1. JDX Gold badge

        Re: Url warning

        I think mine (built into search on WindowsPhone) shows the URL floating about too.

        And pur-leeeze. Nobody has the 'right' to a smartphone you arrogant pin-head. Since 90%+ of IT is used by "idiots" I think you should be careful what you wish for, lest you find yourself out of a job.

      2. Anonymous Coward

        Re: Url warning

        "don't deserve the right to have a smart phone."

        Suggest you look up the definition of a "right". Ownership of mobile phones isn't generally in there...

  11. Steady Eddy

    Er duh...

    This occurred to me years ago.

    What kind of idiot uses these things anyway?

    1. Anonymous Coward

      What kind of idiot uses these things anyway?

      Marketing types. Last week I had to visit a printer for some business cards and posters and they tried to sell me their design services, and a key selling point was QR codes on both. I admit the idea looks nice -- people could just click the QR instead of visiting the URL, but I declined.

      1. Anonymous Coward

        Re: What kind of idiot uses these things anyway?

        - Go online to one of the free QR code generators.

        - Type in your URL, get a GIF/PNG back.

        - Put it into your business card design as a custom image.

        Don't quite see why that would need custom design services, even if you *did* want to use one on your cards. I wanted to put one in a game I was writing (so people might be tempted to scan it and visit the website for the game, and I was thinking some kind of competition / achievement-related thing might be viable too), and it was actually easier to bundle a QR-generating library that did it on-the-fly than a static image.

        (P.S. Business cards? Really? People still use them? My boss bought me 1000 and does every year or so or when a detail changes. I think I have literally given out one, because he was in the same room at the time with a vendor and a business-card swap took place. Strange, because my boss had arranged the meeting with the vendor - and knew the guy by name - and you could call the same place I worked at and get through to me by, well, asking for me by name or even job title. What purpose does a business card serve nowadays precisely, except to clutter the pockets of those people who you're SO important to, that they can't be bothered to remember your company, name or job title?)

        1. JDX Gold badge

          Re: What kind of idiot uses these things anyway?

          Every real businessman I ever met had business cards. Do you think every meeting they have, they whip out their phone and enter you as a new contact or something?

          As with many things, the digital equivalent isn't always the best. In the real world, a boss might collect business cards and then get his PA to enter them electronically since he doesn't have time.

          1. Richard 12 Silver badge

            Re: What kind of idiot uses these things anyway?

            I stick mine to the products I've commissioned when on a call, and hand them to customers when I've given them training.

            Gives the customer a phone number (and website address) reminder when they get stuck. Seems pretty useful given the general complete and total failure of people to look on our website for phone numbers. Or look at our website at all, in many cases.

            - Of course, my mobile number is not on the card, just the main office number.

  12. Fred Flintstone Gold badge

    But is it really a problem?

    Come on, quick show of hands, who has used this feature more than once a year?

    I genuinely want to know - I myself have used it maybe twice for the novelty value, and if I'm interested in a product I am more likely to use a laptop (this could change when I finally convince myself to buy a tablet of sorts). However, I really have no idea if someone else uses it. I know marketing types get all enthusiastic when you talk about it, but frankly, I have yet to use a QR code in anger.

    Opinions?

    1. Anonymous Coward

      @Fred

      I did.

      Guess I should also mention that I also got my smartphone this year ;-)

      Even so; never on an ad. One time on a product in the supermarket, and a few times on a Windows Phone website to quickly navigate to an application's download page (initiate the download in your browser (while logged on), and find the results on your phone, pretty neat IMO).

      However, I got my phone around March, this only lasted until... No longer than August. I didn't scan any QR code since then.

    2. Phil O'Sophical Silver badge

      Re: But is it really a problem?

      I used my phone QR code reader, but only to check that the QR code on our tradeshow booth pointed where it should (it did). I didn't actually follow the link, just looked at it and declined the "browse to address?" request from my phone. Do other phones just jump straight there? That's daft...

      1. Lee Dowling Silver badge

        Re: But is it really a problem?

        I have used QR codes to transfer contacts between phones. The free QR code reader app for Android that, yes, I played with for two seconds before getting bored, also allows you to "send to" a QR code which it will display on the screen.

        It's a nice way to send contacts and other data (I once sent 32 laptops' TrueCrypt passwords that I had stored as memos on the phone via QR code to my laptop running a similar app that I could then put somewhere useful) without opening up your device to networks, turning on Bluetooth (I generally have it off, hidden AND not accepting requests by default anyway), etc.

        Apart from that? Never.

    3. HappyBlue

      Re: But is it really a problem?

      As with most things on El Reg, the people that read and comment are IT savvy and very aware of malware and scams and so won't use QR codes or the like without checking first. We are not the target for these attacks as we are likely to be a bit more careful.

      Apart from just playing around in the last 10 minutes to test the Norton app mentioned above, I haven't used QR codes and I don't see that I would, but your average teenager (terrible stereotyping, I know) will see an advert showing the latest fashion items with a QR code to get more details and will be pointing their phone at it in seconds. Seeing a sticker QR code will just mean it's updated, right? It can't be anything bad, right?

      The real problem is that people of that ilk will just click "OK" to any warnings or "are you sure" messages because they are just annoying and don't serve any purpose, right?

      This is another case where education is what can stop the problem. Educate people that they need to check the link and that it's going to the right site, not a random site with no connection to the actual advert, and there is no issue. As with all things, the problem is carbon-based, not technology-based!

  13. Destroy All Monsters Silver badge

    Snowcrashing!

    As long as your brain doesn't explode when you look at the sticker's white noise, I can live with this.

  14. This post has been deleted by its author

  15. HAL4000

    Who'd have thunked it?

    letters

  16. ContentsMayVary

    Bus stops in Edinburgh have QR codes (there's an Android and iPad app to give you the arrival times for the next few buses at a bus stop). The QR code takes you to the bus times app.

    Anyway, I think it's a good example of a QR code which is NOT used for advertising.

    1. Magnus Ramage

      Similarly, some stations on the West Coast mainline (with Virgin Trains for the time being) have posters up with QR codes for mini-timetables relating to that particular station. I've seen it at Coventry, but I'm sure it happens elsewhere. Again, corporate but not advertising.

      1. This Side Up

        Ditto First Great Western, but for download versions of their pocket timetables. I've put some of their QR codes on a web site for the benefit of local passengers. The only problem is I don't know if they point to the old timetables or the new ones as I haven't got a smartphone. The poster on their web site hasn't been updated. I need an OSX/RISC OS/Linux program to decode them.

    2. Anonymous Coward

      Or they could just put up a bus timetable.

      1. JDX Gold badge

        >>Or they could just put up a bus timetable.

        Which is really confusing when it tries to cram all that data onto one sheet of A4 which then gets defaced by youths or goes out of date.

    3. jonathanb Silver badge

      When I was last in Edinburgh, I installed the bus app before going out, then when I was at the bus stop, I found it quicker to type in the numerical code than try and focus on the QR code and get the phone to recognise it.

    4. Simon Harris

      (there's an Android and iPad app to give you the arrival times for the next few buses at a bus stop)

      But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

      1. TRT Silver badge

        Yeah, I've tried to use some QR codes for parcel tracking... they printed it too small for my iDevice to get it in focus. FAIL. Mind you, if they had printed it large enough for my device, it would have been about the size of the box itself.

      2. Fred Flintstone Gold badge

        But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

        Sshh - those are beta test randomisers for the lottery..

      3. Mike Flugennock

        Next Bus/Train?

        (there's an Android and iPad app to give you the arrival times for the next few buses at a bus stop)

        But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

        My wife owns an iPhone (I don't) and one of the few apps she has is something she got from the Metro Transit Authority here in DC, the "Next Bus" App, which claims to tell you when the next bus will be arriving based on which stop you tell it you're at (of course). She claims it's quite accurate, at least to within a couple of minutes. I suspect that the countdown displays on your bus stops over there use the same kind of GPS/timetable data that the DC MTA "Next Bus" App uses.

        In the DC Metro, we have similar electronic displays on the platforms giving time-to-arrival countdowns for the next three trains. I haven't bothered to time them down to the second, but they're accurate enough.

      4. ContentsMayVary

        >>But do these apps come up with times that are less fictional than the 'countdown' displays on London bus stops?

        The Edinburgh ones are amazingly accurate. Sometimes the buses get delayed in traffic, of course, but normally the times are accurate to within a couple of minutes.

  17. Winkypop Silver badge

    QR codes

    Quite Rarely?

    If it looks like an ad, it's probably an ad.

  18. El Presidente

    Anyone who uses a QR code (From Tuesday 13th March 2012)

    Thought of this donkeys years ago.

    When QR codes were first popularised I .. erm .. someone I met in the pub theorised that a few well placed QR code stickers on a bus stop or shop windows, ideally within view of the pub, would be a very easy method to subvert someone's curiosity and get them to visit a website like tub girl or goatse. We could then laugh at the expressions on their face as they saw the horror. For a laugh, like.

    Malware is the obvious extension to this idea.

  19. Mark Allread

    But no-one scans them, ever.

    http://picturesofpeoplescanningqrcodes.tumblr.com/

    A solution looking for a problem.

  20. Khaptain Silver badge

    BYOD Nightmare

    See title

  21. yoinkster

    "I scanned a QR code on an advertising poster and it was really useful"

    -- No-one ever.

  22. You Are Not Free

    As with most things

    To get convenience you sacrifice self-responsibility and security, you do so at your own risk.

  23. Bert 1

    Useful in museums:

    http://www.themobilists.com/2011/08/30/qr-codes-in-museums/

  24. jnewco81

    A cunning plan indeed, but WHO USES QR CODES?!

    1. sisk

      Actually I have on occasion. About the only times I've ever scanned a QR code is on movie posters when I wanted to see a trailer.

      Two reasons I don't worry about this 'exploit' though. First, I make sure the QR code I'm scanning isn't on a sticker stuck over the real one. Second, my app gives me a chance to confirm that I really want to go to X URL before it does, so if the URL looks suspicious I just hit cancel.

  25. Anonymous Coward

    FUD

    Sure it's possible, but I'm having real difficulty believing it is actually happening. Just more AV vendor fear mongering...

  26. Parax

    Really?

    How is this a problem? Which barcode scanners AUTOMATICALLY take you to the destination? The one I use DOESN'T. This is a deliberate choice on my part: it will show me the data and then ask me what I want to do. This really isn't much of a problem. If I don't like the URL I won't open it, same as anywhere else. Do you click URLs sent to you by text message? I don't. How about URLs in random tweets... nope. Same with QR codes: scan, look and decide.
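
An added example, not code from the thread or from any of the reader apps the commenters use, of the "show the decoded data, then ask" behaviour Parax describes here and Paul Shirley described further up (and the "Do you wish to visit ..." prompt Harry mentions). It also covers the Wi-Fi-join and contact-card payloads pabc and Parax put on their QR codes (flagging the open-network case behind Steve Knox's man-in-the-middle remark) and the otpauth:// enrolment payload Volker Hett scanned with Google Authenticator. The payload layouts follow the common WIFI:, MECARD: and otpauth:// conventions; the sample payloads, the shortener list and every host name are constructed for the demo and are not from the article.

```python
"""Preview a decoded QR payload and list what a user should look at before tapping OK.

Added example for this thread, not code from the article or from any reader app.
Handles plain URLs, WIFI: (join a network), MECARD: (save a contact) and
otpauth:// (2FA enrolment). Sample payloads and the shortener list are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample list; a real reader would ship a fuller one.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def split_fields(body):
    """Parse a 'K:V;K:V;;' body (WIFI:, MECARD:) into a dict.

    A backslash escapes the next character, so ';' ':' and '\\' may appear
    inside an SSID or password without ending the field.
    """
    fields, buf, key, in_key, i = {}, [], "", True, 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):        # escaped character
            buf.append(body[i + 1])
            i += 2
            continue
        if in_key and c == ":":                     # end of key
            key, buf, in_key = "".join(buf), [], False
        elif in_key and c == ";":                   # terminating ';;' or stray ';'
            pass
        elif not in_key and c == ";":               # end of value
            fields[key], buf, in_key = "".join(buf), [], True
        else:
            buf.append(c)
        i += 1
    return fields


def describe(payload):
    """Return (action, details, warnings) for one decoded QR payload."""
    warnings = []
    upper = payload.upper()
    if upper.startswith("WIFI:"):
        f = split_fields(payload[5:])
        auth = f.get("T") or "nopass"
        if auth.lower() == "nopass" or not f.get("P"):
            warnings.append("open network: anything you send can be read or altered")
        if f.get("H", "").lower() == "true":
            warnings.append("hidden SSID")
        return "join wifi", {"ssid": f.get("S", ""), "auth": auth}, warnings
    if upper.startswith("MECARD:"):
        return "save contact", split_fields(payload[7:]), warnings
    if upper.startswith("OTPAUTH://"):
        u = urlsplit(payload)
        q = parse_qs(u.query)
        details = {"type": u.netloc.lower(), "label": unquote(u.path.lstrip("/")),
                   "issuer": q.get("issuer", [""])[0]}
        return "enrol 2fa", details, warnings
    if re.match(r"https?://", payload, re.IGNORECASE):
        u = urlsplit(payload)
        host = (u.hostname or "").lower()
        if u.scheme.lower() != "https":
            warnings.append("plain http: page can be altered in transit")
        if u.username is not None:              # 'trusted.name@real.host' trick
            warnings.append("userinfo before '@': the real host is %s" % host)
        if host in SHORTENER_HOSTS:
            warnings.append("URL shortener: final destination is hidden")
        if re.fullmatch(r"[\d.]+", host):
            warnings.append("bare IP address instead of a domain name")
        if host.startswith("xn--") or ".xn--" in host:
            warnings.append("punycode host: may look like another domain")
        return "open url", {"host": host, "url": payload}, warnings
    return "show text", {"text": payload}, warnings


def prompt(payload):
    """Build the confirmation text a reader app would show before acting."""
    action, details, warnings = describe(payload)
    lines = ["Action: %s" % action]
    lines += ["  %s: %s" % kv for kv in details.items()]
    lines += ["  ! %s" % w for w in warnings]
    lines.append("Proceed? [y/N]")
    return "\n".join(lines)


if __name__ == "__main__":
    SAMPLES = [  # constructed payloads for the demo
        "https://www.whatever.example/poster",
        "http://bit.ly/x1",
        "https://login.example.com@203.0.113.7/",
        "WIFI:T:WPA;S:Corp\\;Guest;P:s3cret;;",
        "WIFI:T:nopass;S:FreeCoffee;;",
        "MECARD:N:Doe,John;TEL:+441234567890;URL:https://example.org;;",
        "otpauth://totp/ACME:alice@example.org?secret=JBSWY3DZEHPK3PXP&issuer=ACME",
        "Please turn off your mobile phone",
    ]
    for s in SAMPLES:
        print(prompt(s), "\n")
```

The point of the design is that nothing happens on decode alone: `describe` only classifies and annotates, and the caller decides. The userinfo check is the one most worth keeping: a URL of the form `https://login.example.com@203.0.113.7/` reads as the first host at a glance but connects to the second, which is exactly the kind of thing a bare "visit this URL?" prompt will not make obvious.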

  27. The FunkeyGibbon

    QR Codes kinda rubbish, but I like this one

    http://images2.wikia.nocookie.net/__cb20120918114431/borderlands/images/6/6c/Borderlands2-moxxipizzabox.jpg

  28. Anonymous Coward

    Same with NFC tags, similar things can be done with that.

    But ultimately if your mobile device can be damaged or you can lose data by visiting a URL or scanning an NFC tag then this is a design/security flaw in the device itself.

    Android phones for example have taken the example of Microsoft Windows which Microsoft used to cram full of features and cool functionality like ActiveX. But a huge feature count can ultimately be a security hole without a proper security model.

  29. Anonymous Coward

    I'd have gone for a link to some webpage that would earn cash for clicks and then take the person on to the real site.

    Bit like some sort of premium rate phonecall scam

    Less chance of being found out, means more earnings in the long run.

  30. jowlymonster

    Hmm

    - Create webpage with links about Latest Big Thing (I dunno, that vampire flick or some crap)

    - Put in lots of adSense too

    - Create QR code stickers leading to site

    - Stick on Posters in Bus stops and stuff

    - insert redundant ?????

    - Profit!

  31. Anonymous Coward

    I did this a couple of years ago as a leaving prank at a university. A couple of people knew it was me but just sat back with the popcorn watching the management try and figure it out. As I understand, they also printed some "special" posters with altered codes and deliberately mixed them up with some of the correct posters. Essentially giving a time bomb to the poster team, and removing all blame from me.

  32. Anonymous Coward

    Do you follow every random URL you encounter?

    This is no different than following every random URL (e.g. http://littlelamb.example.org) you see on the http://street.example.com, If http://you.follow.example.uk every http://url.example.hk you are http://going.to.have.a.bad.time.example.local.

    It's just a bit easier.

    1. John H Woods Silver badge

      Re: Do you follow every random URL you encounter?

      But I agree with Lee Dowling - you SHOULD be able to follow any URL without compromising your device. The fact that you can't is simply due to the fact that a lot of browser security sucks.

  33. sisk

    Old news

    Scammers have been slapping stickers over QR codes since about the time that QR codes started showing up everywhere. Nothing new here. In fact, I think I recall an article on the subject right here on El Reg a couple years back.

  34. Anonymous Coward

    QR codes are so 2011

    However, anyone who still thinks they're cool is a prime victim.....

  35. Azzy

    How did it take the crooks this long?

    One of the first things that came to my mind when I saw QR codes on posters was that someone could put bogus QR stickers over the real ones.

    The factory-reset USSD code, when that exploit worked on Samsung's top-line phones, would have been a great choice for that. Except I like Samsung. If there was a nasty exploit like that that worked on iPhones, I'd be tempted to do it (since I don't have any malware or phishing scams to promote).

    1. Cpt Blue Bear

      Re: How did it take the crooks this long?

      It didn't - it took Symantec this long. Or at least this long for a sufficiently dull month in security land for them to sink to this nonsense.

  36. MrT

    Stop users following dodgy links...

    ... stick a Microsoft Tag over the QR code instead.

    In typical "always bet on a winner" fashion, I decided to put Tags on newsletter articles and the like about three years ago. Now look where they are...

    Always bet the opposite to me and you'll do alright.

  37. SA Barcodes

    Wise advice!

    Unfortunately there will always be scammers out there ready to pounce. Thanks for the article - we will definitely pass the word along.
