27 July 2016
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com

730Posts 1,806,254Views 62Comments

QR Codes Could Deliver Malware

26 March 2012  |  2077 views  |  2

You’ve seen barcodes all your life. So you know what they look like: rectangles “boxes” comprised of a series of vertical lines. When a cashier scans a barcode, you hear a familiar beep and you are charged for that item.

A QR code looks different and offers more functionality. QR stands for “quick response.” Smartphones can download QR readers that use the phone’s built-in camera to read these codes. When the QR code reader application is open and the camera detects a QR code, the application beeps and asks you what you want to do next.

Today we see QR codes appearing in magazine advertisements and articles, on signs and billboards; anywhere a mobile marketer wants to allow information to be captured, whether in print or in public spaces, and facilitate digital interaction. Pretty much anyone can create a QR codes.

Unfortunately, that’s where the cybercriminals come in. While QR codes make it easy to connect with legitimate online properties, they also make it easy for hackers to distribute malware.

QR code infections are relatively new. A QR scam works because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to an malicious website or download an unwanted application or mobile virus.

Here’s some ways to protect yourself from falling victim to malicious QR codes:

Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.

If you arrive on a website via a QR code, never provide your personal or log in information since it could be a phishing attempt.

Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.

Use complete mobile device security software, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.

TagsSecurityRisk & regulation

Comments: (3)

Brett King
Brett King - Moven - New York | 26 March, 2012, 14:48

So could this link. Doesn't mean all links or URLs are evil...

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Robert Siciliano
Robert Siciliano - IDTheftSecurity.com - Boston | 26 March, 2012, 14:54

Correct, but most people dont look at a QR code as a link. So heads up. 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 27 March, 2012, 19:14

Agree with your suggestion #s 1, 2 and 4.

However, re. your suggestion #3, "Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.", since it's customary to construct QR codes out of shortened URLs, I'm not sure how one can figure out if the URL looks suspicious or not. For example, a QR code for this blog post page (http://www.finextra.com/community/fullblog.aspx?blogid=6371) could be constructed out of its shortened version http://goo.gl/szlRT, which neither looks genuine nor suspicious.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Robert

32 Million Twitter Pass for sale Add two-factor NOW

21 July 2016  |  2520 views  |  0 comments | recomends Recommends 0 TagsSecurity

Phone Account of FTC Chief Technologist hijacked

14 July 2016  |  2298 views  |  0 comments | recomends Recommends 0 TagsSecurity

Viruses as Cyberweapons for sale

12 July 2016  |  3143 views  |  0 comments | recomends Recommends 0 TagsSecurity

TeamViewer Clients Victims of other Hack Attacks

08 July 2016  |  4303 views  |  0 comments | recomends Recommends 0 TagsSecurity

Can Two-Factor Authentication actually fail?

06 July 2016  |  2640 views  |  0 comments | recomends Recommends 0 TagsSecurity

Robert's profile

job title Security Analyst
location Boston
member since 2010
Summary profile See full profile »
Security analyst, published author, television news correspondent. Deliver presentations throughout the United States, Canada and internationally on identity theft protection and personal security....

Robert's expertise

Who's commenting on Robert's posts

Raul Thomas
Ketharaman Swaminathan
Lee Mughal
Balasubramaniam Gd
Dirk Kinvig