Monday, 3 October 2011

QR codes abused

In possibly one of the most predictable events of 2011, the bad guys have been discovered using QR codes to direct victims to malicious websites.

First, why was the predictable? Because QR codes are similar to URL shortening services, in as much as they offer convenience by replacing a hard-to-type string of characters with something that is simpler to handle by the user. The negative side effect in both cases is that they also obscure the details of the 'payload'. Criminals have been using URL shortening services for a while now, so it's hardly surprising that they've taken up with an equivalent system for mobile devices.

Interestingly, the fact that most PCs aren't set up to read QR codes means that the attacker can make some fairly safe assumptions. Anyone visiting the malicious website via the QR code is likely to be using a mobile device. They are most likely using IOS or Android, but if not then their phone is probably of limited interest. So the attacker can configure the malicious site to contain exploits only for Android and IOS devices.

The attacker could also set up the site to appear innocent to those who visit directly, by typing in the URL. This would filter out a few client-side honeypots for a start.

Denis Maslennikov from Kaspersky has produced a short report that demonstrates real-life examples of these types of attacks. He agrees that this was a predictable situation:
"Usage of QR codes for malware spreading was predictable. And as long as this technology is popular cybercriminals will use it."
In the examples that Denis explains, the QR codes direct the devices to JAR and APK files, rather than exploits, so currently this is an exercise in social engineering: The victim blithely scans in a code and installs the program provided. I predict that we'll see exploits before very long that will perform this installation automatically, in a drive-by download style.

If you want to play with QR codes but, like me, don't have a suitably advanced mobile device you may find the following links useful:
  • QR-Code Tag Google Chrome extension: Install this extension and then visit a website using Google Chrome. Click this program's toolbar icon to generate a QR code containing the URL. This is how I generated the QR code for this blog that you should see at the start of this article.
  • ZXing Decoder Online: Enter a URL for a QR code or upload it as an image file, and this site will decode it. Save the QR code from the top of this page and upload it, or paste its URL into the appropriate field and you should see it decode as:
    You get more information if you direct the decoder to a URL. See the output below.
  • Desktop QR Code Reader: An Adobe AIR application that lets you use your computer's webcam to capture a QR code. I have not used this.
ZXing Decoder Online output:
Raw text
Raw bytes 42 16 87 47 47 03 a2 f2 f7 36 96 d6 f6 e6 56 47 76 17 26 47 32 e6 26 c6 f6 77 37 06 f7 42 e6 36 f6 d2 f0 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 ec 11 11 ec 11 ec 11 ec 11
Barcode format QR_CODE
Parsed Result Type URI
Parsed Result