Thursday, 12 January 2012

Stupid QR code scam

Websense has released details of spammers using QR codes in what appears to be one of the least imaginative and, quite possibly, most ineffective scams I've seen in a long time.

The Register picked up on the story a couple of days later, yesterday.

QR threat or PR effort?

Why is this a stupid scam? Because no one is going to fall for it. It is only interesting to the media because it uses QR codes, which have the potential for causing havoc.

But this is not a case of havoc-making but rather publicity-making.

QR codes are potentially dangerous for two main reasons:

  1. They can direct unwary users to sites they don't want to visit.
  2. They open a route for an attacker to compromise the system running the QR code scanner.
As we will see, Option 1 is relevant to this story. Option 2 is not.

Option 1 works along the same lines as TinyURL and the many other URL-shortening (and obscuring) services that are available. They are very useful but ultimately provide a way for someone to access a URL without really knowing where they will end up until the site is loaded into their browser.

Obscuring URLs

When you use a URL-shortening service like TinyURL or goo.gl you take one URL and turn it into another, much shorter one. Thus, you can convert
into

This is ideal for using in Twitter posts, where the number of characters allowed in each message is very limited.

However, the URL http://goo.gl/DKRoa gives no clue as to where you will end up. The longer http://simonedwards.blogspot.com URL will indicate to any potential visitor that they about to visit a blog written by someone called Simon Edwards.

QR codes are similar, although they are primarily designed for mobile devices. Rather than typing in http://simonedwards.blogspot.com using a barely usable virtual keyboard, phone users can scan in an image such as the one used at the top of this article.

This will take them to a site, but which one? Until you scan it in you don't know. The one above links to this blog. Or does it? Try it, if you trust me...

Why is this scam useless?

The QR code sits next to
the destination URL
A QR code scam only works if people don't know what site they are going to visit. In the case discussed by Websense the actual URL appears next to the QR code.

So there is no scam here beyond publishing a URL to a pharmaceutical site, in clear text, within a spam email message.

The article from Websense is disappointing because there are plenty of significant scams around, and there is plenty of potential for the bad guys to abuse QR codes. It would be better to concentrate on those rather than to attempt name-checks in the media for what amounts to a non-issue.