QR codes – those matrix barcodes that you can now find almost anywhere – are very handy for directing users to specific sites by simply scanning them with their smartphones.
But the ease with which this technology works has also made it a favorite of malware peddlers and online crooks, who have taken to including QR codes that lead to malicious sites in spam emails.
They have also begun using the same tactic in the physical world, by printing out the malicious QR codes on stickers and affixing them in prominent places in locations where there is a lot of foot traffic, The Register reports.
According to Symantec Hosted Services director Warren Sealey, these locations include airports and city centers, where the crooks stick them over genuine QR codes included in advertisements and notices, and most likely anywhere a person might look and be tempted to scan them.
For example, if you are a tourist and want to know more about a church or a building of historic importance, in Western European countries you’ll often have the option of scanning a QR code to load the information.
To make these QR codes easy to scan, the notices that sport them are often easy to reach and, thus, easy for crooks to superimpose their own malicious QR codes on top of the legitimate ones.
I’ve personally seen random stickers with QR codes with no explanation whatsoever on public transport seats or similar places, and have often been tempted to see what they are about. Whether they were malicious or not I don’t know, but it just goes to show that innate human curiosity is a great asset for cyber crooks.
The only thing that users can do for now to protect themselves from this threat is to download and install a QR reader that checks the website’s reputation, and then offers them the option of proceeding to the site or not. While this solution is not foolproof, it’s still much better than the alternative of blindly following where the QR code takes them.
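
The check such a reader performs between decoding a code and opening anything can be sketched as follows. This is an added example, not code from any actual QR reader; the reputation table, the domain names and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed reputation data for this example only; a real reader would
# query whatever reputation service it is built around.
REPUTATION = {
    "museum.example": "good",
    "free-prizes.example": "malicious",
}

def lookup_reputation(host, table=REPUTATION):
    """Return the verdict for host or for its closest listed parent domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        verdict = table.get(".".join(labels[i:]))
        if verdict:
            return verdict
    return "unknown"

def assess_qr_payload(payload, table=REPUTATION):
    """Decide what the reader shows for a decoded QR string.

    Returns (action, host, reason) where action is 'block', 'confirm' or
    'show_text'. No action opens the link without the user agreeing.
    """
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("block", None, "malformed link")
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi, tel:, plain text and so on: display it, never act on it.
        return ("show_text", None, "not a web link; display the raw contents")
    if not host:
        return ("block", None, "link has no host")
    # hostname ignores any 'user@' prefix, so the user is shown (and the
    # lookup uses) the host the browser would really contact.
    verdict = lookup_reputation(host, table)
    if verdict == "malicious":
        return ("block", host, "destination is listed as malicious")
    if verdict == "good" and scheme == "https":
        return ("confirm", host, "known site; ask before opening")
    return ("confirm", host, "unknown or unencrypted destination; warn and ask")
```

An unknown destination still yields a confirmation prompt rather than a pass, which is why the approach is better than blind scanning without being foolproof.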