According to Teague Newman, a researcher with the Boston, Ma-based pen testing firm, even business cards are starting to have printed QR codes on them now.
The problem, he says in his latest security posting, is that there several free QR code generators on the internet that are very simple to use. You just type in the contact info or URL and hit “generate.”
Now, he adds, you have an image file of your very own QR code, which he goes on to say he has used when pen testing an organization's security, usually by adding to to an advert placed it in a public area such as employee bulletin boards.
“Clearly, when displaying the QR code with physical pamphlets or advertising, we will not encounter safeguarding measures such as anti-virus, IDS/IPS or spam filters”, he says, adding that, once an attack is successful, he can leverage the device even further by dumping the device profile, GPS location, contact information, SMS, and MMS messages using suitable software,
“One final note I should mention is that these do not have to be used only in physical attacks, as it’s still entirely possible to embed the image into an email. Once again, you can just generate a random template that includes some text such as “Scan here for the free mobile app” and then embed the image into the body of the email”, he says.
“A phone can scan a QR code on a monitor just as easily as it scans one on paper. If the image is in the email and it’s only accompanied by text (no hyperlinks), you will very likely increase your chance of bypassing the spam filter”, he adds.
“To the eyes of a security professional, a mobile device is another thing to secure and protect. To the eyes of a hacker, a mobile device is another way in.”