Malicious URLs being disguised by QR codes

QR codes, square patterns of black dots on a white background, are a form of barcode originally developed to track automotive parts during manufacture. Their fast readability, versatility and storage capacity have made them popular in many areas, not least on mobile phones.

The Websense ThreatSeeker Network is detecting traditional spam messages using these codes to hide the true destination of the link. The discovered examples use the legitimate 2stag.nl website to translate and redirect the user to the spam site. It is similar in concept to the use of URL shortening services such as bit.ly to disguise the URL.

“In many ways it was just a matter of time before we saw spam messages point to URLs that use embedded QR codes,” says Websense researcher Elad Sharf. “The advantage QR codes have over bit.ly is that it is a fast growing and marketing technology that currently has an inherent level of trust and novelty for consumers.”

The technique will affect both PC and smartphone users. However, the large number of free QR code apps available to phone users combined with the relative conservatism of PC users makes the threat particularly pertinent to the mobile market. Depending on the QR app being used, the mobile user will be more or less exposed. When the QR code image is tapped, “some apps automatically open the URL in the mobile phones’ web browser,” comments Sharf, “while other apps display the destination URL and request the user’s confirmation” before opening the URL in the phone’s browser.

One solution is to use one of the many systems and services that automatically check URLs before opening them for the user. Websense has its own called ACE. “ACE uses research intelligence from the Websense ThreatSeeker Network,” explains Sharf, “where our technologies scan and classify billions of pieces of content from websites and email messages daily.” If the QR code resolves into a sex site or malicious site “then the results of the URL can be blocked or allowed based on the user’s pre-configured policy,” he adds.
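A check of this kind has to classify every hop behind the QR code, not only the legitimate redirector the code itself contains. The following is an added sketch, not Websense's ACE or code from the article: the redirect table, category table, policy set, sample URLs and function names are all constructed for illustration, and a real scanner would query a live classification service and resolve redirects over HTTP.

```python
from urllib.parse import urlsplit

# Constructed sample data: where each hop redirects to, and the category a
# URL-classification service would return per host (hypothetical values).
REDIRECTS = {
    "http://2stag.nl/EXAMPLE": "http://pills.example/offer",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}
CATEGORIES = {"2stag.nl": "redirector", "pills.example": "spam",
              "news.example": "news"}
POLICY_BLOCK = {"spam", "malicious", "adult"}  # user's pre-configured policy


def resolve_chain(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow redirects without rendering anything; return (hops, error)."""
    hops = [url]
    while (nxt := lookup(hops[-1])) is not None:
        if nxt in hops:
            return hops, "redirect loop"
        if len(hops) > max_hops:
            return hops, "too many redirects"
        hops.append(nxt)
    return hops, None


def decide(qr_payload):
    """Return (verdict, reason, url) for the text decoded from a QR code."""
    hops, error = resolve_chain(qr_payload.strip())
    if error:
        return "block", error, hops[-1]
    for hop in hops:
        parts = urlsplit(hop)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "block", "not a web URL", hop
        category = CATEGORIES.get(parts.hostname, "unknown")
        if category in POLICY_BLOCK:
            return "block", f"{parts.hostname} is {category}", hop
    final_host = urlsplit(hops[-1]).hostname
    if CATEGORIES.get(final_host, "unknown") in ("unknown", "redirector"):
        # Never auto-open an unclassified destination: show it and ask.
        return "confirm", "destination not classified", hops[-1]
    return "allow", "all hops permitted by policy", hops[-1]
```

The "confirm" verdict corresponds to the safer app behaviour Sharf describes, where the destination URL is displayed and the user is asked before the browser opens it.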
