Saltar al contenido

QR codes with Trojans and also phishing

android-opera-pagina-abierta

Kaspersky researcher Denis Maslennikov has come across some Malicious QR codes that download Trojans for mobile. QR codes are like bar codes but with another format that allows you to store more information, if you want to create one you can enter this page and do it with a few clicks.

QR code (includes prizes)

Since the mobiles started reading them, they can be found everywhere, they are a very practical way to share information such as web addresses, phones, maps, etc. It is normal to find them in places from which you can download games and applications, just pass the camera in front of the code for the download to start directly on the phone.

This is exactly what cyber criminals are taking advantage of, spreading APK and JAR Trojans that infect the device and then send text messages to premium numbers that allow them to earn money.

What about phishing?

When Kaspersky's note came to mind something I had to comment on, just as you can link the QR with an application, it could be used to carry out phishing attacks.

To test it I set up a Hotmail fake page, I generated a QR code and accessed from my iPhone, the result was as follows:

Fake Hotmail page loaded on iPhone

As you can see in the screenshot, the page that loaded seems to be legitimate Beyond that to joke I put SpamLoco Live. What I'm interested in highlighting is that the page url does not appear and in this way anyone could fall into the trap, entering their data without knowing that they are on a false page.

This happens because I am using a QR code reader that comes with a integrated browser And it doesn't open the pages directly in Safari, where you can see the real URL. An application to read QR codes that does open pages in Safari is i-nigma (recommended).

However, this behavior of the integrated browser is normal in many applications such as the Twitter officer, when I open links published in tweets, in addition to being short links, I also do not see the final URLs and that is quite dangerous if personal data is entered later:

The page opens but does not show the URL

This happens to me on iPhone 3 with iOS 4.2.1, in other versions it may be different (I would appreciate any comment about it).

Now let's see the same example of the false page opened by means of the QR in a Android mobile, where in this case Opera is the default browser:

Thanks Quique for the capture!

In this case the url is in view, careful users will realize that they are facing a phishing attack and will not enter their information.

But we all know that most users are not careful and if they see a login page they put their password as if nothing happened, also the URL can be camouflaged to make it confusing and look like the real one. In a good context or attack from social engineer many people could be fooled, imagine that on the street they would deliver brochures or leave a poster with a giant QR code and a message that said log in with your Live ID and participate in the draw for an Xbox, surely many read the code and enter their data without thinking too much …

Many users tend to trust these codes because they believe that they are safe or that cell phones cannot be infected, but as we can see it is very easy to use them to do bad things, so be careful!

If you want to read more about QR codes, you can find good information on Wikipedia.

Update: Using QR tags to Attack SmartPhones (Attaging) a very good read that shows just how dangerous these codes can be and a couple of attacks that can be made.