QR Code Scams

There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster.

This brings up another question: does anyone actually use these things?

Posted on December 13, 2012 at 6:19 AM • 48 Comments

Comments

Species5618 • December 13, 2012 6:37 AM

I have a QR code tattoo, but since having it, I have spotted hundreds of QR codes in the WILD.

DVDs with links to movie trailers
CEX with links to the mobile site
Schools on anti bullying posters

My pet hate is QR codes which take you to a web site which is NOT mobile friendly


FlohEinstein • December 13, 2012 6:51 AM

We have a local music band which used to advertise themselves by putting QR-codes without any further information at public places like railway stations. If you scanned them you'd get the URL to the Youtube clip. Will be more careful in the future what I scan :-)

Matthias Urlichs • December 13, 2012 6:54 AM

IMHO it's safe to say that if people didn't use these codes, the crooks wouldn't spend their crooking time posting or distributing these labels or flyers or whatever.

Anyway, I do tend to scan random QR codes. But my QR reader displays the URL before calling the browser.

Rick Lobrecht • December 13, 2012 7:03 AM

@Matthias
Displaying the URL isn't necessarily useful, because it seems that many QR codes are actually pointing to a URL shortening service address (such as goo.gl or bit.ly).

I can probably count on 1 hand the number of QR codes I've scanned. And like @Species5618, I'm frustrated when they point to a non-mobile site. The last one I scanned was at a restaurant for some contest, and the site linked was brutal on my phone.

David • December 13, 2012 7:07 AM

I was wondering about whether people would follow anonymous QR codes today when I saw a sticker on a traffic light pole.

I figured the fact that I even noticed it and thought about it was a good indicator that others would go further and follow the link.

Ken • December 13, 2012 7:07 AM

"...does anyone actually use these things?"

Unfortunately yes, most everyone in my office who is under 30 does. And I work in an IT shop.

Jonathan • December 13, 2012 7:30 AM

I use QR codes because of the novelty. They're currently my favorite way to Rickroll my friends. (Physically I'm in my 30's, but mentally I'm about 12 years old.)

Clive Robinson • December 13, 2012 7:38 AM

QR Codes are "so old school" even Grannies use them to get discounts.

They basically do what they are supposed to do which is provide machine readable data that makes people's lives (supposedly) easier by having a "point-n-click" interface.

And because they are a blind (to the user) communications channel you could put almost anything you like in them. And that's why fraudsters etc like them, because they take the user out of their fraud loop...

And as QR Codes are now old school, there must be something more modern and there is...

NFC-Tags...

Yup you can buy Near Field Communications tags which are just like programmable RFIDs, you can put various bits of info in them including URLs and your name, address, email, phone number etc.

So I guess in a year or three we will see "NFC-Tag Scams" as the crooks ride the "New-Tec Wave" that the likes of "Apple Fan Bois" and other self appointed "fashionistas" think is so du jour to their life styles (Oh you are allowed to say "Hip-n-Trendy" again because it's now "So retro"...)

Seeing such persons in various parts of London with their D&C watches, glasses etc reminds me often of the old saying,

A Fool and their money are soon parted.

The moral is if you practice any "unsafe activity" it's likely to turn around and bite you at some point and thus affect one or more forms of your Health...

Dale • December 13, 2012 7:43 AM

I have one on the back of my business card. It contains my contact details, for those who want an easy way to capture it. Was thinking of creating a separate card with this info, plus a link to my resume, for prospective employers.

Nebulus • December 13, 2012 8:55 AM

I didn't find any use for QR codes yet, but that is just me. I suppose that if the advertisers are using them on their outdoor ads, they might be used/scanned by some, but I can't imagine why someone would scan and follow the embedded link for a QR placed on some wall or pole...

Ron Helwig • December 13, 2012 9:34 AM

I put a QR code on the back of my Shire Silver cards that goes to a page on my website that gives the suggested dollar trade value of the card.

Woo • December 13, 2012 9:34 AM

I don't recall any poster or advertisement where there wasn't the full URL printed right next to the QR code.. and at least considering my mobile phone, it's easier to tap on the browser icon and enter the URL than it is to flip through several pages of icons to where I have the QR scanner, scan the code, inspect the URL and click to launch it in the browser.
Now if companies would see to get simple and short URLs, QR could go die out.

Adam Stovicek • December 13, 2012 9:48 AM

I've avoided QR codes like the plague for this very reason. I know how to use search engines to find the info I need and I don't ever find myself in the immediate need to know about a product or event to resort to utilizing one.

Clive Robinson • December 13, 2012 10:52 AM

@ Nebulus,

... but I can't imagine why someone would scan and follow the embedded link for a QR placed on some wall or pole.

Well I can give you one example "illegal" raves/parties.

As others have indicated the URLs they contain don't have to go directly to a website.

If you are running an illegal entertainment some place you have to get the punters you want not the police.

For a while people used the likes of the online private messaging service on RIM phones but the police worked a way around that. And for a while QR codes with links just got put on a wall or pole somewhere telling people where to go next like a "treasure chase" game.

Glenn Fleishman • December 13, 2012 11:20 AM

In Japan, yes, because (as I understand it) the phones have been equipped since the early 2000s with a very simple way to scan.

Everywhere else, no, because you have to launch an app to do it.

Imagine if Apple and Google built QR Code recognition as an option into lock-screen picture taking. Codes, like faces, would be recognized and one could tap to see the URL and then agree to open the browser to it.

David Meese • December 13, 2012 11:25 AM

I've been aware of this threat for a while, so have always been cautious whenever I scan a QR code. They are hugely popular in Japan, and museums have started using them here in the US.

A risk is that some scanner apps will automatically open a web address in a QR code. The zebra xing barcode scanner for Android shows you the URL and asks you if you want to connect. The idea is that you can make a decision based on the URL. Unfortunately, url shorteners limit the value here.

The bottom line is that QR codes are a neat concept and have value as a machine readable image, but you should be cautious. This is just another thing to consider part of the growing set of 'street smarts for the 21st century'

Secure • December 13, 2012 12:15 PM

They are sometimes used for Geocaching, to give information for the next waypoint. And there is a "point hunting" game based on them: munzee.com

Mark • December 13, 2012 12:19 PM

I use them on my card and, as a quick way of sending links to my phone. I don't scan ad codes much, not unless I trust the source. Also like David said, Zebra Xing's scanner shows you the url. Shortened urls are usually easy to spot, they don't look like they are encoding as much data, I scan those very rarely.

Tenor • December 13, 2012 12:49 PM

I am developing for a QR code app. It is nice for getting subsidies and to sell old technology with a novelty varnish. I wouldn't use the products that are based on it myself.

It would be nice for specific URLs (like feedback for a specific café) but mostly it leads to generic URLs where you have to navigate yourself to the specific café (and sometimes even to non-mobile sites - "but it looked nice on my iPhone", original designer quote). Not so nice.

Well, there is one specific case where I used them and where it was handy: Extra historical information for a city tour (same in museums). At the attractions there were QR codes that lead to sites describing the building and history, in different languages. When you do this quite often in a row entering the full URL all the time would get annoying, it definitely led to using this service. A specific geocoded app or other technology like NFC would work too, obviously, but this is cheaper, more generic, and easier to set up.

chrisl • December 13, 2012 4:49 PM

I'm using them as a way to sell ebooks in bookstores and other physical locations. There's a card or even paper copy of the book in the store with a QR code that identifies the item and the store. If someone buys online (the ebooks are downloaded, and there are samples online, too) after scanning the QR code the physical store gets a substantial cut of what the customer paid, and a similar cut from future online sales to that person. It's a way to get visibility through the enormous volume of ebooks published.

murray • December 13, 2012 7:52 PM

@Jo

Taking the Turkish football fans' QR code banner one step further...
No banner required.
Each person in the crowd has a large plain black or white card. Stand in the correct layout and on the agreed signal, hold up your card. (Not original, it's been done before with images). Maybe just white cards (or sheets) are required?

Chris • December 13, 2012 10:39 PM

For Android and iPhone, Symantec has Norton Snap, which shows the URL, the Norton site rating, and a link to the Norton site report before you manually approve opening the link.

D0R • December 14, 2012 7:17 AM

The police in Geneva, Switzerland has started putting them on their cars as a way to recruit new officers. I wonder whether they're effective.

I never used QR codes -- I like to know where I go.

Paeniteo • December 14, 2012 9:41 AM

@D0R: "I never used QR codes -- I like to know where I go."

Do you really think you can tell if a URL leads to a "good" or "bad" site from merely looking at it?
Plus, many QR apps show the URL before they open it (maybe not on iOS, though).


As to real world usage, I have such a code on my business card. Works much better than attempting to OCR the text on the card.

willmore • December 14, 2012 10:43 AM

I've been following QR code as a vector for attack for a while and, while I find these attacks interesting, I am really waiting for a researcher to find an exploit in the decoding engine itself. Could a maliciously formed QR symbol exploit a weakness (bounds checking, invalid field value, etc.) in the decoder to compromise the scanning application?

If you're using a 'clean' code generator to make the symbols you use for testing your decoder, you're missing a large range of test cases. Surely, noise and other distortions in sampled codes will test some of this problem space, but does it go far enough?

casey • December 14, 2012 10:51 AM

Barcode Scanner on Android lets you see what you've scanned before opening a browser. I usually scan QR codes I've generated (with DuckDuckGo's !qr command, for example) to send the link to my phone.

I've considered augmenting PGP key exchange with QR codes. One phone displays the QR of the owner's public key fingerprint, the other scans & looks it up. Compare real-life face against the signed photo in the keyring for verification.

Brandon • December 14, 2012 1:58 PM

I've used them many times, from both sides (as a business putting the code out there, and as a person out there scanning such codes).

Call me silly, but I think the sheer fact that you are seeing the codes pop up so much, and that business haven't stopped using them, is proof they're being used.

John G • December 14, 2012 9:04 PM

This is a story about a Korean advertisement that won a number of prizes at the Cannes advertising festival: http://www.youtube.com/watch?v=EvIJfUySmY0 The store apparently built a large set of blocks that worked as a scannable QR code - between noon and 1 p.m. when the shadows hit it right. The QR code took the viewer to a site with time-sensitive specials. This attracted more people to the store over lunch, when it had apparently been very slow.

Name Withheld • December 16, 2012 3:35 AM

I can attest that this is a concern at least among the sort of people who attend security conferences. The company I work for released a security testing tool at a security conference this year. Marketing designed a postcard that consisted only of the company's name, the name of the tool, and a QR code. The developers of the tool argued unsuccessfully with marketing that people would find the card suspicious and no one in their right mind would access the website based on it. In the end they compromised: the people staffing the company's booth were allowed to tell visitors the URL of the website, but the URL would not be included on the cards. Not surprisingly, the site analytics showed that not many people visited it until after the conference was over.

On top of everything else, as Species5618 complains, the site was most definitely NOT mobile-friendly.

Stainless Stihlradt • December 17, 2012 6:08 PM

Sure, they're being used. If you put up a big red button in any public place and label it "Press this button for a big surprise!", you can bet the ranch that an *endless* number of yokels will walk up and press it, usually while Beavis-laughing with their retarded friends. It's America. What, did you think "Idiocracy" WASN'T a documentary?

Ken • December 18, 2012 8:52 AM

@Stainless Stihlradt - This sounds like the beginning of an interesting social experiment. Place two buttons side-by-side...one labeled "Press this button for a big surprise!" and the other labeled "Don't press this button!". I'm curious which button would get pressed more.

Me • December 20, 2012 12:58 AM

I haven't had much luck with them. I have one on a display in every Sears store in the US and can count on one (maybe two) hand the number of weekly hits.

Doug D • December 20, 2012 2:34 PM

For a rarely-used system I manage (only need to use it as a part of emergency response), I have printed out business-card-sized cheat sheets reminding the users how to use the system.

I put a QR code of the URL for the system's launch page on those cards, so folks with a camera can start the process by scanning that code instead of typing in the URL. For this limited purpose, I think it works reasonably well.

(I designed the system after watching how our emergency responders handled communications previously -- long story there. But, there were too many steps, too many things to remember, too many things to get in the way during an incident. So I designed a dramatically simpler system optimized for this one purpose, and even with that simplicity, I distribute cheat sheets that folks can keep in their wallets.)

Mark G • May 8, 2014 5:45 PM

In addition to displaying the URL and asking for confirmation before opening the website, some scanner apps now automatically expand from the popular shortening services so you are more likely to be able to tell which page you are opening.

Because ZXing is open source, it is easy to find the list of redirectors that it expands:

"amzn.to", "bit.ly", "bitly.com", "fb.me", "goo.gl", "is.gd", "j.mp", "lnkd.in", "ow.ly", "R.BEETAGG.COM", "r.beetagg.com", "SCN.BY", "su.pr", "t.co", "tinyurl.com", "tr.im"
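The preview-and-expand behaviour discussed in this thread (show the URL, expand known shorteners, then ask before opening), as an added example that is neither ZXing's code nor any commenter's. It assumes a hypothetical one-hop `resolve` callback standing in for an HTTP HEAD request, so the chain is followed offline; the redirector set is a lower-cased copy of the ZXing list quoted above.

```python
from typing import Callable, Optional
from urllib.parse import urlsplit

# Lower-cased copy of the ZXing redirector list quoted above (urlsplit()
# lower-cases hostnames, so the mixed-case "R.BEETAGG.COM" entry folds in).
ZXING_REDIRECTORS = {
    "amzn.to", "bit.ly", "bitly.com", "fb.me", "goo.gl", "is.gd", "j.mp",
    "lnkd.in", "ow.ly", "r.beetagg.com", "scn.by", "su.pr", "t.co",
    "tinyurl.com", "tr.im",
}
OPENABLE_SCHEMES = {"http", "https"}   # anything else is shown, never launched
MAX_HOPS = 5                           # bound on shortener-to-shortener chains


def is_shortener(url: str) -> bool:
    """True when the URL's host is one of the known redirector services."""
    return urlsplit(url).hostname in ZXING_REDIRECTORS


def preview(payload: str, resolve: Callable[[str], Optional[str]]) -> dict:
    """Classify a decoded QR payload for the confirmation prompt.

    `resolve` is a hypothetical hook: given a URL it returns the Location a
    HEAD request would yield, or None if the service gives no redirect.
    Returns the final URL to display, the hops taken, and whether the real
    destination is still hidden behind a shortener ("opaque").
    """
    scheme = urlsplit(payload).scheme
    if scheme not in OPENABLE_SCHEMES:
        # tel:, mailto:, javascript:, vCard text, etc.: display only.
        return {"kind": "non-web", "final": payload, "hops": [], "opaque": False}

    hops, current = [], payload
    while is_shortener(current) and len(hops) < MAX_HOPS:
        nxt = resolve(current)
        if nxt is None:          # shortener did not redirect; stop here
            break
        hops.append(nxt)
        current = nxt

    # Still a shortener after exhausting hops (loop) or a dead link: the
    # user cannot judge the destination, so flag it rather than open it.
    return {"kind": "web", "final": current, "hops": hops,
            "opaque": is_shortener(current)}
```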
