A single poisoned link is all it takes to expose an entire organization to a full-scale attack. Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they're going after our mobile phones, which are soon to be the number one way we access the web.
As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.
And we scan them voluntarily.
We've already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it's embedded in looks tempting enough.
The experiment
Over a three-day security conference in London, I created a small poster featuring a big security company's logo and the sentence "Just Scan to Win an iPad." Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.
The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers. Remember, this was a conference for security professionals.
As I'm a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include malware or a poisoned URL attack based on multiple mobile smart phone browsers, I wonder whose phone I would have penetrated.
To make a long story short: QR codes are becoming more and more prevalent. And most of us don't have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.
The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.
Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.
Think before you scan.
- Does this QR code seem to come from a reliable source?
- After scanning the QR code and seeing the link, is the link really from whom it claimed to be?
- Would I click on this link if it came through my email?
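
The second question in the list can be partly automated once the scanner shows the decoded link. The following is an added example, not code from the article: the function name, the shortener list and the sample brand domain `example-security.com` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Illustrative, incomplete list of public URL shorteners (assumption for this example).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def check_qr_link(decoded: str, claimed_domains: set[str]) -> list[str]:
    """Return reasons to distrust a URL decoded from a QR code.

    claimed_domains: domains the organisation shown on the poster is known
    to own. An empty result means no finding, not proof the link is safe.
    """
    try:
        parts = urlsplit(decoded.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ["URL cannot be parsed"]

    findings = []
    if parts.scheme.lower() != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if not host:
        return findings + ["no host in URL"]
    # "https://brand.com@other.host/" is displayed brand-first but goes to other.host.
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible look-alike domain)")
    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")
    # The host must be the claimed domain itself or a subdomain of it;
    # "brand.com.other.example" does not qualify.
    if not any(host == d or host.endswith("." + d) for d in claimed_domains):
        findings.append(f"host {host!r} is not under the claimed sender's domains")
    return findings


if __name__ == "__main__":
    brand = {"example-security.com"}  # constructed sample value
    for url in (
        "https://www.example-security.com/ipad",
        "https://example-security.com.win-ipad.example/",
        "http://example-security.com@198.51.100.7/win",
        "https://bit.ly/abc",
    ):
        print(url, "->", check_qr_link(url, brand) or "no findings")
```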