Sunday, May 20, 2012

Danger in the proliferation of QR Codes


You might have noticed more and more of these graphics popping up everywhere, from the packages you receive in the mail to the backs of toys, games, electronics, and consumables, and even on billboards and ads around the world. They're everywhere, and without the proper software you can't tell what they say until they've been decoded. QR codes are a relatively new way to encode information, usually for mobile devices, so the lazy masses can open a URL without having to type anything (it's one of the little things we're doing for the kids so their lives aren't as complicated as ours).

This could have been a virus.

This one specifically (above) is a QR code that I created with the website at qrcode.kaywa.com that says "This could have been a virus." And that would be correct. It could have been a virus, a link to a Trojan, or a link to who knows what, and in the wrong place at the wrong time, it could cause a lot of trouble. Let's say it points to an illegal website, you're on your network at work, and you open the webpage with one of the devices you have been authorized to use on the company network. It could cost you your job. You could open a backdoor to your corporate network. If it's placed for you specifically to open, you could give someone your physical location (stalker) or other information unknowingly. (Think forms that auto-complete and use AJAX, an acronym for Asynchronous JavaScript and XML, for processing.) By the time it opens, whoops, it's too late.

The problem is, because your phone, iPad, etc. can open a URL or a bit of code under the assumption it's something else, the codes can't always be trusted. See, the graphic itself is harmless. It's just a high-contrast collection of squares in a pattern that tells the decoding software which characters are meant to be represented when the code is translated. The problem comes back to people. A malicious individual could place a link to a website with a specially crafted payload, or better yet a script that qualifies a device and then delivers a specially crafted payload to take over the device, to steal information, or to simply implant something on the device for the sake of tracking (such as a cookie). This can all happen super fast, and then the site can redirect you to another site. It says flowers.com, I ended up on flowers.com, but what really happened in between? In actuality the in-between part is commonly referred to as an XSS attack (Cross-Site Scripting), where one website is used to exploit the visitors of another.
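An added example, not part of the original post: a Python check that looks at what a QR code decodes to before a device opens it, and lists the hosts a recorded redirect chain passed through on the way to the advertised site. The shortener list, the sample payloads and the redirect chain are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, illustrative list of link-shortener hosts (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def inspect_payload(payload):
    """Return warnings for a decoded QR payload, without opening it."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return ["not a web link (%s): do not auto-open" % (scheme or "plain text")]
    checks = [
        (scheme == "http", "unencrypted http"),
        (parts.username is not None, "text before '@' is not the destination"),
        (is_ip(host), "raw IP address instead of a name"),
        (any(l.startswith("xn--") for l in host.split(".")), "punycode host"),
        (host in SHORTENERS, "shortener hides the real destination"),
    ]
    return [msg for hit, msg in checks if hit]

def hosts_in_between(shown_host, chain):
    """Hosts in a recorded redirect chain that are not the advertised site."""
    shown, seen = shown_host.lower(), []
    for url in chain:
        host = (urlsplit(url).hostname or "").lower()
        if host != shown and not host.endswith("." + shown) and host not in seen:
            seen.append(host)
    return seen

# Constructed samples; the first is the text encoded in this post's QR code.
SAMPLES = ["This could have been a virus.", "https://www.flowers.com/spring",
           "http://flowers.com@203.0.113.7/offer", "https://bit.ly/abc123"]
# Constructed redirect chain, as a logging proxy might record it.
CHAIN = ["https://bit.ly/abc123", "http://tracker.example/q?id=1",
         "https://www.flowers.com/"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", inspect_payload(s) or ["no warnings"])
    print("hosts in between:", hosts_in_between("flowers.com", CHAIN))
```

A payload with no warnings is not proof of safety; the check only surfaces the cases where what the code shows and where the device would actually go can differ.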

So take it from someone with a devious curiosity when it comes to technology. The next time you see one of these things on a package or somewhere in the wild, before you scan it, think about what it is you think you're getting and whether the risk is worth it. If it's on a toy, you're probably okay; they're just going to track you or sell you more stuff. But if it's stuck to a pole next to Wrigley Field, you might be getting more than you bargained for.