A large number of end-user computers are mobile devices, and the lion’s share of those are smartphones. APTs are increasingly targeting the mobile market. “Mobile malware increased more than 1,000-percent in 2012 alone,” said Catalin Cosoi, Chief Security Researcher, BitDefender. BitDefender bases this figure on analyses of mobile threats it collects via honeypots. Criminal hackers use malicious QR codes for the same reasons they use any attack on mobile devices: the mobile market is outpacing PCs, creating a bigger target, and these newer, mostly end-user devices (especially smartphones) are the least likely to carry any security software.

Dissecting malicious QR codes

A malicious QR (Quick Response) code contains a link to a website embedded with malware. “It doesn’t matter how the user scans or collects the QR code, eventually the device translates it to a link,” said David Maman, Founder and CTO, GreenSQL, who also speaks at conferences on the dangers of malicious QR codes. The web link then infects the user’s device with a Trojan. “It’s typically a JavaScript Trojan. When the website comes up, the JavaScript automatically runs, embedding the Trojan into your system,” said Dave Chronister, Lead Hacker, Parameter Security, which enterprises contract to perform penetration (pen) tests to audit network security. Once a Trojan infiltrates a mobile device, it typically reports to the hacker’s servers, which automatically transmit any number of other threats through that opening to leech data and wreak havoc.

Freely available tools automate QR code creation, so criminal hackers do not have to roll their own. “The Social Engineering Toolkit has a QR code generator. You can use it to create malicious QR codes,” said Chronister. The intent of The Social Engineering Toolkit is that ethical hackers use it to test systems for security vulnerabilities with the enterprise’s blessing. However, whether it is good or bad really depends on whose hands it is in.
Attack vectors / infection points

Criminal hackers could distribute malicious QR codes and/or malware through marketing firms that create legitimate codes, through malicious QR code tools, and when people access bogus QR codes unawares. Hackers can compromise systems belonging to marketing firms that create QR codes for their enterprise clients. They can then substitute the legitimate codes with malicious ones before the firm distributes them. This creates obvious liabilities for the enterprise that ordered the QR code. There are also many free apps for creating QR codes already available. “What would stop someone from putting an app out that adds a JavaScript to the QR codes, which sends people to a secondary site to inject malware on the device?” noted Chronister. In addition, if malicious QR codes infect smartphones and the enterprise permits these devices to connect to the company network, they can become bridges for malware into the enterprise via the phone’s data connection.

Hot new attack vectors, chilling results

Attackers use malicious QR codes in phishing attacks. An attacker could create thousands of business cards purporting to be from Subway that say, ‘Free footlong if you join our QR Club’ printed next to the malicious code. When victims scan the code and follow the link, the site could simply respond, ‘Thank you for joining the club’ while silently installing a Trojan. “So many companies are using QR codes, how can a consumer tell whether the QR code is from a company they trust or is a forgery?” asked Chronister. In another attack, APTs can use a cross-site scripting vulnerability on a legitimate website to open a hole to insert a malicious QR code in place of a legitimate code. “When a web browser pulls up the legitimate site, the QR code referencing the hacker’s site is now part of the otherwise benign site and the browser will pull them up together,” said Chronister.
Malicious QR codes can also enable a hacker to control cell phones to access messages and GPS, turn on the camera(s), and listen in on phone conversations. “Even botnet software is showing up on phones, allowing APTs to enlist them into botnets for attacking other systems,” says Chronister. The attacker can use the phone as part of an SMS botnet or an Internet botnet to attack countless targets.

What CSOs should do now

The best way to avoid malicious QR codes and protect the enterprise is simply to not use them. “The codes are really not valuable enough to any company to afford the risk. If the enterprise must use them, ensure they are set up in a way that enables the enterprise to continually validate them as legitimate,” said Chronister. Instruct employees not to use QR codes on phones that also attach to the company network. “If the company uses BYOD, instruct employees of the risks of QR codes,” Chronister advised.

Enterprises should already be segregating the wireless guest network from the rest of the infrastructure, as well as segregating internal networks holding core data from other internal networks. Unfortunately, this is often not the case. “When we do pen testing, we find that though the enterprise has a guest network, smartphones are connected to the corporate network,” said Chronister. Make sure smartphones, as well as other mobile devices, have anti-virus and other anti-malware software installed and updated. “In the course of our pen testing, we’ll see that the network policy says every system that connects to the corporate network is supposed to have anti-virus software installed. Then I will ask to see someone’s iPhone. It doesn’t have anti-virus software installed, but it’s a system and it’s on the corporate network,” said Chronister.

Long-term Solutions

Ultimately, enterprises will have to continue to refine fine-grained policies and rules that examine log files in depth for network events.
“These help to determine whether, for example, an authorized smartphone connecting to an internal system belongs to someone who happens to be off sick that day,” says Maman. Then the network can automatically drop the connection and IT can investigate further. But even such policies cannot detect everything. “There may not be enough evidence or detail to detect,” said Maman.
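Chronister’s recommendation above, that an enterprise continually validate its QR codes as legitimate, comes down to checking where the decoded link actually points. The following Python check is an added example, not code from the article or from any of the companies quoted; the allowlisted hosts and the sample payloads are constructed, and the QR scanner is assumed to have already decoded the code to text.

```python
"""Validate the text decoded from a QR code against an enterprise allowlist.

Added example (not from the article). The scanner is assumed to hand us the
decoded payload as a string; ALLOWED_HOSTS and the sample payloads are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist: the only hosts this enterprise publishes QR codes for.
ALLOWED_HOSTS = {"promo.example.com", "www.example.com"}


def classify_qr_payload(payload: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return 'allow', or a short reason the decoded payload should be refused."""
    if not payload.lower().startswith(("http://", "https://")):
        # javascript:, data:, intent:, tel: or bare text have no place on a printed code
        return "non-http scheme"
    parts = urlsplit(payload)
    if parts.scheme != "https":
        return "plaintext http"
    if parts.username is not None or parts.password is not None:
        # https://promo.example.com@evil.invalid/ actually resolves to evil.invalid
        return "userinfo in URL"
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lowercased
    if not host:
        return "missing host"
    if host.startswith("xn--") or ".xn--" in host:
        # IDN lookalikes of the brand's domain survive a visual check; refuse them
        return "punycode host"
    try:
        ipaddress.ip_address(host)
        return "ip literal host"
    except ValueError:
        pass
    # Exact match only: promo.example.com.evil.invalid must not pass, and neither
    # should an unlisted subdomain the marketing team never registered a code for.
    if host not in allowed_hosts:
        return "host not allowlisted"
    return "allow"


if __name__ == "__main__":
    # Constructed payloads: one legitimate campaign link and several forgeries.
    for sample in ("https://promo.example.com/club",
                   "https://promo.example.com.evil.invalid/club",
                   "https://promo.example.com@evil.invalid/",
                   "javascript:alert(1)"):
        print(f"{classify_qr_payload(sample):22} {sample}")
```

In a campaign workflow the same function can be run over every code before it goes to print and again whenever a published code is re-scanned, so a substituted code is caught by the enterprise rather than by its customers.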
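The log rule Maman describes above (an authorized smartphone reaching an internal system while its owner is recorded as off sick) can be expressed as a join between connection logs, the device register and the HR absence roster. The Python below is an added example, not code from the article or from GreenSQL; the log line format, device register and absence roster are all constructed for illustration.

```python
"""Flag smartphone connections to internal systems that the log rule should drop.

Added example, not from the article. LOG_LINES, DEVICE_OWNER and ABSENT are
constructed; a real deployment would read them from the NAC/VPN logs, the MDM
inventory and the HR system respectively.
"""
import re
from datetime import date

# Constructed NAC log lines: timestamp, device id, authenticated user, target system
LOG_LINES = """\
2023-09-28T08:02:11Z nac: device=SP-0412 user=alice dst=fileshare.corp.example
2023-09-28T08:05:40Z nac: device=SP-0991 user=bob dst=crm.corp.example
2023-09-28T09:17:03Z nac: device=SP-0311 user=carol dst=hr.corp.example
2023-09-28T09:20:55Z nac: device=SP-7777 user=dave dst=fileshare.corp.example
"""

# Constructed MDM register (enrolled smartphone -> owner) and HR absence roster
DEVICE_OWNER = {"SP-0412": "alice", "SP-0991": "bob", "SP-0311": "carol"}
ABSENT = {("bob", date(2023, 9, 28)), ("carol", date(2023, 9, 29))}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ nac: "
    r"device=(?P<dev>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)$"
)


def evaluate(log_text=LOG_LINES, device_owner=DEVICE_OWNER, absent=ABSENT):
    """Return (device, user, dst, reason) for each connection to drop and investigate."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            # An unparsed line is itself evidence worth a look, never silently skipped
            findings.append(("?", "?", "?", f"unparsed line: {line}"))
            continue
        day = date.fromisoformat(m["ts"])
        dev, user, dst = m["dev"], m["user"], m["dst"]
        owner = device_owner.get(dev)
        if owner is None:
            findings.append((dev, user, dst, "device not enrolled"))
        elif owner != user:
            findings.append((dev, user, dst, f"device enrolled to {owner}"))
        elif (user, day) in absent:
            findings.append((dev, user, dst, "owner recorded absent"))
    return findings


if __name__ == "__main__":
    for finding in evaluate():
        print(*finding)
```

Carol is absent on a different day than the logged connection, so her line is not flagged; Bob's phone connecting on his sick day and Dave's unregistered device are the two results.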