Spammers link to site containing QR code

Posted by Virus Bulletin on Jan 10, 2012

Curious users may scan URL and end up on pharma websites.

Researchers at Websense have discovered spam containing links to a site containing a QR code in which the spam's target URL is encoded.

A QR code is a two-dimensional variant of a barcode, and can thus contain more information than a one-dimensional barcode. QR codes have become a popular way to encode URLs: most smartphones have apps that are capable of scanning QR codes and will then automatically point the user's browser to the corresponding URL.

Because QR codes are opaque to the human eye, there is no way to guess whether the corresponding site is legitimate; for this reason, security researchers have already pointed out the potential for abuse by spammers and malware authors. (Indeed, in September last year, researchers at Kaspersky found some examples of websites containing QR codes linking to malware.)

The current spam wave does not use QR codes directly. Instead, it links to 2tag.nl - a site that combines a URL shortener with a generator of QR codes for the short URLs. When a hyphen is appended to the shortened URL, the user remains on 2tag.nl and sees the QR code.

It should be noted, however, that the target URL is visible on the same page. In the examples we have seen, it is clear that the sites contain pharmacy spam. However, it is possible that not everyone will notice this - and many a curious user may be tempted to scan the QR code visible on their screen.
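A mail filter can treat the hyphenated QR-page link and the plain short link as one destination for reputation lookups. The Python below is an added example, not code from Virus Bulletin or Websense; the sample message, the short-URL paths and the `lookup_key` field are constructed for illustration, and the only service listed is the one named above.

```python
import re
from urllib.parse import urlsplit

# Assumption: services where a trailing hyphen on the short URL shows a QR page.
# Only 2tag.nl is named in the article; extend the set for others you observe.
QR_SHORTENERS = {"2tag.nl"}

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

def classify_links(body):
    """Find shortener links in a message body and flag the QR-page form."""
    findings = []
    for raw in URL_RE.findall(body):
        # Drop sentence punctuation that trails a URL, but keep a final '-'.
        url = raw.rstrip(".,;:!?)")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host not in QR_SHORTENERS:
            continue
        path = parts.path
        # "/<code>-" is the QR page; a bare "/-" has no code in front of it.
        qr_page = len(path) > 2 and path.endswith("-")
        short_path = path[:-1] if qr_page else path
        findings.append({
            "seen": url,
            "qr_page": qr_page,
            # Same key for both forms, so one blocklist entry covers both.
            "lookup_key": host + short_path,
        })
    return findings

# Constructed sample message (the short code "AbC12" is made up).
SAMPLE_BODY = (
    "Great prices, see http://2tag.nl/AbC12- today.\n"
    "Direct link: http://www.2tag.nl/AbC12.\n"
    "Unrelated: http://example.com/some-page-\n"
)

if __name__ == "__main__":
    for finding in classify_links(SAMPLE_BODY):
        print(finding)
```
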

2tag.nl appears to be a legitimate website, though its blog and its social media accounts have not been updated since last spring. Nevertheless, we have informed them about this abuse of their service.

More at Websense here.
