MIAMI (CBS4 ) – Jorge Ezeta thinks Q-R codes are incredibly convenient. He likes scanning them for more information on a product he might want to buy.
“It really helps you make a shopping decision,” said Ezeta. “They store information in the black and white dots, so you can keep a lot of different things in there, telephone numbers, urls, links to web sites, addresses and any kind of text you want.”
“That’s really helpful, right?” asked Estevez.
“Yes,” replied Ezeta.
But what’s not helpful is you can’t really tell what information is stored inside that code until after you have scanned it. And that can be bad, according to Malware researcher Tim Armstrong.
“There’s a danger inherent in using these types of systems. They can link to malicious websites or phishing pages just as easily as they can link to legitimate information,” explained Armstrong.
Malicious web sites? Phishing pages?
Experts say phishing pages are fake versions of legitimate pages and they’re used to collect your login details.
“A lot of times they will look identical to the legitimate page,” said Armstrong.
The criminals set up the codes so that after they are scanned, the landing page asks you to click a link… a link that could hijack your phone and your private information.
“Links go to all sorts of different other pages where they can collect user details. They can steal information,” cautioned Armstrong.
Apps can put your private information at risk and you won’t even have a clue.
“The end-user thinks they’re downloading an instant messenger application or a new web browser for their phone,” said Armstrong. “But, in fact, these are just fake applications that are similar to real apps, but in the background they’re stealing your data.”
“There’s a lot of personal information on my phone. Everything, phone numbers, contacts, emails, access to my email, access to my bank account,” said Ezeta.
Or you might receive a premium rate text message that, when you open it to read it, results in a $5 or $10 charge.
“We haven’t seen this type of attack until very recently,” Armstrong indicated.
Developers are working on protection software. But until that is created, be careful.
Armstrong points out that right now, scanning the code isn’t the problem… it’s when the code sends you to a link that you need to click, that you need to watch out.
“Scan them, see where they go first and then make a decision. Be very wary of where these things are leading you. If you see these things out in the wild it may not be the best idea to scan them,” cautioned Armstrong.
Jorge will keep scanning magazine ads or food product labels but with more skepticism than before.
“Not on a street sign where it says click here for free stuff. That would be a lot riskier,” Ezeta said.
Researchers say this problem seems to be stemming mostly from criminals in Europe and Russia in particular.