Abstract
The matrix barcodes known as Quick Response (QR) codes are rapidly becoming pervasive in urban environments around the world. QR codes are used to represent data, such as a web address, in a compact form that can be scanned readily and parsed by consumer mobile devices. They are popular with marketers because of their ease of deployment and use. However, this technology encourages mobile users to scan unauthenticated data from posters, billboards, stickers, and more, providing a new attack vector for miscreants. By positioning QR codes under false pretenses, attackers can entice users to scan the codes and subsequently visit malicious websites, install programs, or perform any other action the mobile device supports. We investigated the viability of QR-code-initiated phishing attacks, or QRishing, by conducting two experiments. In one experiment we visually monitored user interactions with QR codes, primarily to observe the proportion of users who scan a QR code but elect not to visit the associated website. In a second experiment, we distributed posters containing QR codes across 139 different locations to observe the broader application of QR codes for phishing. Over our four-week study, our disingenuous flyers were scanned by 225 individuals who subsequently visited the associated websites. Our survey results suggest that curiosity is the largest motivating factor for scanning QR codes. In our small surveillance experiment, we observed that 85% of those who scanned a QR code subsequently visited the associated URL.
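The attack vector the abstract describes rests on one step: the scanner app turns the decoded payload into an action (usually a page visit) before the user has seen where it leads. The following is an added example, not code from the paper or its authors, of the scanner-side preview a defender would want in place of that automatic action. It assumes the QR symbol has already been decoded to a string by some reader library; only that string is analysed. The shortener host list is a constructed, illustrative set, and the warning texts are this example's own.

```python
"""Scanner-side preview of a decoded QR payload (added example).

Assumption: a QR reader has already decoded the symbol to a string; this
code only classifies that string and collects warnings to show the user
before any action is taken. Nothing here is the paper's own code.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed, illustrative list of URL-shortening hosts; a real scanner
# would maintain its own, larger list.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}


@dataclass
class QrPreview:
    raw: str
    kind: str                     # "url", "app-action" or "text"
    display_host: str = ""        # host the user should be shown, if any
    warnings: list = field(default_factory=list)


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def preview_qr_payload(raw: str) -> QrPreview:
    """Classify a decoded QR payload and collect warnings for the user.

    The caller is expected to display the result and wait for an explicit
    confirmation; this function never opens anything itself.
    """
    payload = raw.strip()
    scheme, _, rest = payload.partition(":")
    scheme = scheme.lower()
    # A scheme only counts as one if it is alphabetic and directly followed
    # by content (so "12:30 meeting" or "Note: ..." stay plain text).
    has_scheme = bool(scheme) and scheme.isalpha() and bool(rest) and not rest[0].isspace()

    if has_scheme and scheme in ("http", "https"):
        parts = urlsplit(payload)
        host = (parts.hostname or "").lower()
        p = QrPreview(raw=raw, kind="url", display_host=host)
        if not host:
            p.warnings.append("no host in URL")
        if scheme == "http":
            p.warnings.append("plain HTTP: destination is unauthenticated")
        if "@" in parts.netloc:
            p.warnings.append("userinfo before '@' can disguise the real host")
        if host and _is_ip_literal(host):
            p.warnings.append("host is a bare IP address")
        if host in SHORTENER_HOSTS:
            p.warnings.append("shortened URL hides the final destination")
        if "xn--" in host:
            p.warnings.append("internationalised host name may imitate another domain")
        return p

    if has_scheme:  # e.g. WIFI:, mailto:, tel:, market:, intent:
        p = QrPreview(raw=raw, kind="app-action")
        p.warnings.append(f"'{scheme}:' payload triggers an app action, not a web page")
        return p

    return QrPreview(raw=raw, kind="text")


def format_prompt(p: QrPreview) -> str:
    """Text a scanner could show before asking the user to confirm."""
    lines = [f"Scanned {p.kind}: {p.raw}"]
    if p.display_host:
        lines.append(f"Destination host: {p.display_host}")
    lines.extend(f"  ! {w}" for w in p.warnings)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample payloads of the kinds a flyer might carry.
    for sample in ("https://www.cmu.edu/",
                   "http://bit.ly/abc123",
                   "https://login.example.com@evil.example/",
                   "WIFI:T:WPA;S:net;P:pw;;"):
        print(format_prompt(preview_qr_payload(sample)), end="\n\n")
```

The design point is that the decision stays with the user: the function produces the host that will actually be contacted (after stripping any `user@` prefix) plus a list of reasons to hesitate, and the scanner shows that before acting. This is the control whose absence the study exploits, since a flyer cannot make a code look trustworthy once the real destination is visible.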
© 2013 Springer-Verlag Berlin Heidelberg
Vidas, T., Owusu, E., Wang, S., Zeng, C., Cranor, L.F., Christin, N. (2013). QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks. In: Adams, A.A., Brenner, M., Smith, M. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7862. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41320-9_4
DOI: https://doi.org/10.1007/978-3-642-41320-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41319-3
Online ISBN: 978-3-642-41320-9