You’ve probably already heard about how scammers are using QR codes to “clickjack” smartphone users, but just in case you haven’t, let’s refresh. “Clickjacking”, otherwise known as a User Interface Redress Attack, is one of the malicious ways that criminals are trying to use access points (like QR code scanning) to gain access to a user’s device or data. It is primarily a browser security issue that either exploits vulnerabilities or tricks the user into clicking on something that will produce an unintended effect.
But let’s not get on the “QR codes are dangerous” bandwagon; keep in mind that clickjacking operations are carried out in many other ways too. For instance, if you’ve ever opened an official-looking email, only to be redirected to an unfamiliar site, then you were almost a victim of clickjacking (unless you actually clicked on something, which would be bad, to say the least). A quick tip: always check the sender’s email address whenever you’re in doubt about the authenticity of that “official-looking email”. Other examples of clickjacking include:
- Using Adobe Flash to trick users into enabling their webcam and/or microphone.
- Pushing users to make all of their personal data and information publicly accessible.
- Twitter “Phishing”
- “Likejacking” via Facebook.
- …and many others.
Needless to say, QR code-based clickjacking (in particular) is very nefarious and is something that authorities and security specialist firms are dealing with even as we speak. The ease with which a criminal can simply slap an official-looking QR code sticker somewhere, sometimes over the top of those pasted by legitimate business owners, is considerable. But that doesn’t mean that you should avoid QR codes at all costs. In fact, as one might expect, there are certain approaches or methods that people can use to protect themselves against these types of malicious attacks.
One of the most sensible and immediately accessible is preventative software. Yes, there are software developers who specialize in creating programs and apps which are able to offer clickjacking protection. Notable companies in this area include NoScript and Comitari. Additionally, some users have reported that they were able to thwart potential security breaches by simply keeping their OS, Flash and other components up-to-date.
So, to quickly recap: make sure that you have your OS and/or browser up-to-date, as well as any major programs and applications like Flash. Also, always double-check anything you scan or click on for authenticity whenever possible. This includes not only QR codes that you run across on the street, which might be pasted on the side of a telephone pole, but also those which look legitimate and official. Remember, if you see one code pasted on top of another one (as if someone simply placed a sticker on top of an ad, for instance), that is a red flag and most likely a clickjacking attempt. Do some research and determine which preventative programs are right for you, your OS, browser, and device as well.
QR code technology is actually a very convenient and wonderful way to instantly share virtually anything with anyone, and we must not let the more unethical and immoral among us hijack it. Until a major institution devises a way to shut down these criminals with a permanent solution, we’ll just have to learn to protect ourselves while attempting to educate others. Heck, if someone was intuitive enough and had the foresight to start a specific social media campaign designed to create a database of attacks, vulnerabilities and even, up to and including, a list of those who participate in this type of criminal activity (with evidence), we could (collectively) eliminate a very large percentage of clickjacking attempts (hint, hint).