A large number of end-user computers are mobile devices and the lion's share of those are smartphones. APTs are increasingly targeting the mobile market.
"Mobile malware increased more than 1,000-percent in 2012 alone," said Catalin Cosoi, Chief Security Researcher, BitDefender. BitDefender bases this data on analyses of mobile threats it collects via honeypots.
Criminal hackers use malicious QR codes for the same reasons they use any attack on mobile devices: the mobile market is outpacing PCs, creating a bigger target; and, these newer, mostly end-user devices (especially smartphones) are the least likely to carry any security software.
Dissecting malicious QR codes
A malicious QR (Quick Response) code contains a link to a website embedded with malware.
"It doesn't matter how the user scans or collects the QR code, eventually the device translates it to a link," said David Maman, Founder and CTO, GreenSQL, who also speaks at conferences on the dangers of malicious QR codes.
The web link then infects the user device with a Trojan.
Once a Trojan infiltrates a mobile device, it typically reports to the hacker's servers, which automatically transmit any number of other threats through that opening to leach data and wreak havoc.
Freely available tools automate QR code creation so criminal hackers do not have to roll their own.
"The Social Engineering Toolkit has a QR code generator. You can use it to create malicious QR codes," said Chronister. The intent of The Social Engineering Toolkit is that ethical hackers use it to test systems for security vulnerabilities with the enterprise's blessing. However, whether it is good or bad really depends on whose hands it is in.
Attack vectors / infection points
Criminal hackers could distribute malicious QR codes and/or malware through marketing firms that create legitimate codes, through malicious QR code tools, and when people access bogus QR codes unawares. Hackers can compromise systems belonging to marketing firms that create QR codes for their enterprise clients. They can then substitute the legitimate codes with malicious ones before the firm distributes them. This creates obvious liabilities for the enterprise that ordered the QR code.
There are also many free apps for creating QR codes already available.
In addition, if malicious QR codes infect smartphones and the enterprise permits these devices to connect to the company network, they can become bridges to the enterprise for malware via the phone's data connection.
Sign up for Computerworld eNewsletters.