Hot new attack vectors, chilling results
Attackers use malicious QR codes in phishing attacks. An attacker could create thousands of business cards purporting to be from Subway that say, 'Free footlong if you join our QR Club' printed next to the malicious code. When a victim scans the code and follows the link, the site could simply respond, 'Thank you for joining the club' while silently installing a Trojan.
"So many companies are using QR codes, how can a consumer tell whether the QR code is from a company they trust or is a forgery?" asked Chronister.
In another attack, APTs can exploit a cross-site scripting vulnerability on a legitimate website to insert a malicious QR code in place of a legitimate one.
"When a web browser pulls up the legitimate site, the QR code referencing the hacker's site is now part of the otherwise benign site and the browser will pull them up together," said Chronister.
Malicious QR codes can also enable a hacker to control cell phones to access messages and GPS, turn on the camera(s), and listen in on phone conversations.
"Even botnet software is showing up on phones, allowing APTs to enlist them into botnets for attacking other systems," says Chronister. The attacker can use the phone as part of an SMS botnet or an Internet botnet to attack countless targets.
What CSOs should do now
The best way to avoid malicious QR codes and protect the enterprise is simply to not use them.
"The codes are really not valuable enough to any company to afford the risk. If the enterprise must use them, ensure they are set up in a way that enables the enterprise to continually validate them as legitimate," said Chronister.
Instruct employees not to use QR codes on phones that also attach to the company network.
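For enterprises that do publish QR codes, the continual validation Chronister recommends can be automated by comparing each decoded payload against an inventory of registered destinations, which also catches a code swapped in on a legitimate page. This is an added example, not from the article; the inventory, the host allowlist and the example.com names are constructed assumptions, and the payload is assumed to have been decoded already by a scanner.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed inventory: code id -> destination the enterprise registered for it.
REGISTERED = {
    "lobby-poster": "https://www.example.com/visitors",
    "promo-card": "https://promo.example.com/club",
}
ALLOWED_HOSTS = {"www.example.com", "promo.example.com"}  # assumed enterprise hosts


def check_payload(code_id, decoded):
    """Return findings for one decoded QR payload; an empty list means it validates."""
    findings = []
    try:
        url = urlsplit(decoded.strip())
        host = (url.hostname or "").lower()
        port = url.port
    except ValueError:
        return ["payload is not a parseable URL"]
    if url.scheme.lower() != "https":
        findings.append("scheme is not https")
    if url.username is not None or url.password is not None:
        findings.append("userinfo in URL can disguise the real host")
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        findings.append("internationalized host, possible lookalike")
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal")
    except ValueError:
        pass  # not an IP address, which is what we expect
    if host not in ALLOWED_HOSTS:
        findings.append("host %r is not an enterprise host" % host)
    if port not in (None, 443):
        findings.append("non-default port")
    expected = REGISTERED.get(code_id)
    if expected is None:
        findings.append("code id is not in the inventory")
    elif decoded.strip() != expected:
        findings.append("payload differs from registered destination")
    return findings


if __name__ == "__main__":
    # Constructed sample: the promo card's code has been replaced.
    for cid, payload in [("lobby-poster", "https://www.example.com/visitors"),
                         ("promo-card", "https://promo.example.com@203.0.113.7/club")]:
        print(cid, check_payload(cid, payload) or "OK")
```

Run it on a schedule against codes decoded from the live website and from printed material, and treat any non-empty result as a reason to pull the code.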
"If the company uses BYOD, instruct employees of the risks of QR codes," Chronister advised.
Enterprises should already be segregating the wireless guest network from the rest of the infrastructure as well as segregating internal networks with core data from other internal networks. Unfortunately, this is often not the case.
"When we do pen testing, we find that though the enterprise has a guest network, smartphones are connected to the corporate network," said Chronister.
Make sure smartphones as well as mobile devices have anti-virus and other anti-malware software installed and updated.
"In the course of our pen testing, we'll see that the network policy says every system that connects to the corporate network is supposed to have anti-virus software installed. Then I will ask to see someone's iPhone. It doesn't have anti-virus software installed, but it's a system and it's on the corporate network," said Chronister.