Posted by Virus Bulletin on Jan 10, 2012
Curious users may scan URL and end up on pharma websites.
Researchers at Websense have discovered spam containing links to a site containing a QR code in which the spam's target URL is encoded.
A QR code is a two-dimensional variant of a barcode - which can thus contain more information than a barcode. QR codes have become a popular way to encode URLs: most smartphones have apps that are capable of scanning QR codes and will then automatically point the user's browser to the corresponding URL.
Because QR codes are opaque to the human eye, there is no way to guess whether the corresponding site is legitimate; for this reason, security researchers have already pointed out the potential for abuse by spammers and malware authors. (Indeed, in September last year, researchers at Kaspersky found some examples of websites containing QR codes linking to malware.)
The current spam wave does not use QR codes directly. Instead, it links to 2tag.nl - a site that combines a URL shortener and creates QR codes of the short URLs as well. When a hyphen is appended to the shortened URL, the user remains on 2tag.nl and sees the QR code.
It should be noted, however, that the target URL is visible on the same page. In the examples we have seen, it is clear that the sites contain pharamacy spam. However, it is possible that not everyone will notice this - and many a curious user may be tempted to scan the QR code visible on their screen.
2tag.nl appears to be a legitimate website, though its blog and its social media accounts have not been updated since last spring. Nevertheless, we have informed them about this abuse of their service.