Spammers link to site containing QR code

Posted by   Virus Bulletin on   Jan 10, 2012

Curious users may scan URL and end up on pharma websites.

Researchers at Websense have discovered spam containing links to a site containing a QR code in which the spam's target URL is encoded.

A QR code is a two-dimensional variant of a barcode - which can thus contain more information than a barcode. QR codes have become a popular way to encode URLs: most smartphones have apps that are capable of scanning QR codes and will then automatically point the user's browser to the corresponding URL.

Because QR codes are opaque to the human eye, there is no way to guess whether the corresponding site is legitimate; for this reason, security researchers have already pointed out the potential for abuse by spammers and malware authors. (Indeed, in September last year, researchers at Kaspersky found some examples of websites containing QR codes linking to malware.)

The current spam wave does not use QR codes directly. Instead, it links to 2tag.nl - a site that combines a URL shortener and creates QR codes of the short URLs as well. When a hyphen is appended to the shortened URL, the user remains on 2tag.nl and sees the QR code.

It should be noted, however, that the target URL is visible on the same page. In the examples we have seen, it is clear that the sites contain pharamacy spam. However, it is possible that not everyone will notice this - and many a curious user may be tempted to scan the QR code visible on their screen.

2tag.nl appears to be a legitimate website, though its blog and its social media accounts have not been updated since last spring. Nevertheless, we have informed them about this abuse of their service.

More at Websense here.

Posted on 10 January 2012 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

VB2021 localhost call for papers: a great opportunity

VB2021 localhost presents an exciting opportunity to share your research with an even wider cross section of the IT security community around the world than usual, without having to take time out of your work schedule (or budget) to travel.

New article: Excel Formula/Macro in .xlsb?

In a follow-up to an article published last week, Kurt Natvig takes us through the analysis of a new malicious sample using the .xlsb file format.

New article: Decompiling Excel Formula (XF) 4.0 malware

In a new article, researcher Kurt Natvig takes a close look at XF 4.0 malware.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.