With the huge popularity of smartphones, two-dimensional barcodes called QR codes are beloved by marketers and are being targeted by hackers and spammers. A user simply scans the QR code with a mobile device and is then directed to a website. The QR codes may be linked to coupons or special offers, but “if people see a random QR code that’s not connected to anything, just a sticker on the wall, they’re going to scan it because they want to know what the heck it is.” Damon Petraglia, Chartstone director of forensic and information security services, told Dark Reading, “The biggest risk is that people cannot deny their own curiosity.” As is becoming increasingly common, “attackers depend on that curiosity and the innate obfuscation of QR codes to craft their attacks.”
Curiosity is exactly what “pro-American hacker” The Jester was banking on when he changed his Twitter avatar into a QR code attack. There’s been plenty of ire and support in the past for what @th3j35t3r tweeted. The “hacktivist for good” is best known for DDoS attacks to disrupt pro-Jihadist sites as well as his contempt for Anonymous. The Jester blogged, “Anyone who scanned the QR code using their mobile device was taken to a jolly little greeting via their device’s default browser hosted on some free webspace. The greeting featured my original profile pic and the word ‘BOO!’ directly below it.”
He claims to have exploited the open-source software Webkit which is built into web browsers for mobile phones. This is precisely the same vulnerability exploited in Mobile Rat, turning Android into the “ultimate spy tool” as was demonstrated at the RSA conference. The Jester called the hack “a highly targeted and precise attack, against known bad guys.” The Register reported, “‘Enemies’ of the hacker listed as targets included @AnonymousIRC, @wikileaks, @anonyops, @barretbrownlol (the Twitter address of sometime Anonymous spokesman Barrett Brown) and @RepDanGordon (Rhode Island State Representative Dan Gordon) and others. Gordon made it onto The Jester’s hit list for his comments on Twitter referencing Anonymous in what The Jester saw as a sign of approval for the hacktivist group.”
“Creepy? Only if you are naughty,” The Jester blogged. The “‘curiosity pwned the cat’ sting went on for 5 days un-noticed,” during which the QR code was scanned over 1,200 times and “over 500 devices reverse shelled back to the listening server.” The hacker added this was a “Proof of Concept QR-Code based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR CC nums, and engage in terror plots around the world.” The Jester posted an encrypted 143-megabyte file with all the extracted data to the file-sharing site MediaFire.
“As far as LEA’s [law enforcement authorities] taking an interest in me, we will have to wait and see,” he told SecurityNewsDaily. After being “reminded that Twitter was receiving subpoenas for information on users, The Jester replied, ‘There is no identifying information held in my profile, and I never connect even close to directly. It’s a rule of mine’.”
It’s a hoax, a mind game, all “bluff and bluster,” Heise Security reported. “The technical details of the hack given are, however, not credible. The security vulnerability he claims to have exploited, CVE-2010-1807, has been in the public domain since autumn 2010 and was fixed in most browsers shortly thereafter. That does not sit well with his claimed success rate of 40 per cent of visitors. Similarly, he claims that a single exploit was able to bypass the security mechanisms present in multiple versions of iOS and Android. A more likely explanation is that The Jester is playing mind games with his enemies.”
But it’s not impossible as mobile malware via tainted QR codes have been spotted in the wild. AVG Technologies chief technology officer, Yuval Ben-Itzhak said, “Putting a malicious QR code sticker onto existing marketing material or replacing a website’s bona fide QR code with a malicious one could be enough to trick many unsuspecting people.”
Tomer Teller, security evangelist at Check Point Software Technologies, said it’s basically a “drive-by-download attack, where a user scans a bar code and is redirected to an unknown website. This website hosts modified exploits of the original jailbreak. Once visited, the user phone will be jailbroken and additional malware could be deployed [such as keyloggers and GPS trackers].” Teller told Dark Reading the attacks work against iOS and Android, but the Android “is more susceptible to QR code attacks.”