QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks

  • Conference paper
Financial Cryptography and Data Security (FC 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7862)

Abstract

The matrix barcodes known as Quick Response (QR) codes are rapidly becoming pervasive in urban environments around the world. QR codes represent data, such as a web address, in a compact form that consumer mobile devices can readily scan and parse. They are popular with marketers because they are easy to deploy and use. However, this technology encourages mobile users to scan unauthenticated data from posters, billboards, stickers, and more, providing a new attack vector for miscreants. By positioning QR codes under false pretenses, attackers can entice users to scan the codes and subsequently visit malicious websites, install programs, or take any other action the mobile device supports. We investigated the viability of QR-code-initiated phishing attacks, or QRishing, by conducting two experiments. In one experiment we visually monitored user interactions with QR codes, primarily to observe the proportion of users who scan a QR code but elect not to visit the associated website. In a second experiment, we distributed posters containing QR codes across 139 different locations to observe the broader application of QR codes for phishing. Over our four-week study, our disingenuous flyers were scanned by 225 individuals who subsequently visited the associated websites. Our survey results suggest that curiosity is the largest motivating factor for scanning QR codes. In our small surveillance experiment, we observed that 85% of those who scanned a QR code subsequently visited the associated URL.
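The attack the abstract describes works because a scanner app hands an unauthenticated payload straight to the browser or to another handler. The defensive counterpart is to triage the decoded payload and show the user what it actually is before acting on it. The following is an added example, not code from the paper or from any scanner app; the function name, the risk rules, the shortener list and the sample payloads are all assumptions constructed for illustration.

```python
"""Triage of a decoded QR payload before a scanner app acts on it.

Added example; not code from the QRishing paper or any scanner app.
The shortener list, the risk rules and all names here are assumptions.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumed: schemes that trigger an action other than loading a web page
# (dial, message, install, run script). A scanner should prompt, not dispatch.
ACTION_SCHEMES = {"intent", "market", "tel", "sms", "smsto", "mailto",
                  "itms-services", "javascript", "file", "content"}
# Assumed, illustrative: hosts that hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "is.gd"}


def _is_ip_literal(host: str) -> bool:
    """True if the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> dict:
    """Return {'kind', 'scheme', 'host', 'flags', 'verdict'} for one payload.

    kind: 'web' (http/https), 'action' (ACTION_SCHEMES), 'text' (no scheme)
          or 'other' (some other scheme, e.g. a WIFI: configuration payload).
    verdict: 'ok' (show destination, let the user decide), 'warn' (show it
             with the listed reasons) or 'prompt' (never auto-dispatch).
    """
    raw = payload.strip()
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    flags = []

    if scheme in ("http", "https"):
        kind = "web"
    elif scheme in ACTION_SCHEMES:
        kind = "action"
        flags.append("action-scheme:" + scheme)
    elif scheme == "":
        kind = "text"
    else:
        kind = "other"
        flags.append("unknown-scheme:" + scheme)

    host = (parts.hostname or "") if kind == "web" else ""
    if kind == "web":
        if scheme == "http":
            flags.append("no-tls")
        if not host:
            flags.append("empty-host")
        # "https://bank.example@evil.example/" shows bank.example first on a
        # narrow screen but connects to evil.example.
        if parts.username is not None or "@" in parts.netloc:
            flags.append("userinfo-in-authority")
        if host and _is_ip_literal(host):
            flags.append("ip-literal-host")
        # Punycode or raw non-ASCII labels: possible homograph of a known brand.
        if host and (not host.isascii()
                     or any(l.startswith("xn--") for l in host.split("."))):
            flags.append("idn-host")
        if host in SHORTENERS:
            flags.append("url-shortener")
        try:
            port = parts.port
        except ValueError:
            port = None
            flags.append("bad-port")
        if port not in (None, 80, 443):
            flags.append("nonstandard-port:%d" % port)
        if len(raw) > 200:
            flags.append("long-url")

    if kind == "action":
        verdict = "prompt"
    elif flags:
        verdict = "warn"
    else:
        verdict = "ok"
    return {"kind": kind, "scheme": scheme, "host": host,
            "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would decode them from posters.
    for p in ("https://www.example.com/promo",
              "http://bit.ly/x1",
              "https://bank.example@203.0.113.7/login",
              "intent://scan/#Intent;scheme=zxing;package=com.example;end",
              "WIFI:T:WPA;S:cafe;P:secret;;"):
        print(triage_qr_payload(p))
```

The point of the verdict is that the scanner never decides for the user: a plain https URL to a named host is shown as-is, a shortened or http-only URL is shown with the reasons to hesitate, and anything that would dial, message, install or execute requires an explicit confirmation rather than being dispatched on scan.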

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vidas, T., Owusu, E., Wang, S., Zeng, C., Cranor, L.F., Christin, N. (2013). QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks. In: Adams, A.A., Brenner, M., Smith, M. (eds) Financial Cryptography and Data Security. FC 2013. Lecture Notes in Computer Science, vol 7862. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41320-9_4

  • DOI: https://doi.org/10.1007/978-3-642-41320-9_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41319-3

  • Online ISBN: 978-3-642-41320-9

  • eBook Packages: Computer Science (R0)