So far, the attack hasn’t been confirmed; however, it serves as a scary reminder for folks to pick the QR codes they scan with their phone wisely.
The Jester’s Mobile Attack
According to an entry posted on The Jester’s blog on March 9th, the mobile attack was carried out using a QR code – which he set as his Twitter profile picture @th3j35t3r – and a drive-by-download targeting both Android and iOS smartphones.
Whenever someone scanned the QR code, they were taken to a page with The Jester’s original Twitter profile picture with the word ‘BOO!’ beneath it. Of course, the real scary part was what was silently happening in the background – which in this case, was a known vulnerability in Safari, Chrome and the stock Android browser being exploited, allowing the phone to communicate with a remote server running Netcat.
A script would execute and retrieve the Twitter username linked to any major Twitter apps detected on the phone. If the username matched one belonging to someone on The Jester’s “hit list,” then a data pilfering script would collect all text messages, phonebooks, call history and emails stored on the phone.
The attack allegedly went on for 5 days and The Jester stated on his blog that over 1,200 people scanned the QR code and 500 of those “reverse shelled back to the listening server,” including a “significant number” of those present on the hit list. Targets of The Jester include Islamic Extremists, Al Qaeda Supporters and those affiliated with the Anonymous movement.
The Jester states that NO data was taken from smartphones that accessed the page but did NOT have a targeted Twitter handle attached to them.
On Monday, The Jester posted a signed PGP encrypted file (143MB) on Mediafire.
Dangers of QR Codes
While the moral stance of this attack is still up for debate, it serves as a creepy reminder that users need to think before letting the curiosity of a QR code get the best of them and their phones.
The Jester’s attack may have been extremely resourceful – using Twitter handles to single out his targets – but it definitely wasn’t the first mobile attack to start off with a QR code scan and there’s a good chance it won’t be the last.
Beyond the previously suggested tips on how to protect your smartphone from malicious QR codes, users need to consider where the QR code is coming from before following it. Otherwise, you could end up at a pharmaceutical site, have malware planted on your device, or in this case, have a bunch of sensitive data lifted from your smartphone.