January 9, 2012

Spam Emails Link To QR Codes

Elad Sharf Security Researcher

It was just a matter of time, and now it's happening. The Websense® ThreatSeeker® Network has started spotting spam messages that lead to URLs that use embedded QR codes. This is a clear movement and evolution of traditional spammers towards targeting mobile technology. 

The spam email messages look like traditional pharmaceutical spam emails (image 1) and contain a link to the Web site2tag.nl. This is a legitimate Web service that allows users to create QR codes for URLs. Once the 2tag.nl URL from the mail message is loaded in the browser, a QR code is displayed, along with the full URL that the QR code resolves to on the right (image 2). When the QR code is read by a QR reader, it automatically loads the spam URL(or asks before loading, depending on which flavor of QR reader you have installed) (images 3 and 4). 

Websense customers have been protected against this attack with ACE, our Advanced Classification Engine. 

Image 1 - An example spam email message:


Image 2 - When the URL is loaded in the browser, a QR code appears:


Image 3 -  Scanning the QR code with a QR reader loads the pharmaceutical spam URL in the browser: 


Image 4 - The loaded URL offers pharmaceutical drugs:

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.