QR Codes! The Modern USB Drop

13th July 2018

This is the beginning of an investigation I will be conducting into the susceptibility of the general public to scanning a QR code in a public space. This is because times are changing, from USB drops in the car park to slapping a QR code sticker onto a lamp post near a target and having a victim compromise the network or system.

We all know the social engineering vector of the past: dropping a USB stick with an injector in a car park to gain access to a target network. Whether you're a black hat or a pen tester, this is a tried and tested route of penetrating a system or network. In the current world, we can preload these injectors into websites so if a user device such as a phone or other types of mobile devices with a camera.

The way I will be conducting this investigation is by putting QR codes around my local area and expanding nationally around the UK. These codes link to a hidden part of my website that tracks unique hits. I will be using Google Analytics to track the hits to the site. I will then compare these hits to track where people are most likely to scan a code and at what times.

For those of you that have found one of my QR codes, thank you for taking part, and be more careful. You have inadvertently taken part in a social engineering investigation. Had you scanned a malicious QR, your devices may have been compromised. However, this is an investigation into how susceptible the public is to this attack vector.

Results will be published, but user information will be completely protected. The only information published will include area scanned, time scanned and device type (Android or iOS).

Note: All of the information from users will be protected.
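As an added illustration (not the author's code or tooling), this is one way raw scan hits could be reduced to only the fields named above (area, hour of scan and device type), counting each visitor once per area. It assumes hits are available as simple records rather than through Google Analytics; the area labels, sample hits and function names are constructed for the example.

```python
import hashlib
import os
from collections import Counter
from datetime import datetime

# Constructed sample hits: (timestamp, visitor IP, area label, User-Agent).
# One area label per placed code is an assumption, not something the post states.
SAMPLE_HITS = [
    ("2018-07-13T08:05:00", "203.0.113.7", "high-street", "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) Mobile"),
    ("2018-07-13T08:06:30", "203.0.113.7", "high-street", "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) Mobile"),  # repeat scan
    ("2018-07-13T08:40:00", "198.51.100.9", "high-street", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X)"),
    ("2018-07-13T17:15:00", "198.51.100.23", "station", "Mozilla/5.0 (iPad; CPU OS 11_4 like Mac OS X)"),
    ("2018-07-13T17:20:00", "192.0.2.44", "station", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

def device_type(user_agent):
    """Collapse a User-Agent string to the coarse category that gets published."""
    ua = user_agent.lower()
    if "android" in ua:
        return "Android"
    if any(token in ua for token in ("iphone", "ipad", "ipod")):
        return "iOS"
    return "other"

def summarise(hits, salt):
    """Return {(area, hour, device): unique_hits} with no per-user identifiers."""
    seen = set()
    counts = Counter()
    for ts, ip, area, ua in hits:
        # Salted hash exists only in memory for de-duplication; it is never returned.
        visitor = hashlib.sha256(salt + ip.encode() + ua.encode()).hexdigest()
        if (visitor, area) in seen:
            continue  # same visitor re-scanning in the same area is not a new unique hit
        seen.add((visitor, area))
        hour = datetime.fromisoformat(ts).hour
        counts[(area, hour, device_type(ua))] += 1
    return dict(counts)

if __name__ == "__main__":
    # A fresh random salt per run means the hashes cannot be linked across runs.
    for (area, hour, device), n in sorted(summarise(SAMPLE_HITS, os.urandom(16)).items()):
        print(f"{area:12} {hour:02d}:00 {device:8} {n}")
```
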

If anyone has any questions, contact me via email: [email protected] or via my Twitter: @Rag_Sec


Thanks, RagSec


