Caution has been urged by Security Experts over the increasing use of QR Codes on smartphones, claiming that they could become a likely target for hackers and malicious users actively seeking to steal your personal data.

The strange black squares that have been cropping up in increasing numbers in magazines and newspapers; on posters, tickets and websites are likely to become even more commonplace in 2012 with many companies utilising them in increasing numbers.

However, presuming they are harmless could be playing into the hands of cyber criminals.

According to a recent study around 50% of the 1,200 consumers surveyed interacted with a QR code when they saw one, with 21% then going on to share personal information.

Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.

A QR matrix barcode can store alphanumeric characters in the form of text or URLs – all you need to “visualise” such a code is a smartphone with a camera and a QR reader application to scan it.
The code would typically direct you to a website, however, it can also promote online videos, send text messages and e-mails, or install and launch apps.

Fast, easy and very popular, QR codes are clearly a convenient way to stay informed anytime, anywhere. But the downside is that you often don’t know the content of a QR code until you scan it.

For this very reason you should take the same degree of care when scanning a QR code as you would when downloading an unknown file on the internet.

Cyber-attackers might use these codes to redirect you to malicious websites that ask you to download applications that may be infected with malware.
These, in turn, could:
Make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals.

Attempt to steal your Google or Facebook password – many apps are integrated with various social networks.

As a result, some users may enter their information without suspecting that it is being sent to an illegitimate source.

Track your location.

Install keylogging software.

Send an SMS to a premium number, racking up your phone bill.

“Jailbreak” a device and distribute additional malware.

Redirect users to malicious applications.

So if you care about your mobile security, you’d be wise to stay away from malicious QR codes!

One notable attack via QR code took place in Russia in 2011, and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” started to send a series of expensive text messages (which cost £4 each), racking up unwanted charges.

This is just one of the ways malicious users can take advantage of these codes in order to gain control over a smartphone, so it goes without saying that users should take particular care of what they’re scanning and be aware of what they’re expecting to find.

So how can you spot and avoid malicious QR codes:

1. Educate children on the nature of QR codes – with many youngsters now sporting smartphones it could be all too tempting for them to scan these codes simply out of curiosity, which could leave them at risk of attacks similar to those described above. Better yet, installing a mobile security suite can help protect them against hidden threats, offering you significant peace of mind.

2. Use a mobile QR code-/barcode-scanning app that previews URLs. Avoid scanning suspicious codes and links that don’t seem to match the ads they’re incorporated in; also avoid shortened links.

3. Don’t scan QR codes in the form of stickers placed randomly on walls or billboards. QR codes can be generated by anybody and placed in public places with the intention of peaking an individual’s curiosity, and unless the message gets out there that these may not all be from legitimate sources, scammers will look to take advantage of this relatively new technology to further their own ends.

4. Be extra careful if your smartphone works on the Android mobile operating system. Android is an open platform, which means that its source code can be examined by criminals and exploited more easily when they find a weakness in, for example, the Android browser. That’s why most malicious apps transmitted via QR codes target the Android-based smartphones. So, make sure your Android browser is always up-to-date and only scan QR codes from trusted sources.

5. Be particularly wary of QR codes that are linked to monetary and transaction services – these direct links to money are typically prioritised by malicious third parties when choosing how and where to attack.

6. Consider installing a mobile security app.

So be careful out there folks; the world of technology is rapidly evolving, mostly for the better, but we must remain fully aware of possible misuses and abuses & apply our common sense whenever possible…

Norman Feiner, Managing Director – SimplyFone Ltd

(Idea for Blog, Source: Comms Business)

About SimplyFone Ltd

Simply-Fone was established to provide competitive telephone services to UK Businesses & Residential Clients…

For over 20 years we have been providing low-cost, innovative, cost-effective telephony solutions to residential and business customers in the UK and beyond.

Today, Simply-Fone is one of the fastest growing telecom companies in the UK and a recognised brand name with a loyal customer base and a wide range of reliable and competitive products on offer.

Our mission is to provide home and business users superb value but without compromising on quality.

We offer amongst the lowest phone rates and line rentals in the UK

Simply-Fone currently provide telecoms solutions to 1000′s of home & office users and are a UK leader in the provision of low-cost international call services from mobiles and landlines with 100,000′s of regular users.

Like many of you, I’m self employed and always looking for opportunities to promote my business.

I haven’t really embraced Facebook as a promotional avenue (although Scam Detectives has it’s own page) but many of you do.

So, I thought you’d be interested in a little experiment I carried out this week, to see just how secure pages created by Facebook’s “Places” feature are.

If you’re not familiar with it, Facebook Places allows you to “tag” yourself and your friends when you visit business premises, such as your favourite coffee shop, cinema, restaurant or shop.

Once you’ve “checked in” to a place, the feature creates a “Places” page for your business automatically. Here’s one for Starbucks in Wrexham

See the line highlighted in yellow? It says “Is this your business?”

If it is your business, you have an opportunity to claim the place, merge it with your official business Facebook page and make sure that anyone who checks in or visits that place is directed to your official fan page.  Sounds like a good idea, doesn’t it?

Clicking on the link will take you through “verification” where you have to prove you are an official representative of the business, so Facebook can be sure that you are authorised to take control of the page.

So how secure is it?

Some of you will know that outside of my activities on Scam Detectives I have two arms to my business. The first is a web design business at www.clearascrystal.we.bs and the second is an e-safety training firm at www.clearascrystal.co.uk

Because the two divisions are so different in their aims, objectives and target market, there’s nothing to connect the two, and they have very separate marketing strategies.

So, I checked into Clear as Crystal Web Design and, as expected, my Facebook Places page was created.  I claimed the page using the same Facebook account that I use to administrate Clear as Crystal Web Design’s Facebook page, and because of the existing link, I didn’t have to verify my credentials. Fair enough.

Then I logged in using an (obviously fake) alternative Facebook account.  I visited the Facebook Places page and clicked “Is this your business?”

I completed the verification details, as below

BUT, instead of using my “charles@clearascrystal.we.bs” email address, I used “charles@clearascrystal.co.uk” to confirm that I represent the business.

See the subtle difference?

3 Days Later….

Hi SD,

Thanks for your interest in Facebook Places! We’ve approved your claim. Now you can manage your place on Facebook and publish News Feed updates to people who like it. We hope you enjoy this additional opportunity to promote and grow your business on Facebook.

1. Get Started
You can manage your place from your personal Facebook account. Get started here: http://www.facebook.com/pages/manage/

2. Merge Your Place with a Page
Do you admin a page that’s similar to this place? If so, you may be able to merge the two. Go to your page and click the ‘Edit Page’ button in the top right corner. Then click Resources in the left column menu. If the option is available, you’ll see a ‘Merge duplicate pages’ link that will allow you to complete the merge.

3. Learn More
Read common questions and answers in out Help Center: http://www.facebook.com/help/?page=1159

Thanks,

Chuck
User Operations
Facebook

 

SO, if your competitor registers a similar enough domain to yours, using an alternative extension such as .com, .org, .tv, .net, .info or any one of a hundred different top level domains, Facebook could think it’s “close enough” to allow them to take control of your business Places page.

Search Facebook for your business name. Now. Then claim your Places page before somebody else does.

“Parents need help now to understand the technologies their kids take for granted, and to learn how to keep their kids safe on the Internet, before it’s too late”

That was the stark message from Internet safety consultant Charles Conway*, speaking to representatives of the Welsh Assembly, voluntary organisations and churches from across Wales at the Flintshire Gweini Conference** in Mold on Friday (21st October).

Quoting the latest OFCOM media literacy survey, he said that whilst up to 70% of parents say that they know less about the Internet than their children, only 37% have taken the most basic steps to protect their kids from Internet related threats such as cyberbullying, inappropriate content and grooming.

According to Conway, a consultant with Wrexham based e-safety training firm Clear as Crystal Training and the editor of popular scam awareness website Scam Detectives, the key to keeping kids safe online is for their parents to understand how they use Internet connected technologies, and to become more aware of what risks they face when they do get online.

Following pressure from Internet Safety Consultant Charles Conway, a “dangerous” loophole in popular social game Pet Society has been closed.

Addressing a group of foster carers and social workers in North Wales last month, Internet Safety trainer Charles Conway from Clear as Crystal Training highlighted a potentially dangerous loophole in the popular Facebook game Pet Society which meant that players of all ages were rewarded for adding complete strangers to their Facebook friends list, putting them at risk of grooming and other forms of inappropriate contact.

To demonstrate the risk, Charles took his pet “BunnyPig” to a social area of the game, the “Pet Society Cafe”, where other pets were sitting round drinking coffee and socialising. A large poster on the wall encouraged him to “CLICK ON A PET TO VISIT THEIR HOUSE” and Charles selected one at random, a purple cat in a fetching stetson and cowboy boots.

“By visiting this pet, I’m earning coins to spend in the game” he explained. “I can also earn extra points by leaving the pet a small gift, such as a frisbee, football or other toy, enclosing a note at the same time. Again, this seems like harmless fun as long as the pet I’m visiting belongs to one of my “real life” friends, but in this instance, it doesn’t. This pet belongs to a complete stranger, and by clicking on an icon on the screen I can visit that person’s Facebook profile, see their profile picture and “add” them as a friend, bringing their pet into my pet’s ‘village’ so I can visit them again and earn more coins. Unfortunately, by adding this person as a friend, we don’t only become connected in “Pet Society”, but on Facebook as a whole, so this person can then send me private messages, see when I’m online for chat sessions and view everything on my profile including photographs of me, my family and my friends. Bearing in mind how attractive this games are to kids, the risk of inappropriate contact becomes very obvious. It also starts to explain how parents can find that instead of the 50 or 60 close friends that they know in ‘real life’, their child has a Facebook friend list that numbers in the hundreds or even thousands”

On October 3rd, social gaming website Games.com reported on Charles’ concerns about this feature in this article

Playfish have yet to comment publically, yet sometime between the publication of this article and yesterday, they quietly removed the “Go to Profile” link from the game.

Charles is understandably pleased at this latest development.

“This is fantastic news, and makes the game safer for every one of it’s 6.5 million monthly users” he said today. “It shows that Playfish have listened and reacted positively to what was a potentially dangerous situation. I applaud them for stepping up and taking the safety of their users seriously.”

Playfish isn’t quite off Charles’ radar yet though. This week he’s brought another of their games into the spotlight, accusing the company of rewarding players for having “cybersex” with virtual cash in the hugely popular Sims Social game.

Internet safety consultant Charles Conway accuses popular Facebook game “The Sims Social” of rewarding kids for engaging in underage “cybersex”.

“Create unique Sims and live out their dreams—or stir up trouble by pulling pranks. Develop deep relationships to unlock new features and advance: befriend and fight, date and cheat, love and betray. Play with life in a whole new way—with your real friends, for free!”

That’s the hype on the latest version of Electronic Arts’ popular “Sims” franchise, bringing the game to Facebook in the form of “The Sims Social”.

On the face of it, the game looks like fun. Players can create an online alter-ego, build a house, buy furniture, take care of their personal hygiene needs and socialise with other players. By building your character’s social life, you earn points which help you to unlock new features, buy more stuff for your character and advance in the game environment.

Charles Conway, a consultant at Internet safety training firm Clear as Crystal Training and the editor of online security website Scam Detectives says that the personal relationships that can develop between players should give parents cause for concern.

“When playing “Sims Social” players can interact with other users in a lot of different ways, but they are rewarded for entering into romantic relationships with other players. These romantic relationships can develop quickly into sexual relationships, with options to have sex in different locations, including the bedroom and the shower. Sex between players is rewarded with “social points” which are then used to advance within the game environment” he said yesterday

Charles has some tough questions for the game’s developers, who he says should restrict access to more adult features of the game to “adults only”.

Even if Facebook did verify the age of it’s users (which it doesn’t), at what age does it become acceptable for a child to engage in “virtual sex” for rewards? Does it ever become acceptable? Isn’t sex for rewards the very definition of prostitution?

How is playing this game different to children having “cybersex” in a chatroom?

Doesn’t encouraging and rewarding sexualised behaviour between “avatars” encourage underage “offline” relationships of an inappropriate nature?

Is there a risk of bullying when two players enter into a same sex relationship?

Shouldn’t sexual activity within the game environment be restricted to those who are at or above the legal age of consent for “real life” sex?

“I’m also very concerned about the opportunities this game opens up for online grooming” said Charles.

“When 40% of kids admit that they have Facebook “friends” that they don’t know in “real life”, there’s a real risk of a predator using a game like this to build a relationship with a child that could lead to real world abuse. Paedophiles rely on their ability to break down a child’s inhibitions and get them to talk about sex, which is why we as parents teach our kids that talking about sex in the online space is not acceptable. So why does a game like this actually enable children to explore sexual relationships without warning of the dangers?”

In conclusion Charles says that, whilst parental control and supervision is vitally important to online safety, online content developers have to play their part too.

“By restricting access to this game to over 18′s, or at the very least creating a “child friendly” version of the game that does not allow sexual relationships, Playfish and Electronic Arts could demonstrate a commitment to keeping teens safe online. By not doing so, they’re potentially putting kids at risk of grooming, cyberbullying and confusion about where “real world” boundaries lie”.

Editors Note: We’re waiting for a response from Electronic Arts and we’ll update this article when we receive it

Another very clever social engineering scam attempting to trick you into downloading a virus to your computer.

You’ll see that the email uses my full name, but the URL is spoofed. The actual url linked to is “yesasia-payment-service.com/[removed]” which attempts to download a zip file apparently containing your invoice.

It’s a clever one, and I’m afraid that lots of people will be taken in by it.

If you receive any order confirmation for an order you haven’t placed, DO NOT click on the link, but check with your credit card provider to make sure you haven’t been a victim of online fraud. Chances are you haven’t, but it’s better to be safe than sorry.

Just a quick note to let you know about an email we received at Scam Detectives HQ this morning.

“Verified by Visa” works by requesting a password every time you use your Visa credit or debit card to make a payment online.

This phishing email tries to trick users into giving up both their card details and their “verified” password so they can bypass the system.

VISA would NEVER contact you in this way to ask you to change your password.

Delete the email immediately.

“Stranger Danger” is one of the first lessons children are taught. At home and at school, the message that if they are approached by anybody they don’t know offering sweets, a lift home or the opportunity to go back to their house to meet cute little puppies or kittens, our kids should run to the nearest available safe adult and ‘tell’ is drummed into them from almost the moment they learn to speak.

Now that almost every household in the UK has access to an “always on” Internet connection, we repeat this message to our children, substituting playgrounds and school gates for chatrooms and discussion forums. Strangers are bad, and our children shouldn’t talk to them. Parents take care to ensure that their home computers are in a public area of the house, so they can see what their kids are doing when they’re online and help them to safely experience the world of knowledge and opportunity that the world wide web has opened up for them.

When you look over your child’s shoulder and see them interacting with an online “virtual pet”, farming crops to sell in virtual markets or creating their own city with shopping malls, office blocks and restaurants on Facebook it all looks innocent, cute and harmless and after all, they’re playing video games, where’s the risk?

But is it harmless?

Speaking to a group of foster carers and social workers in North Wales on Thursday, online safety expert Charles Conway used the popular game “Pet Society” as an example of how children are being encouraged to interact with complete strangers in exchange for “virtual cash” and other rewards.

“When you start playing the game, you adopt a cute little animal character, choose a name for it and find a house for it to live in” explained Charles. “Then, in order to progress in the game, you have to earn “virtual coins” to buy clothes, furniture, toys for your character to play with, soap, washing powder, food and other accessories. One of the ways to earn this “virtual cash” is to visit other pets in their homes, and every time one of your Facebook friends joins the game, their pet “moves in” next door to yours, so your pets can visit each other, exchange gifts and messages and interact even while their “owners” are not logged into the site. Each time your pet visits one of it’s neighbours, plays a game with them or leaves them a gift, you earn more coins to spend in the “virtual shops”.

One carer asked “But how does that put any kids at risk? They’re only playing the game with people they already know, aren’t they?”

To demonstrate the risk, Charles took his pet “BunnyPig” to a social area of the game, the “Pet Society Cafe”, where other pets were sitting round drinking coffee and socialising. A large poster on the wall encouraged him to “CLICK ON A PET TO VISIT THEIR HOUSE” and Charles selected one at random, a purple cat in a fetching stetson and cowboy boots.

“By visiting this pet, I’m earning coins to spend in the game” he explained. “I can also earn extra points by leaving the pet a small gift, such as a frisbee, football or other toy, enclosing a note at the same time. Again, this seems like harmless fun as long as the pet I’m visiting belongs to one of my “real life” friends, but in this instance, it doesn’t. This pet belongs to a complete stranger, and by clicking on an icon on the screen I can visit that person’s Facebook profile, see their profile picture and “add” them as a friend, bringing their pet into my pet’s ‘village’ so I can visit them again and earn more coins. Unfortunately, by adding this person as a friend, we don’t only become connected in “Pet Society”, but on Facebook as a whole, so this person can then send me private messages, see when I’m online for chat sessions and view everything on my profile including photographs of me, my family and my friends. Bearing in mind how attractive this games are to kids, the risk of inappropriate contact becomes very obvious. It also starts to explain how parents can find that instead of the 50 or 60 close friends that they know in ‘real life’, their child has a Facebook friend list that numbers in the hundreds or even thousands”

“We’re busy telling our kids you MUST NOT talk to strangers online and you MUST only connect with people you know in real life” he went on. “Despite this, by allowing games such as Pet Society, FarmVille, CityVille and Mafia Wars to gather massive numbers of players on their website, Facebook is creating a false sense of security. Whilst parents see their children playing in what looks like a child friendly environment, these children are actually being rewarded for adding strangers as ‘friends’, allowing them access to their own friend list, their personally identifiable information (such as their home town and where they go to school) and everything that they share online. Paedophiles deliberately target online spaces which are popular with kids and this type of game is an ideal opportunity for them to find targets for grooming. When you consider that 25% of 8-12 year olds admit to using Facebook in contravention of the ‘over 13’ age-limit, the risk becomes even more evident.”

In conclusion, Charles said “Facebook founder Mark Zuckerberg once said ‘If Facebook were a country, it would be the 6th largest country in the world’. Based on current figures, it would now be the 3rd largest country, with a population of over 500 million people. The Government of such a country would have a responsibility to keep it’s citizens safe from the worst elements of society, and it’s time Facebook took that responsibility on board and realised the dangers inherent in exposing our children to the risk of becoming socially ‘connected’ to murderers, rapists and paedophiles, instead of rewarding them for doing so.”

PLEASE be aware of a telephone scam that has re-emerged over recent days.

I’ve just had a call purporting to be from my bank informing me of a “recent High Court judgement” forcing banks to repay charges and asking for my debit card details so they can credit my account. There has been no such judgement and the scammers are simply after your debit card details so they can drain your account.

Funnily enough, when I informed the caller that he was speaking to the editor of this site and asked for a comment for our readers, he hung up!

NEVER give your card details to anyone who calls you claiming to represent your bank or anyone else. If you think there may be a genuine reason for them asking, call the customer service number printed on your statement. Be careful out there….

I was contacted recently by James, who asked me to tell his Grandma’s story to help others avoid being taken in by a cruel scam targeting grandparents all over the World.

James’ Grandma is 75 years old and lives alone. Generous and kind-hearted, she dotes her grandchildren and would do anything for them.

That’s why when she received a phone call purporting to be from James, she was only too glad to help. The conversation went something like this:

“Hi, Grandma? I’m in a bit of trouble…”

“Is that you James? What’s happened?”

“Yeah, it’s James. I’m on holiday in Spain with my mates and, well, things got a bit rowdy last night. I’ve been arrested and need some money to get out of jail. I can’t ring Dad, he’ll kill me!”

To cut a long story short, “James” went on to explain that he needed £1200 so his lawyer could get him out of jail while the British Consulate sorted everything out.

Grandma sent the money by wire transfer just as soon as she could get to the bank and called James’ lawyer to confirm the transaction number.

She only realised that she’d been the latest victim of the “Grandparent Scam” when James popped round for a coffee only two hours after she got back from the bank. By that time, it was too late. The wire transfer had been collected and her money was gone. The police have been informed, but there’s little chance that the fraudster will ever be found. According to the wire transfer service, although Grandma sent the money to a recipient claiming to be in Madrid, the money was actually collected in Lagos, Nigeria.

So how did the scam work?

Scammers target elderly people at random, hoping that they’ll strike it lucky. Without giving a name, they rely upon the victim to provide information which will help them to continue the deception. In this case, Grandma asked “Is that you James?” which confirmed that she had a grandson and gave the scammer a name to work with. Then it was simply a case of spinning a story convincing enough to persuade Grandma to send cash.

How can you avoid being ripped off?

If you receive a phone call from anyone claiming to be a family member, ask them to confirm their name before you get involved in a conversation. The chances are, if they’re not genuine, they’ll terminate the call immediately. Even if they do give a name that means something to you, don’t assume that everything is as it should be. Take a telephone number to call them back on, then get in touch with other family members who can confirm (or otherwise) that the story is for real. You’ll soon find out if your grandchild is in trouble or not, and could save yourself a packet!

Please, if you have elderly relatives or friends, give them a copy of this article and help them to stay safe from scammers.