[wila]

The idea they are talking about is most like the scenario where malware throws up a fake BSOD with its own QR code.

The user then scans the QR code to open a link to the microsoft website with more details about the BSOD.

Except the QR code is fake and it opens a page that is targeted to infect your phone/tablet.

Now 2 devices are infected. Yay

[Someone1234]

Seems pretty convoluted to the point of absurdity.

If your threat model automatically assumes links are directly proportionate to infections then you're already screwed since getting a user to click a link is insanely easy, and if you had a link that would infect mobile devices you'd likely just drop it on a few news aggregators rather than go through this mess.

Threat modeling is about evaluating the risks, including how realistic they are. Your risk model is just unrealistic, you're now infecting PCs with malware for the sole purpose of generating a fake BSOD, which in turn creates a link, which in turn infects mobile devices. Why even infect PCs in that scenario? Seems much MUCH easier to trick mobile users into clicking links OR redirecting them (e.g. AD hijacking).

If you really wanted to attack mobile devices from an infected PC you'd likely use their direct USB connection, seems like a much more reliable route. Also may accomplish infections not normally possible from a simple link.

[justsaysmthng]

Not absurd at all. The malware infects the PC and does its bad thing. After it's finished doing the bad stuff, it creates a full screen window which looks just like a BSOD screen with the QR code containing the attacker's URL.

User scans the QR code and navigates to that URL. Now he thinks he's on microsoft.com and will readily hand over his Microsoft credentials.

When you have Bitcoin, bank accounts, credit cards, etc as potential rewards, bad guys can (and do) get quite creative..

[kabdib]

Oh man, you have no idea what the state of security is, or how persistent attackers are. This is definitely not absurd. In fact, I'll bet that attackers are writing code for this right now.

I've encountered Bad Guys who happily walk users through enabling Debug mode on their Android devices (requires a bunch of gyrations and scary dialogs). Many users are absolutely clueless about security, and will follow instructions in pursuit of !!Free Stuff!!. It's amazing.

Putting a QR code that takes your phone to some unpredictable site on the internet is a really, really bad idea. Even if you think your mobile platform is secure today, there will be zero-day exploits in the future, and malware authors will use this vector.

[Someone1234]

> Oh man, you have no idea what the state of security is, or how persistent attackers are.

It is only my day job...

You also forgot to explain why, if you had a link which auto-infects a mobile device, that you wouldn't just post the link on Twitter/Reddit/HK/etc rather than infect PCs and then "trick" users into going to the link.

If you're going to spend the time and money it takes to create PC malware, you're going to want specific value from that infection in and of itself. Meaning information theft, botnet member, spam proxy, etc, by using this BSOD route you're likely to expose your PC implant and lose the value there.

> Putting a QR code that takes your phone to some unpredictable site on the internet is a really, really bad idea.

So is clicking a link on Hacker News, but I bet you've done it dozens of times in the last hour.

> Even if you think your mobile platform is secure today, there will be zero-day exploits in the future, and malware authors will use this vector.

And by "this vector" you mean a link, on the internet? Again explain why this is a bigger threat than email/Reddit/Hacker News/Twitter/etc. Or heck explain why AD redirects aren't a threat?

[vezycash]

It's obvious you've been using ad blockers for years. Turn it off for a few days and you'll see a bunch of malware Ads mimicking anti virus warnings with words like 'Scan your computer for viruses' or "1789 viruses found on your pc, click here to remove them"

>>explain why this is a bigger threat than email/Reddit/Hacker News/Twitter/etc.

Trust. A fake email that looks like its from your bank directing you to a website that looks like your bank's site is usually successful

In the same vein, an attacker utilizing trust and habit can gain access to your email account or/and get you to install anything

Of course "you" won't be fooled but many others will be

[ashitlerferad]

You're not thinking like an attacker who is trying to get to a specific target (such as Obama's iMessages).

[dpark]

What stops malware from doing this already? If your PC is compromised, what stops it, today, from popping up a message that says, "hey, open this url on your phone to [fix your registry|enter this contest|get free porn|pay our ransom|whatever]"?

No new attack vector was created by adding QR codes to BSODs. Most people aren't going to scan the QR code anyway, for the same reason they didn't search for the error codes: they done know what to do with the info. They will restart the machine and eventually call a friend/relative/tech support for help.

[DanBC]

> Seems pretty convoluted to the point of absurdity.

I dunno, trojan diallers and phishing seem pretty convoluted to me.

Mobile phones are a major target for attack in the UK at the moment.

[Someone1234]

I don't really understand what it is you're getting at.

It is convoluted because a PC infection is unnecessary in that scenario. You could skip it and accomplish the same thing.

[kabdib]

Phones contain valuable data, too.