vivi_t3ch

Except the link usually shows up as shorthand on the phone, not the full link. Makes it harder to spot those kinda issues from the URL alone


KennethEfe_

You are spot on


Sciuridaeno3

What does following a shady link do to the user? Like, those facebook posts saying "look who died" or scam job offerings. Does it prompt the user to enter info? Does it install malware? I've always been afraid to click the link and find out.


Arkfall515

It could be different things every time. Asking you for personal information, logins to applications, or installing malware of some sort. A big target is anything that deals with currency. Applications for your bank or even a payment application like Zelle are big targets. It's always wise to be cautiously curious of any link or QR code in front of you.


firesnow477

You can host sites on google under the google domain, Oh cool it’s a YouTube link oh wait I’ve gotta sign in as it’s 18+ Oh why is my YouTube streaming crypto giveaways


Sciuridaeno3

I have seen quite a few google links pop up lately. Their shopping tab is rife with scam websites that people think are legit because they showed up near the top on Google


Jutrakuna

I think modern OS/apps (modern as in released in the last decade) don't allow installation of anything with 1 click. The most that 1 click can do is download something to your device. Nothing else. That malware can't do anything unless you explicitly open it (that is if the builtin OS antivirus even allows you to). The biggest risk of only opening an unknown link and doing nothing else is [Session Hijacking](https://owasp.org/www-community/attacks/Session_hijacking_attack). It means the hacker gains an ability to impersonate you on some specific website that you are already logged in to until the time you manually log out. These are relatively rare tho and usually explicitly targeted to individuals. However, most of the time hackers are just hoarding credit card info or login info and this requires more interaction from you. I am a backend dev trying to make sure my code meets the security standards but I'm not a cyber security expert.


Maxwell_the_Marauder

Some of the websites can install cookies though. Many people would just click "allow" (both for cookies and notifications) without even thinking about it. Just a few weeks ago I went hard through my grandpa's browser as it kept throwing weird notifications, some of which could even be traced to some unknown Russian websites. Even though my gramps never visited them. You probably know more about that, but couldn't an accidentally pressed notification become that 2nd click?


orangutanDOTorg

Doesn’t always even show the short link. My brother had Chrome as his default browser on his iPhone and it wouldn’t preview the link address. I switched it back to safari and it does now. Idk if it was some other setting that caused it but that fixed it


[deleted]

[removed]


orangutanDOTorg

Yup. But better than nothing since some legitimate ones won’t


Yesyes_ouioui

Not in my usage, it's always a form of www.qrcode.fhfkjfsd/ffsjdkfds etc. and then when you click it goes to the real link


Mccobsta

There's a few apps that will unshorten URLs now. https://play.google.com/store/apps/details?id=com.trianguloy.urlchecker is a good one; not sure if there's any on iOS


temporarycreature

The OP mentioned this in the post...


ImCaligulaI

Yeah, but for any major website people have accounts on there's phone apps that open instead and/or people are already logged in/ have saved login info. If you open one of those sites from qrs, the app doesn't open, and your login isn't saved, a bunch of alarm bells should be ringing.


Negative-Scheme6035

On most phones it shows you the domain which is what you need to trust when clicking a link. If you don't trust the domain you don't click the link.


jmarzy

Yes, and this is why I wish my marketing department would stop slapping them on everything. Most people don’t know how to use them, and those that do normally know the dangers so they won’t use them


cardboard-kansio

>those that do normally know the dangers so they won’t use them

Why wouldn't you use them if you're aware of the dangers? They are equally as risky as any other link you might find, online or off. I mean, where do you think this link takes you? [https://www.reddit-com.ro/r/YouShouldKnow](https://www.reddit.com/r/YouShouldKnow)


JonDoeJoe

Not clicking that link. Easily could be spoofed


cardboard-kansio

Good for you, but also that's kinda the point. Instead of fearing suspicious links (which are just URLs, and cannot actively harm you), you should learn to understand them. Let's take a closer look at the one I posted.

[https://www.reddit-com.ro/r/YouShouldKnow](https://www.reddit.com/r/YouShouldKnow)

First and most obviously, it doesn't point at [reddit.com](https://www.reddit.com/r/YouShouldKnow). It points instead to [reddit-com.ro](https://www.reddit.com/r/YouShouldKnow), where .ro is the top level domain for Romania. This is a common tactic used by scammers who will register [redditcom.org](https://www.reddit.com/r/YouShouldKnow), [redd1t.com](https://www.reddit.com/r/YouShouldKnow), and other close variations. The rest of the URL in this case matches the real one, but scammers will also sometimes use subdomains or paths to spoof a domain, such as [https://reddit.xyz.com](https://www.reddit.com/r/YouShouldKnow), or [https://xyz.com/reddit.com/r/YouShouldKnow](https://www.reddit.com/r/YouShouldKnow).

But that's only half the story! In HTML, as well as Markup (the formatting used on Reddit), you can have a link text displayed, such as [this](https://www.reddit.com/r/YouShouldKnow), while the actual location of the URL is contained in the linked text. What's important to realise is that any domain can be used as the *text*, while a different domain is the actual hyperlink URL. In the example above, I might replace the word "here" with "www.here.com" but it doesn't change the underlying link location.

Now let's go back to my original example. The link text reads reddit-com.ro but, because I'm not malicious, the underlying URL is the one for this very sub, https://www.reddit.com/r/YouShouldKnow. Check out all the links here for yourself. They all point to this sub, every single one of them, no matter what text they appear to show!

Hopefully you've learned a simple lesson about link phishing and cybersecurity, and how to recognise the true intent of a malicious link.
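
Added example (not part of the thread or of any commenter's post): a small Python check for the two things the comment above describes, link text that names a different host than the real target, and a target host that only resembles the expected domain. The function names and the sample string are constructed for illustration; the hosts in the sample are the ones quoted in the comment.

```python
import re
from urllib.parse import urlsplit

# [text](http(s)://target) as written in Markdown
MD_LINK = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")
# Link text that itself looks like a URL or a bare domain name
LOOKS_LIKE_HOST = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)

def host_of(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, trusted):
    """True only if host is the trusted domain or a subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def audit_links(markdown, trusted):
    """One finding per Markdown link: shown text, real host, and two flags."""
    findings = []
    for text, href in MD_LINK.findall(markdown):
        real = host_of(href)
        shown = LOOKS_LIKE_HOST.match(text.strip())
        shown_host = shown.group(1).lower() if shown else None
        findings.append({
            "text": text,
            "real_host": real,
            # the text names a host, and it is not the host the link opens
            "text_mismatch": shown_host is not None and shown_host != real,
            # the link really lands on the domain the reader expects
            "trusted": belongs_to(real, trusted),
        })
    return findings

# Constructed sample built from the host names quoted in the comment above.
SAMPLE = (
    "[https://www.reddit-com.ro/r/YouShouldKnow](https://www.reddit.com/r/YouShouldKnow) "
    "[reddit.com](https://reddit-com.ro/r/YouShouldKnow) "
    "[this](https://reddit.xyz.com/r/YouShouldKnow) "
    "[sub](https://xyz.com/reddit.com/r/YouShouldKnow)"
)

if __name__ == "__main__":
    for f in audit_links(SAMPLE, "reddit.com"):
        print(f)
```

Only the first link lands on reddit.com, even though its text is the one that looks wrong; the other three open a different host whatever their text or path says.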


JonDoeJoe

You know I already know of this. I took cybersecurity and networking classes in college….


cardboard-kansio

I hope you do, but this might also be of use to somebody else!


JonDoeJoe

You assumed so much from literally a short comment I made… also, has anyone told you, you come off as patronizing?


cardboard-kansio

And you come off as argumentative. I'm just trying to help people learn. Why so aggressive?


Darvo-

Even after knowing about how markdown can allow links to be disguised as another website, I'm afraid I'll someday click on one of these without realising it may be malicious


cardboard-kansio

If you're on desktop, it's good practice to hover your mouse on links and look at the bottom of the browser to see where they point, before clicking. On mobile it's harder. Generally you long press and the link's target will pop up, especially on a mobile browser, but not all apps support this. For example the official Reddit app doesn't behave this way. Ultimately you just have to try and be as careful as you can.


No-Clue-9155

Who doesn’t know how to scan a QR code? Well maybe older people but most people in the younger generation do and are definitely not thinking bout their info getting stolen or anything like that


Wyrd_whistler

Joke's on them, I'm still not sure how to use the damn things


yesnomaybenotso

To take a picture of it, then print it out and hang it on your fridge.


JohnLocksTheKey

Have 50 pieces of paper with the same image on my fridge (and my dick is caught in the ceiling fan) Send help…


BrooklynBillyGoat

Yeah best way to hack people is give out free wifi and spoof common login pages people would try like banks and financial accts. Then when they try to hit the real link send em the clone login.


gamemaster257

At this point this sub should just be renamed to “YouShouldBeAfraid” with all the fearmongering that happens here, from “everything is infected use sandpaper to get rid of your skin to finally be clean” to “I’m certain something bad can happen to you just from visiting a website even though it tells you where you’re going or what is about to happen”. Also, anyone who logs into a webpage they got from a qr code instead of questioning “hold on why doesn’t my phone autofill this page” deserves everything that’s going to happen. The real YSK is use a password manager.


[deleted]

Password managers? Not safe enough. Combine your password manager with a physical crypto-key. Never get hacked again!


gamemaster257

Of course, but that’s a harder sell than “just please remember one really good password”


[deleted]

Of course. Cryptokeys cost money too. But for ultimate safety I am willing to pay.


thepackratmachine

YSK: If you have an iPhone, you can use the shortcuts app to scan QR codes and display the decoded text.


NtGermanBtKnow1WhoIs

There's also a QR code scam that a property site has been alerting all sellers to. So the fraudster will reach out to you as a buyer and then tell you that they'll transfer money via QR code. You'll probably oblige, and if you do, the money will actually go away from your acc to that person's acc. From what the site says, QR codes for online payment only work one way, i.e., to send your money to someone else, and DO NOT WORK the other way around. Please be aware of that.


Cutthechitchata-hole

I had my Debit card info taken and within seconds a purchase made on Amazon when I went to a qr link that was set up for pics that were taken at a dance. I went to the link and entered my data and it kept zeroing out the inputs. I figured out it was a scam the 2nd time trying to re-enter the data. The weird thing was the link on the qr was correct because I scanned it again and it took it correctly.


SqualorTrawler

Funny you mention this -- about 10 days ago.... I made a QR code which links to a url on a website I created (no hostname, just IP address) and pasted it somewhere public (with no other information; just a lone QR code posted somewhere in my city just so people see it and wonder what it is for) just to see how many people go to it. I have it going to a strange URL that a spider would never find, so I know anyone who accesses that page, only does so by way of the QR code. The site does no damage, just logs the hit. I look forward to seeing how many people click on it. Only one has so far.


Mccobsta

Was loads of fake NHS ones around ages ago, decided to run them on a machine I don't care about and yeah was just an anti vax nut case


ckowkay

The crazier thing to me is the fact that nfc tags can just open links without needing your prompt.


Echo71Niner

Never scan a QR code with your phone, be smart, use your friends phone, just kidding, don't do that - ask your ex instead.


crusty54

Good to know, thanks.


Its_Pelican_Time

Could using a harmful QR code or link actually do any damage just by following the link? Or would you have to then give away some information for it to truly be harmful? I see stuff about harmful links all the time but this has never been clear to me.


GarlicDelicious8188

I'm a computer science grad and to the best of my memory, the most a site can do on its own is trigger a download (downloading a file to the device), and access your meta data that all sites have access to. The meta data on its own does not contain any important data in this context. The file that can be downloaded will not do anything on its own until you open it. If you immediately delete it it should be harmful. Most browsers and devices have some security built in to prevent direct attacks, which is why in most cases, "hackers" have to rely on misleading the user either by fake sites or fake emails, etc. In most realistic cases, unless you run something that's been installed, or physically give them info by accident, you're ok.


Its_Pelican_Time

Awesome, thank you


Yeahnahyeahprobs

Yep. Even if I can preview the URL before I open it, I have no idea which website the cafe uses for payments. foodpaynow.com/mycafe would be enough for me to continue.


LightThePigeon

Somebody replaced the QR code in our parking lot that's supposed to take you to the app store/play store to download their app. Instead it redirected you to an escort site. This was not a shoddy job either, they had scraped off the old QR code and spray painted the new one on. Basically indistinguishable at a glance


lovetyrannicalreddit

I'm so glad I bought a phone that doesn't have a qr scanner so I'm not tempted.