QR Phishing Scams Gain Motorized Momentum in UK

Source: Westend61 GmbH via Alamy Stock Photo

In what seems to be an increasingly popular method of attack, two threat groups have been identified as utilizing QR code parking scams in the UK and throughout the world.

The researchers at Netcraft believe that one of the groups is active across Europe, especially in France, Germany, Italy, Switzerland, and the UK. According to initial reports of the threat, threat actors trick unsuspecting victims into scanning malicious QR codes and entering their personal information. And the damage doesn’t stop there — ultimately, because the QR codes are fake, users aren’t registering their cars for parking, meaning that they’re likely to be hit with a double whammy: potential financial fraud and a parking ticket.

The threat first came to public notice in August when British car insurer RAC published a warning advising drivers to be vigilant and only pay with card, cash, or official parking apps already installed on their phones. The potential victim count so far is roughly 10,000 within just a two-month span, according to their report released today.

The scams are gaining so much traction that they’re stretching beyond Europe, to Canada and the United States, prompting the FBI to issue alert number I-011822-PSA, “Cybercriminals Tampering with QR Codes to Steal Victim Funds,” to bring awareness to an issue they suspect will only continue to grow.

No-Parking Zone

In the United Kingdom, it first began with what the researchers called a “wave of malicious QR codes appearing across the city center” of London. The fake QR codes would be found printed on adhesive stickers and posted on parking meters. After scanning the QR code, the user turned victim would be directed to a phishing website impersonating a legitimate parking payment app, PayByPhone.

The scams spread across Britain, and peaked from June to September, with the threat actors were getting traction with, or perhaps specifically targeting, tourists in areas such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen.

With roughly 30 parking apps currently being used in the UK, these criminals are likely to find success preying on tourists who need to access public parking with easy and accessible payment options.

And though the current research focuses on how these schemes impact parking and tourists in particular, Robert Duncan, vice president of product strategy at Netcraft, stresses to Dark Reading that the threats carry risk in business context, pointing out a rash of corporate Microsoft 365 “quishing” attempts that exploited corporate users who used their own devices, thus excluding them from the enterprise’s security perimeter and leaving them open to any potential threats.

PayByQuish?

One criminal group using these methods is specifically impersonating PayByPhone, and follow a series of steps to execute their scam.

First, the threat actor “deploys boots on the ground resources” to set up the attack and affix the QR codes to parking payment machines, Duncan explains. Next, the victims scan the malicious, fake QR code and are unknowingly directed to a phishing website. The victim then follows the steps to enter their personal details: the parking lot location code, their vehicle details, parking duration, and lastly — and most damaging — their payment-card details.

Once this is completed, the website will display a “processing” page to simulate the legitimate user experience. The payment is then “accepted,” and the phishing website confirms the entered details before directing the victim to the real PayByPhone website.

According to the researchers, in some cases the phishing group sends the victim to a failed payment page, asking them for an alternative payment method. This only exacerbates the issue by collecting more card info and further adding to the funds that the threat actors can steal from.

Evading criminal groups’ schemes seems a difficult task when it presents itself so well as a legitimate operation. But the researchers have found that there are certain markers that can help potential victims detect a scam. For instance, 32 domain names with the same scam all displayed the following characteristics:

1. Registered with NameSilo.

2. Using .info, .click, .live, .online, and .site top-level domains (TLDs) rather than .com or common country-specific TLDs.

3. The sites appeared to be protected by Cloudflare.

How Businesses Can Avoid the Quish Hook

As these kinds of threat continue to grow, and possibly develop into new business sectors (such as quishing threats infiltrating restaurants or retail stores), Duncan notes that it won’t be easy to defend against.

“It’s quite difficult for businesses to defend against rogue QR codes being placed over existing ones,” he says. “It’s also harder to protect customers using mobile devices who may not have as many built-in security measures as on desktop devices. In this case, an online brand protection platform with broad URL-based threat intelligence with QR code support can help.”

Ultimately, Duncan says, there is no foolproof solution to preventing these threats as “both fake and legitimate QR codes often use URL shorteners, which makes it very hard to tell apart.” Instead, he recommends that users avoid scanning QR codes and instead look up parking apps in official app stores.

“There’s a lot of potential for QR code misuse,” he adds. “You’re often on a mobile device, where controls can be weaker. Watch this space.”