This article explores Netcraft’s research into the recent surge in QR code parking scams in the UK and around the globe. Insights include:
Earlier this month, RAC issued an alert for UK motorists to beware of threat actors utilizing Quick Response (QR) code stickers luring them to malicious websites. These sites are designed to exfiltrate personal data, including payment information, by impersonating known parking payment providers. Reports of similar scams across Europe and in Canada and the US have also been increasing and gaining public attention. In the US, the FBI has now issued alert number I-011822-PSA, Cybercriminals Tampering with QR Codes to Steal Victim Funds, to raise awareness. We can expect that these attacks will continue to be deployed on a global scale.
In the UK, phishing activity is peaking. On July 30, Southampton City Council posted on Facebook warning motorists of a wave of malicious QR codes appearing across the city center. Printed on adhesive stickers and affixed to parking meters, the QR codes directed users to phishing websites impersonating the parking payment app brand PayByPhone. Around the same time, several Netcraft staff shared stories of family members being duped by similar scams. In response, Netcraft deployed its research teams to analyze and understand the activity in depth.
Fig. 1. Southampton City Council’s post on Facebook warning users to avoid scanning the QR codes and explaining the risk.
Looking at British media reports, these parking QR code scams appeared to peak during the summer holiday period (June to September). Activity concentrated in and around coastal tourism locations such as Blackpool, Brighton, Portsmouth, Southampton, Conwy, and Aberdeen. There are now at least 30 parking apps in the UK, varying by location—an abundance that benefits criminals. By targeting tourist destinations, threat actors can prey on tourists who need to download the parking payment apps and are searching for ways to do so.
Netcraft was able to identify two threat groups running such scams. This report focuses on an active group impersonating the PayByPhone brand. The other group has been identified using a phishing kit to simulate multiple brands, including RingGo.
Mobile payments are now standard in many public and private parking lots across the world. While transactions were once used to involve calling or texting a number, mobile apps have become more commonplace.
In the UK, the main providers include PayByPhone, RingGo, JustPark, ParkMobile, and MiPermit. Providers display user instructions in parking lots, typically on parking meters. These include a download link or QR code to access the payment app, as well as a unique location code to geolocate the user. This approach not only offers an opportunity for threat actors to target victims on-site, it may also enable them to further target victims with additional location-specific malicious messages.
Based on the PayByPhone threat group which forms the basis of the research, the following step-by-step process being used to extract victim data was observed:
Fig. 2. Screenshots showing the step-by-step process on one of the fake PayByPhone websites.
Following payment, phishing kit groups send the victim to a failed payment page, prompting them to use an alternative payment card. This extends the volume of credentials and funds the threat actor can exfiltrate.
Fig. 3. Screenshot of fake failed payment page on one of the malicious websites.
Netcraft has been able to analyze threat actor activity to understand the strategies underpinning these attacks.
Fig. 4. Chart showing malicious websites being activated and deactivated between June 17 and September 3.
In the timeline above:
Numerous phishing websites were created to facilitate these attacks. Since June 17, Netcraft has seen the same scam on 32 distinct domain names. All of these demonstrated the following characteristics:
The QR codes most typically linked directly to .click URLs, which redirected to a live phishing website at a .info or .site URL. This could be a persistence tactic to ensure that if the group’s core sites are taken down, new ones can be set up, and the redirects changed. Such an approach avoids the need to physically replace any QR code stickers, keeping the attack online while controlling costs.
After tracking the threat actor’s activity online throughout August, the Netcraft team then went a step further to gather additional on-the-ground research.
Fig. 5. Map showing Netcraft-identified parking meters displaying the location of benign (black) and malicious (red) QR codes across Southampton city center.
Of the 24 parking meters across Southampton City Center, seven are used to display malicious QR codes. Some of these were in prime locations, including opposite Southampton Central train station and near a large grocery store. Other areas in the city center and Portswood (another high foot traffic area) appeared to be clear of QR codes.
The QR code stickers appear to have been distributed in a single batch—all linking to the same website—following the takedown of several of the threat actor’s websites. This highlights the persistent continuation of the campaign, with the threat actor rotating websites and remaining active despite their operations being disrupted.
The domain name for the website mentioned above was registered on the afternoon of Sunday, August 25. The first visit was at approximately 07:00 the next morning. Netcraft researchers believe that this was the threat actor’s on-the-ground agent testing the QR code after placing the stickers. These timelines highlight the speed of activity between registering a new domain and placing a corresponding QR code sticker.
In Southampton city center, there are two types of parking meters—red, which represent more dated models, and black, which are newer and display official PayByPhone branding. The threat actor’s QR codes were only found on these new black meters, pasted on top of the official branding to improve impersonation.
Some meters had been pasted with three QR code stickers (front and both sides), but not all. At the time of visit, one meter on London Road had its front QR code sticker partially ripped off. Together, these observations may suggest either that stickers are being haphazardly removed, missed, or that the individuals responsible for planting them are inconsistent in their approach.
Fig. 6. Photo of parking meter with QR code partially removed
The main takeaway from the on-the-ground research is that the threat actor has invested strategy and resources to achieve greater impact—making use of high-footfall areas and using tactics that add legitimacy to the scam. It’s clear that the measures being taken on the ground to deter these attacks are not as effective as takedowns online.
We were able to identify the following detection evasion tactics:
Some of the most critical intelligence we’ve been able to gather on these attacks concerns their impact on victims.
As illustrated in the step-by-step flow earlier in this earlier, the threat actor used webforms on their phishing website to capture and store victim data including:
This personally identifiable information (PII) could be used in future phishing attacks, for example, utilizing the threat actor’s knowledge of the victim’s vehicle, including location-based campaigns that utilize the victim’s location codes.
After each form is submitted, the phishing websites submit victims’ data to the server. This maximizes the amount of information gathered, i.e., even if the victim exits the site before completing the entire process.
The research suggests that the stolen data is then stored temporarily on the web server before being sent on to the threat actor via a Telegram bot2. An admin control panel on the website is used to configure the API keys for these bots and select which to send data to (default bot names are: “main” and “Hulingans”.)
Fig. 7. Screenshot showing the app admin panel used to configure bot API keys.
Netcraft’s research identified an approximate number of victims affected by these attacks.
On one of the threat actor’s websites, an API call to increment a visitor counter. The response displays the number of website visitors to date. By tracking the visitor counter over a few days, it was revealed that:
From June 19 to August 23, 10,000 users accessed this website and another mirror site. Many of these users could be potential victims who have scanned one of the malicious QR codes.
Fig. 8. Screenshot showing the website increment counter and number of website visitors.
Two of the threat actor’s phishing websites featured an exposed debugging API endpoint showing the number of form submissions (i.e., every time a user submitted data through the malicious website forms). On one of these sites, Netcraft was able to identify 1,932 form submissions from mid-June to August 12. On the other, 267 details were collected from July 27 and August 20. This brings the logged total to 2,199. Although the other websites had this endpoint disabled. It can be assumed that across all of the malicious sites, more data was exfiltrated, including victims’ payment details3.
Netcraft has found indications that the threat actor studied in the research is related to a series of postal and customs tax-themed scams targeting Ireland and Poland. These indicators include:
The step-by-step flow for extracting victim data is also similar. The customs tax scam was observed requesting the following data under the guise of releasing a parcel held at customs or a postal depot:
The following timeline helps demonstrate how the threat actor switched between their campaigns:
We believe this shows that when the threat group’s parking scam became disrupted by takedown activity, they reactivated their previous campaign.
Fig. 9. Screenshot showing a page from the customs tax website.
Netcraft was not able to find conclusive evidence pinning down the threat actor’s geographical location. However, a comment was found in the source code of one website containing a Romanian expletive: console.log(‘sloboz’).
Another section of the source code contains comments in Romanian (translation: “Define the validate function to validate the card data validate function / Here you must add the validation code for the card data / You can use the jQuery library or pure Javascript, depending on your needs / Simple validation example”).
Fig. 10. Screenshot showing Romanian language text in website source code.
The phishing websites contain internationalization files for English, French, German, Italian, and Romansh (spoken in Switzerland), indicating that this attack is being deployed on a trans-European scale. This backs up news reports from both Switzerland and France where have been found linking to the same phishing websites
Fig. 11 and 12. Screenshots showing translation files stored in the website.
Netcraft’s research into these parking lot QR code attacks highlights the tip of a much bigger iceberg. The insights drawn provide valuable insight into the criminals carrying them out, informing how organizations can best defend themselves.
The behaviors and characteristics of the threat actor identified through the analysis demonstrates the scale and strategic approach being used. Not only is this one criminal group operating across a continent, but they are also investing to evade detection and achieve continuous operation. Additionally the criminal group is likely responsible for a number of other attacks. This shows how cybercrime groups adapt and evolve their tactics and respond to opportunities that yield greater impact.
If you want to know more about how we detect, analyze, and take down attacks like these, get in touch with the team or book a demo now.
1 We may assume that the prevalence of this topic in the news in August influenced takedown activity.
2 Data exfiltration via Telegram is a common asset stored in phishing kits. Email used to be the most favoured channel, but as email takedown has advanced, threat actors have adapted. Telegram offers threat actors the ability to easily switch between Telegram bots to receive exfiltrated data. It also enables them to relay data to multiple Telegram bots, enabling them to maintain persistence if one bot is disabled.
3 In adhering to the Computer Misuse Act, we’re unable to confirm the exact number of exfiltrated payment details, as this would require directly accessing stolen data via the admin control panel.
Click to Open Code Editor