Short translations by yours truly. Original source 1 [A], original source 2 [A]
"Quishing"
No, not the preparation of quiche. Quishing: a classic man-in-the-middle attack made possible by a lack of authentication, just in pink.

Just like from the textbook of IT security fundamentals: fake Easypark QR codes have surfaced
Apparently a "parking service provider" (seemingly just a landlord renting out parking spots) wanted to save on parking meters and instead put up a sign with a QR code leading to the website where you pay by phone. According to the article, the intended flow is that the code sends you to the app used for payment, or to its download if you don't have the app yet.
Fraudsters simply glued "Scan & Pay" stickers carrying their own QR code on top. That code leads to a genuine-looking payment website on which you enter your payment details. "Quishing" = QR + phishing.
As mundane as it is, the attack is classic: the sign is an unauthenticated channel, and whoever has physical access to it controls the message. Gluing a sticker on top puts the attacker between the customer and the real service, a man-in-the-middle attack. Nothing on the sign lets the customer verify that the code actually belongs to the provider.
Fake Easypark QR codes have surfaced
Fraudsters have started putting fraudulent QR codes on parking meters. The scheme is already in use in several German cities.
This is what the fake QR code stickers look like.
Using fake QR codes of the parking service provider Easypark, fraudsters are trying to obtain users' payment details. "The stickers are quite well designed and make fraudulent use of the logo of the service provider and even the matching color as an outline", the State Office of Criminal Investigation (LKA) of Lower Saxony said on November 14th, 2024. According to the city of Hanover, fraudulent codes had appeared earlier in Berlin and Landau.
According to the statement, anyone who scans the QR code to start the parking process is redirected to a website that is "designed almost identically to the original page". As the city of Hanover further wrote, its employees first noticed the fraudulent codes on November 12th, 2024. According to the LKA, the number of fakes discovered so far is "in the low double digits". The fraud is called quishing, a portmanteau of QR code and phishing.
Customers are required to enter payment details
According to the statement, the fraudsters used the domain Easypark.live for their scheme. There, just as in the genuine Easypark app, you can select a parking zone and enter a license plate and a parking duration. Afterwards, credit card details are to be entered. "Whether a fee is charged at that moment, and which one, is still unknown. It may be that the culprits collect the credit card data and misuse it later", the LKA writes. The content of the domain Easypark.live is currently no longer available, however.
On its websites, Easypark also warns about the quishing fraud. According to the provider, its QR codes never lead to a website, but always to the Easypark app. If the app isn't installed yet, the codes lead only to its download.
In addition, the codes are always part of the official signage. "If it looks like a sticker or is located in a strange place, it could be a case of fraud", the company writes.
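The two hints above (a genuine code goes to the app, and the fraud ran on Easypark.live rather than the provider's own domain) boil down to one check a scanning app or a "paste the decoded link here before you pay" tool can perform: compare the registrable domain of the decoded URL against an allowlist, and treat a URL that merely contains the brand name as a lookalike. The following is an added example written for this page, not code from Easypark, the LKA or the article's authors. The hostnames in LEGIT_HOSTS, the brand string and the tiny suffix table are assumptions for illustration; a real deployment would use the operator's published domains and the Public Suffix List. Only the domain Easypark.live is taken from the article; the other sample payloads are constructed.

```python
"""Check the URL decoded from a parking QR code before opening it.

Added example for this page, not code from Easypark, the LKA or the
article's authors. LEGIT_HOSTS, BRAND and MULTI_LABEL_SUFFIXES are
assumptions for illustration; a real deployment would load the operator's
published domains and the full Public Suffix List instead.
"""
from urllib.parse import urlsplit

BRAND = "easypark"  # brand name the stickers imitate (from the article)

# Assumed for the example: exact hostnames the genuine operator is taken to use.
LEGIT_HOSTS = {"easypark.com", "www.easypark.com", "app.easypark.com"}

# Simplified stand-in for the Public Suffix List: just enough multi-label
# suffixes to show why "take the last two labels" is not a safe rule.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable part (eTLD+1) of a hostname.

    pay.easypark.live  -> easypark.live
    x.easypark.co.uk   -> easypark.co.uk
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


LEGIT_REGISTRABLE = {registrable_domain(h) for h in LEGIT_HOSTS}


def classify_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload.

    verdict is one of:
      trusted     https URL whose exact host is on the allowlist
      suspicious  allowlisted host, but plaintext http or userinfo in the URL
      lookalike   brand name appears in the netloc, yet the registrable domain
                  is not the brand's (easypark.live, easypark.com.evil.example,
                  easypark.com@evil.example)
      unknown     http(s) URL unrelated to the brand (also hosts under the
                  brand's domain that are not on the exact allowlist)
      not-url     anything that is not an http(s) URL (plain text, custom scheme)
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"verdict": "not-url", "host": None, "reasons": ["not an http(s) URL"]}

    host = parts.hostname.lower()
    reg = registrable_domain(host)
    reasons = []
    if parts.scheme == "http":
        reasons.append("plaintext http")
    if parts.username is not None:
        # https://easypark.com@evil.example/ really connects to evil.example
        reasons.append("userinfo before '@' disguises the real host")

    if host in LEGIT_HOSTS:
        verdict = "trusted" if not reasons else "suspicious"
        return {"verdict": verdict, "host": host, "reasons": reasons}

    if BRAND in parts.netloc.lower() and reg not in LEGIT_REGISTRABLE:
        reasons.append(f"brand '{BRAND}' present but registrable domain is {reg}")
        return {"verdict": "lookalike", "host": host, "reasons": reasons}

    return {"verdict": "unknown", "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads; only easypark.live is taken from the article.
    samples = [
        "https://www.easypark.com/pay?zone=1234",
        "https://easypark.live/park?zone=1234",
        "https://easypark.com.pay-now.example/park",
        "https://easypark.com@evil.example/park",
        "http://www.easypark.com/pay",
        "Donate BTC to bc1qexample",
    ]
    for s in samples:
        r = classify_qr_payload(s)
        print(f"{r['verdict']:<10} {s}  {'; '.join(r['reasons'])}")
```

The check deliberately compares registrable domains rather than looking for the brand name in the host: easypark.live, easypark.com.pay-now.example and easypark.com@evil.example all contain "easypark", and all are flagged. It only judges the URL, though. It cannot tell whether the sign itself was tampered with, which is exactly the gap the sticker exploits; Easypark's own advice about stickers and odd placement covers that part.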
Quishing is already widespread
Criminals are increasingly using fake QR codes for deception, for example at charging stations for electric cars. In August 2024, consumer protection agencies warned about quishing attempts in fake letters to bank account holders. Fake traffic tickets have also been used for the scheme.
The LKA Lower Saxony reported a strange case from the Harz area. There, a sticker on an outdoor donation box asked for donations in Bitcoin. The sticker, however, did not come from the association that operates the donation box.