Full Report
Ever alert to fresh money-making opportunities, fraudsters are blending physical and digital threats to steal drivers’ payment details
Analysis Summary
# Tool/Technique: Quishing (QR Code Phishing)
## Overview
Quishing, or QR code phishing, is a social engineering technique where fraudsters place malicious or deceptive QR codes over legitimate ones (on physical objects like parking meters or electric vehicle (EV) charging stations). When a user scans the fraudulent code, they are redirected to a phishing website designed to harvest sensitive information, primarily payment details, or potentially download malware.
## Technical Details
- Type: Technique (Social Engineering/Phishing variant)
- Platform: Mobile Devices (primary vector), Physical infrastructure (QR code placement)
- Capabilities: Redirecting victims to manipulative websites, credential harvesting, potential malware installation.
- First Seen: The text notes the threat really started appearing during the COVID-19 pandemic as QR code usage increased, with a notable spike in incidents reported in late 2023.
## MITRE ATT&CK Mapping
Quishing primarily falls under Initial Access and Credential Access tactics when successful.
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.004 - Phishing: QR Code Phishing
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores (If the ultimate goal is harvesting saved payment details from the mobile device or the accessed site).
## Functionality
### Core Capabilities
- **Physical Tampering:** Placing malicious QR codes over legitimate ones on public infrastructure (EV charging stations, parking meters).
- **Redirection:** Directing the scanned device to a lookalike phishing website.
- **Data Harvesting:** Prompting the victim to enter payment details (e.g., credit card information) on the fraudulent site.
### Advanced Features
- **Deception Layering:** The tactic relies on users favoring the apparent immediacy of a QR code over alternative payment methods or downloading official apps.
- **Attribution Camouflage:** The first scan attempt might fail or lead to a benign page, with the malicious link loading upon a second attempt, to ensure the victim eventually uses the service (though paying the attacker first).
- **Potential for Signal Jamming:** Some reports suggest signal jamming technology might be used to disable legitimate payment apps, forcing the user to utilize the malicious QR code.
## Indicators of Compromise
(Note: Since this is a technique applied to physical infrastructure, specific IOCs are dynamic/situational.)
- File Hashes: N/A (Focus is on the landing page/delivery mechanism)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Malicious URLs/domains used on the landing pages (specific domains not provided in the text, but should resemble legitimate service providers like charging station operators).
- Behavioral Indicators: Unauthorized submission of payment information via a newly navigated website after scanning a physical QR code in a high-trust environment (e.g., charging station).
## Associated Threat Actors
Fraudsters adapting existing money-making schemes to new technologies (Electric Vehicle owners, parking system users). Specific named actors are not mentioned, but the activity is linked to generalized criminal groups observed in Europe (UK, France, Germany).
## Detection Methods
- Signature-based detection: Limited for the initial physical placement, but detection on the resulting phishing URLs is possible.
- Behavioral detection: Monitoring for unexpected navigation or data submission after scanning unknown QR codes, especially on mobile devices.
- YARA rules: Not applicable directly to the physical act, but rules could be developed for downloaded payloads/landing pages if malware is involved.
## Mitigation Strategies
- **Physical Inspection:** Carefully examine QR codes; check if they appear stuck over the original, or if the color/font seems out of place.
- **Source Verification:** Only scan QR codes displayed natively on the terminal/meter itself; never scan codes that seem overlaid.
- **Preferred Payment Methods:** Utilize official charging/parking apps or direct payment methods (NFC, physical cards, coins) instead of scanning unfamiliar QR codes.
- **Mobile Security:** Disable automatic actions upon scanning a QR code (e.g., auto-visiting a website).
- **Post-Scan Verification:** Review the URL carefully after scanning to confirm it matches the legitimate service provider's domain.
- **User Awareness:** Be suspicious of sites with grammatical errors or suspicious elements. If in doubt, call the known operator helpline.
- **Financial Safety:** Freeze payment cards immediately if details were entered. Use 2FA on sensitive accounts. Install reputable mobile security software.
## Related Tools/Techniques
- Phishing (T1566)
- Malicious QR Codes on Parking Meters (A similar physical delivery vector)
- Credential Harvesting techniques implemented via web forms.