Uncovering a QR Code Scam That Tries to Hijack Parking Payments

Recently, the City of Toronto replaced a bunch of parking meters along a stretch of Yonge St. This in itself is unremarkable beyond the fact that these new machines record the user’s plate number where the old ones did not. The city has also stopped taking cash to pay for parking. But, that privacy issue for another column. Today, I noticed something on the front of these new and somewhat complicated machines: An easy to use (but haphazardly placed) QR Code on the front of the device that had “Scan to Pay” written under it. I knew this was a scam, and it was time to uncover this.

When the target scans this QR code, it linked to this page: https://161-35-47-111.cprapid.com/ca.html

This is obviously not a City of Toronto payment site. This is a criminal trying to get you to pay them for parking. The actual way to pay, “Press here to begin,” never stood a chance.

The Technical Details

The scammers are running this all in one html page, presumably on Apache on the 161-35-47-111.cprapid.com domain. The front part of that domain is the IP of the site, so this suggests this is some sort of temporary site service or redirector. At the time of writing there was nothing to see at cprapid.com. Checking this out on Virus Total didn’t return much.

The server appeared to be on AS 14061 ( DigitalOcean, LLC ) while the server itself interacts with Cloudflare. Searching this domain’s history yielded no real metadata other than the fact that it changes rapidly.

An older-style parking meter with a QR sticker

Easy Park

In the time it took to get a coffee, the Green P site went down; perhaps law enforcement got wind of this. Trying other variations of names such as toronto.html, tpa.html, park.html yielded no pages.

A quick look at the root of this domain and it shows an EasyPark paying in British Pounds payment processor. A look at the actual Easypark and they seem to only offer a mobile app. Looking back at the fake site, the logo seems good, though the top-right of the page shows two “Home” links that go nowhere, and it’s it’s the same for other links in the footer. Curiously, the site never shows a price. It starts out at 0 GBP promising so how the price later, then asks for a credit card still without showing a price. Once it has the card, details the site appears to start the payment process for some unknown amount. When I inserted a fake credit card number, the site’s processing wheels just kept spinning. It made me wish I could see what kind of transaction was being put forward, but there was no way to find a service that would support this on-the-fly without money attached.

The EasyPark interface

The Site Returns

Then, just as fast as the Green P site went down, it came back up. It was a chance to get a good look at it. The Green P site had working duration controls, so selecting 11 hours and 15 minutes of parking yielded a charge of $45.00¹. The controls allowed for a maximum of 24 hours and 60 minutes, and for that one would need to pay $100.00. When stepping though the payment process, the site asks for a plate number, but that’s attached to a <form action=""> statement, meaning it’s irrelevant what you add (but probably also not being sent to the criminals). Doubly so for when it pushes the victim to the payment processor, our scammers tell you parking voucher process is complete while it does not verify the victim has paid. Once you give the criminals the nice payment, they may have your credit card to further exploit and you’ll also get a fat ticket from the City of Toronto for parking illegally.

Here’s a look at the payment flow an how the site functions:

Most interesting, on Bunq, a payment processor, the seller’s account is listed as “EasyPark” with an account number of NL03 BUNQ 2196 0537 24. This is how law enforcement finds these criminals. Could they be British?

BUNQ or Bank of the Free

As you might imagine, I scanned a bunch of these machines down the street to see if there were more stickers. When I found one. I immediately removed the sticker. They were placed on old and new machines alike. The threat website is live now, so one wonders if they’ve made money². Let’s get the word out and make sure that both the city and authorities know about this. Be vigilant folks. Be careful what QR code you scan.

Related: Green P is aware of these and has warned the public about them and that they “report the incidents to City of Toronto Cyber Security and the websites are forced to shut down.” It’s not clear what mechanism they might use to do so.

Update: CTV News has coverage of this scam and perhaps most interesting is that the fraudsters are charging up to $2,000 per transaction.

“The individual thinks they’re paying for street parking, scans a QR code, they are directed to what appears to be a legitimate website, make a payment, and instead of being charged $7 they’re charged almost $2,000,” Const. Laura Brabant said.

This is probably when the criminals use their own payment gateway obscuring the parking price until the final surprise transaction happens. You should expect they’ve compromised your credit card too.