Malware Spreading Via ... Windshield Fliers?
wiedzmin writes "Another interesting article published by the SANS ISC Handler's Diary is describing a very unusual vector for malware distribution — windshield fliers and fake parking tickets. A website URL provided for "disputing a ticket" actually leads to a malicious website, and a "toolbar" required to find the photo of your violation is, you guessed it, a trojan posing as a fake antivirus. The best part is — according to the VirusTotal report, it doesn't look like most antiviruses have signatures for this one yet."
Neat but.. (Score:5, Insightful)
Re:Neat but.. (Score:5, Funny)
Re:Neat but.. (Score:5, Funny)
My god, the frustrations I could take out on him!
Also, we could use violence.
Re: (Score:2)
VirtuaMod: +1
Re:Neat but.. (Score:4, Insightful)
My god, the frustrations I could take out on him!
Also, we could use violence.
Do you think the people putting these flyers on cars are the real authors? I could just as easily pay some little kid 40 bux worth of weed to go around that parking lot of that nice corporate office over there and put these flyers out :P
Re:Neat but.. (Score:4, Informative)
Indeed. I remember hearing about a Nigerian 419 scammer who got hold of a lad with learning difficulties in America. After he fleeced him for all he could get he gave him a job funneling money from other marks. He had a lot more success because people thought he had a genuine presence in the USA. The poor kid thought he had an honest job and was going to get paid "any day now"...
Re: (Score:3, Interesting)
Do you think the little kid is going to take a felony spot for a $40 bag of weed? Hell no, he is going to rat you out in a heartbeat when someone ID's them off the corporate office's parking lot surveillance camera footage.
Re:Neat but.. (Score:5, Insightful)
Knowing at least one area in which windshield fliers are prevalent (college towns), chances are pretty high you'd be going ballistic over some poor college kid who just needed some cash and wasn't told what these fliers were for, not a malicious malware author/user hiding in an apartment somewhere while his freshly-hired lackeys unwittingly do his bidding.
So unfortunately, catching the guy distributing the fliers wouldn't do you any good, unless you're really THAT upset with the practice of windshield fliering in the first place.
The fake parking tickets, though, those are probably illegal in and of themselves, and the lackey distributing them would have to at least SEE what they are and thus be complicit in the activity, so they probably have some other manner of disguising themselves (official-looking police uniform, etc) so nobody questions them. Unless the REAL cops come by.
Re:Neat but.. (Score:5, Funny)
Phase 1: Pose as college student looking to make a few bucks
Phase 2: Get to know person distributing the fliers to students
Phase 3: Stand trial for aggravated assault with no regrets.
=Smidge=
Re:Neat but.. (Score:5, Funny)
Phase 1: Pose as college student looking to make a few bucks
Phase 2: ???
Phase 3: PROFIT!!!
There, fixed that for you.
Re: (Score:2, Funny)
Here, I fixed it for you (Score:2)
Phase 4: Get assaulted in prison
Phase 5: Sue
Phase 6: Profit!
Re:Neat but.. (Score:4, Insightful)
Re: (Score:3, Insightful)
Re: (Score:2)
Knowing at least one area in which windshield fliers are prevalent (college towns), chances are pretty high you'd be going ballistic over some poor college kid who just needed some cash and wasn't told what these fliers were for,
Is it time to invoke Godwin's law yet?
The fake parking tickets, though, those are probably illegal in and of themselves
So are the fliers.
and the lackey distributing them would have to at least SEE what they are and thus be complicit in the activity
They have to litter to put a flyer on someone else's car. Depending on where you are it might be considered vandalism, esp. if you do it on a rainy day and it dries on and the owner has to expend actual effort (no matter how slight) if they are annoyed enough with you. But it's not like they put a lot of effort into running down the flyer-appliers of the world.
so they probably have some other manner of disguising themselves (official-looking police uniform, etc) so nobody questions them. Unless the REAL cops come by.
The parking tickets are more illegal, because applying them is probably in and of itself cons
Re: (Score:3, Insightful)
> So unfortunately, catching the guy distributing the fliers wouldn't do you any good...
He knows who he got the flyers from.
Re: (Score:2)
Re: (Score:2)
just think of actually having the chance to get your hands on one of those assholes
Obviously the jerk walking around town putting fake parking tickets on cars isn't going to be the ringmaster of the operation. He's going to be just some guy trying to make a few dollars.
I'd like to think that enough people are moral enough to know that this is wrong, and the rest will figure it out after being arrested for impersonating a police officer, that the efficacy of this infection vector will quickly fall to zero.
Re: (Score:2)
Not in every country policemen hand out parking tickets. More often than not it's just some "public servant" with little to no training and certainly no executive power.
Re:Neat but.. (Score:5, Interesting)
Except in the UK, where it's a public servant with little or no training who, in some instances, actually has more power than a real police officer.
Re:Neat but.. (Score:4, Insightful)
Re: (Score:2)
Some homeless person...is going to help you how?
Another $50 should get you a place and time.
Re: (Score:3, Funny)
More likely it was someone who got an email with the subject:
MAKE THOUSANDS OF DOLLARS IN YOUR SPARE TIME!!!!!
Re: (Score:2)
Re: (Score:2)
Agreed. Of course, the next step will be for the malware creator to obscure themselves from the "flier" person. Easy enough, I suppose. Malware provider pays via paypal and has an anonymous scout verifying that the "flier person" is actually doing their job. The person putting the fliers may not even know that what they are doing is bad.
Re: (Score:2)
Notice Sent to UND Students. (Score:5, Informative)
Urgent! Bogus Parking Tickets Found on Campus Refer Recipients to Virus-laden Web site
Do Not Go To This Web Site!!!
A message concerning bogus parking tickets being distributed on campus that was sent out late Monday contained the URL of a Web site that carries a computer virus. We are resending that message below with the problem URL removed:
Here is the message:
UPD received a call on Jan. 31, 2009 pertaining to someone issuing bogus parking tickets in the parking lot directly east of the ramp. The ticket is yellow in color and states the following: "PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to XXXXXXX.COM" (URL not used for computer safety reasons)
DO NOT GO TO THIS WEBSITE!! IT CONTAINS A VIRUS!
If you visit the Web site and click on the link to view pictures of horrible parking, you will download a virus onto your computer.
Should anyone have any information pertaining to this, please contact UND Police at 777-3491.
Lt. Dan Lund
Night Shift Supervisor
UND Police Dept.
Re: (Score:3, Insightful)
Ok, but when I try to go to XXXXXXX.COM it doesn't say anything about parking tickets. It says they want to help me find Car Insurance, Chat, Work From Home, Cheap Flights and other stuff. What now?
Re:Easy way to not have it be a problem (Score:4, Insightful)
Re:Easy way to not have it be a problem (Score:4, Insightful)
To Pay your parking ticket online now, please fill out the following:
Name:______________
SSN:______________
Credit Card Number:_______________
Wouldn't matter what OS you were using if you hand over your info.
Re:Neat but.. (Score:4, Interesting)
Now, handing out fake tickets to those obviously illegally parked could net a useful income for a while. Especially if the 'objections' site informed you that there was a substantial backlog of cases, and they had to be evaluated, parameterized and prioritised. ("and we hope to get back to you before the one month follow up or discard period has passed.") It should be good for two weeks of Paypal heaven. Of course the flier distributor would be caught on video, and identified as wearing a sort of uniform with dayglo highlights including a cap and sunglasses, but hey, it's a clue isn't it.
The other worthwhile bit would be advertising. Being caught doing something illegal has your attention. Wow, what an attention grabbing gift. You actually are likely to read the flier. Going to a site www.payubastards.com would be sufficient warning that you are not in standard territory. Opening page tells you that you are (1) a miscreant and (2) so what, rip up the notice and enjoy the site, brought to you by
Of course, city councils would be furious at the disrespect and would find something illegal about it. But if the site poked fun at council misspending and other idiocies, the shut-down could become politically expensive. Political change could be the real objective of the fliers.
Re:Neat but.. (Score:5, Interesting)
Now, handing out fake tickets to those obviously illegally parked could net a useful income for a while.
Someone did that for a while in Madison, WI:
http://www.madison.com/tct/news/stories/302436 [madison.com]
His trial begins on the 19th.
Clever idea... (Score:5, Insightful)
Maybe a few people in a town would end up affected, but the cost in time/effort required to trap victims is impractical considering what a simple email can do.
Re:Clever idea... (Score:5, Insightful)
Re:Clever idea... (Score:5, Interesting)
Depends on where you target your fliers. Put 'em around city hall, and you may be able to get some schmuck to compromise their internal network. Or a bank, or a big company, etc, etc.
That would be the big advantage of being able to geographically target your scam.
Re:Clever idea... (Score:5, Interesting)
Sure, some security testing firms have already added "leave trojaned USB sticks in the parking lot" to their list of tests.
Slap these on cars before lunch, everyone who goes out to lunch will probably check the url when they get back on their work computer.
Re: (Score:2)
Re: (Score:2)
>Anybody have any ideas of how a local ip could be used to attack something?
Well, if you want to make ad money you would change the "DNS server" field on the gateway router. Most clueless router installs use default admin passwords. Then all your LAN PCs would be using the alternate DNS servers...
You could also troll the inside RFC1918 netspace, and scp random documents found on a fileserver that grants "guest" logins.
Re: (Score:3, Interesting)
Depends on how many people actually pay the fine.
Re: (Score:3, Interesting)
Ah, but have you ever seen those 5 cent plastic signs advertising DatingIn.com? Somebody local to you nails/stakes those(and probably all those other signs) and they do it for stupid cheap.
Ad agencies realized people will put those up for a pittance if you didn't care where they went, just wherever someone was already going for work/shopping/etc. And those things are everywhere.
Heaven help us if they were to get the idea to give the homeless a bottle of rotgut and a pad of these malware tickets. It'd be
Re: (Score:2)
Re: (Score:2)
For the same reason you need a spam filter. That kind of ad agency exists only as a rented postbox, and if you were to track them down, they'd disclaim any relationship to the person posting them.
If given proof they had ever interacted, they'd say the person was "at best, only a contractor", or they "fired them long ago for breaking the law".
The root of the problem (Score:3, Funny)
You guys are missing the root of the problem. If the cars didn't have windows, then the users wouldn't have gotten infected.
I suggest a car like this.
http://www.m38a1.com/images/Archives/jeep%20_105%20gun%20jpg.jpg [m38a1.com] :p
A virus I'd actually fall for (Score:5, Insightful)
Re:A virus I'd actually fall for (Score:5, Funny)
Welcome to the world of personal computing! Now that you've made the decision to dedicate at least some part of your life to staring at a screen and tapping on a keyboard, you should know that we (The Internets) have been working hard to make your computing experience as exciting as possible.
Every day you will have to learn more and more about computing just to keep up with trends, and if that isn't enough, we have some software coders that want to play a game with you. It's called "Show me your password and finance details" and is such an exciting game you will soon forget all about Zelda. Never mind looking for the hidden doors or avoiding poisonous frogs. In this game, every key you touch could be the one that causes you to lose.
We also have many other options to fill your time. We're glad you are here, enjoy computing in the Internets.
Sincerely,
I.M. Rogue
Re: (Score:2, Insightful)
What scares me most is that this style of distribution is something I'd actually fall for.
How so? Anytime I get a prompt to install anything from a website I'm not expecting, especially on Windows, I tell it no. Just because something is printed on a flier doesn't mean it's any more trustworthy than some random site you found through googling.
You're missing the point. (Score:2)
Most people have by now been taught not to click willy-nilly on the screen, but people get fliers and other handouts with URLs on them all the time. We've been conditioned that to be sure you are going to the site you really intend to go to, you have to manually enter the full URL.
Re: (Score:2)
True, but you're also a Slashdot user. Many people will be much more inclined to trust a site relayed to them offline, especially when it comes from a source that appears authoritative (such as mimicking a parking ticket, as TFS describes). You and I might call up City Hall and ask WTF is going on, but I'd bet that 95% or more of people that receive these fliers and hit the URL would get rooted.
Re:A virus I'd actually fall for (Score:5, Interesting)
Re: (Score:3, Interesting)
Which suggests the best way to distribute these might be to go near some touristy place and put these on cars
Re: (Score:2)
Erm, if a band/business/etc. needs me to install an EXE, I'm not using it. There are plenty of safe mediums to exchange with unknown people: mp3, pdf/image formats. While these attacks are more devious, it still fails to computer literate common sense, "why would I need to install something to..."
Re:A virus I'd actually fall for (Score:5, Insightful)
it still fails to computer literate common sense, "why would I need to install something to..."
Flash. Silverlight. Java. Adobe Reader. Windows Update controls.
People are getting used to installing applications to interact with "trusted" parties.
Re: (Score:3, Interesting)
I suppose that in a certain way, many Linux distributions help with this. They condition users only to install applications from the software repositories.
Package managers do not need to be exclusive to Linux. It might be a positive thing for Microsoft to create a package management system of "trusted" programs and force all other executables to be run in a sandbox.
I wouldn't. (Score:2)
What makes it slightly scary is that it claims to be a parking violation.
However, I would likely make a very loud noise about being required to not only have Internet, but also a specific browser and a specific operating system, and having to download their software.
For unemployment, at least here, the entire thing is done over the Internet. However, the website pretty much works in any browser (though the layout was slightly off in Konqueror), and if you don't have Internet (or a computer), you walk to the
Re: (Score:2)
Easy..
1) if it is not a parking ticket - Ignore it. I don't do business with that sort of business.
2) if it is a parking ticket. Don't go to the site, go to the most logical traffic court - take a day off from work. If it's real you can pay your fine or whatever. If it's not - hey at least you get a day off from work.
Re: (Score:2)
Just goes to show that no matter how much protection you have on the tech side, there's always a social engineering way around it.
True, but the better your protections on the tech side, the harder they have to work at social engineering and the less widespread and effective it will be. There is plenty of room on the tech side for technologies to mitigate trojans.
You might not fall for it... (Score:2)
Re: (Score:2)
They have learnt how to spell.
Be afraid...
That is pretty clever... (Score:5, Interesting)
And then you add in people who are from out of town, who would much rather not have to go back to your city to deal with a ticket...
Re:That is pretty clever... (Score:5, Funny)
do you know what a parking ticket looks like in your city
Only one way to find out. Lemme borrow your keys.
Re: (Score:2)
Re:That is pretty clever... (Score:5, Insightful)
Accidentally modded redundant instead of insightful. Sorry. Posting to kill moderation.
Isn't this awesome new moderation system such a great part of this fantastic new layout? Nobody liked the "confirm" button from the previous system, right?
New Slashdot layout (Score:2)
Isn't this awesome new moderation system such a great part of this fantastic new layout?
That is exactly the reason I turned it off. Slashdot's interface is becoming all flash and no function.
Re: (Score:2)
After all, do you know what a parking ticket looks like in your city, to be able to distinguish between a real one and a fake?
And if you do, then do you have any reason to believe they haven't changed ticket formats since the last time you got one?
Re:That is pretty clever... (Score:4, Interesting)
Not always.
In Eugene, Oregon, for instance, much of the parking is contracted out to a company called Diamond, which has the authority to issue tickets.
These tickets have no phone numbers on them, though they do include an address to mail your payment to.
There seems to be no way of contesting the tickets, either, which was annoying a while back when I got a ticket about a minute before the time had expired.
Re: (Score:2)
Re: (Score:2)
About 7 years ago I got an 'overnight' parking ticket in another city for parking on a side street in the winter. Now mind you, this was my fault and only $18. The ticket only had the seal of the local police force, and a signature of the police officer. Nothing else, besides what the violations were and what could/couldn't be checked.
They've since changed it, they're double sided with the police seal at the top, county clerks office under that. And city hall on the back as well as a list of all the phon
Who reads those things anyway? (Score:5, Informative)
1. You are parked legally
2. Everybody else has these "tickets"
And that's before you notice that your local government is using a website like: http://qlmbix.ch/parkingticets.html [qlmbix.ch]
I mean for this infection to work, the victim has to be not only stupid, but also not lazy. It has to have a low infection rate.
Re:Who reads those things anyway? (Score:4, Insightful)
I mean for this infection to work, the victim has to be not only stupid, but also not lazy. It has to have a good infection rate.
*fixed*
Re: (Score:3, Insightful)
And that's before you notice that your local government is using a website like: http://qlmbix.ch/parkingticets.html [qlmbix.ch]
How is the average person supposed to know that's a suspicious address? For all they know it could be some sort of acronym, and would the average Joe actually notice that the alleged government site doesn't have a .gov TLD?
Re: (Score:2)
www.ocpafl.org is a good example. That's not exactly an easy one to decipher unless you work with that office regularly.
Re: (Score:2)
if you look around and notice two things:
Depending on who you are, that's a big if.
Re:Who reads those things anyway? (Score:5, Interesting)
1. You are parked legally
2. Everybody else has these "tickets"
I've gotten tickets when I was parked legally and successfully contested them. All the other cars on the block were also incorrectly ticketed at the same time - apparently a cop misunderstood the parking rules, or didn't know how to operate a watch.
Furthermore, given the city's trend of contracting out ticketing, the fact that the URL pointed to some third party website and not a subdomain of the city or county sites wouldn't have set off any red flags either (although one hosted in the Czech Republic would :). The red-light tickets we get in the mail today direct you to the website of the contracted company and not to the city website.
Re: (Score:2)
I mean for this infection to work, the victim has to be not only stupid, but also not lazy. It has to have a low infection rate.
Or just too wrapped up in their own lives to notice other cars. Sure most would know that they aren't parked illegally, but then they'd be even more interested in getting to the website. Hell in some cities, one wouldn't even have to look hard for people parked illegally, as often double parking is the norm. Other towns have confusing rules about where and when one can park. Personally, I could see this as being a very effective attack, in particular if one wants to target a specific individual or small
Re: (Score:2)
I can't imagine there are a large number of people who are not only going to read the flyer, but take it home and remember to get on their computer and type in a URL from it. The "parking ticket" gambit seems pretty weak too if you look around and notice two things:
1. You are parked legally
2. Everybody else has these "tickets"
And that's before you notice that your local government is using a website like: http://qlmbix.ch/parkingticets.html [qlmbix.ch]
I mean for this infection to work, the victim has to be not only stupid, but also not lazy. It has to have a low infection rate.
I'll admit, the parking ticket might catch me enough to get to the site if the URL was realistic enough. Something ending in a foreign domain or some completely "out there" URL would set off my flags right away, but a good enough parking ticket scam might nail me at first.
But the instant I'd have to install something I'd stop what I was doing. I wouldn't care if the domain ended in .gov, I am very particular about what goes onto my PCs. I'd immediately look for alternative routes like the city's or count
Re: (Score:3, Insightful)
The "parking ticket" gambit seems pretty weak too if you look around and notice two things:
1. You are parked legally
2. Everybody else has these "tickets"
1. All the more reason you'd want to contest it
2. Maybe the people leaving the tickets are instructed to ticket only 1/10 cars down a street? Even if not, I see people getting tickets all in a row quite often. Metermaids cut wide swaths with their pens.
That's how you make money on these things (Score:3, Insightful)
I mean for this infection to work, the victim has to be not only stupid, but also not lazy. It has to have a low infection rate.
We have an abundance of uneducated people in the US, specifically those who don't know or understand the dangers of the internet. Also, a low infection rate is all it takes to get some return on investment.
To top it all off, Americans are first and foremost a scared people, especially of our own government and of forces outside our borders. Heaven forbid you piss off the governme
Re: (Score:2)
If you target a big company or something, all you need is one person to be stupid, and that's not just probable, it's certain. That's why this stuff works.
The person may very well know they're legally parked, and so they'll take the logical next step: they'll contact the issuing body to complain, and look, they left the address of their handy website! And, look, they have a photo app, so I can see what bastard got a ticket, then stuck it on my car!
It's clever.
Re: (Score:2)
Cops handing out bogus tickets is all too believable in some cities and towns, particularly the cash strapped ones.
Re: (Score:2)
1. You are parked legally
If you read the SANS article, the fake site apparently has a photo of the ticket recipient's car.
The example car is taking up two parking spaces.
Maybe everyone gets the same photo, but I suspect that the person who did this found a new way to take their frustration out on idiots who can't figure out how to operate their vehicle, rather than the tried and true method of parking against their doors so they can't get back in.
Re: (Score:2)
Maybe everyone gets the same photo...
Obviously. If you read the text above the photo in the image, you can see that there's a lot of different car images to choose from to "find" your car in. Naturally, there's absolutely no need to create real individualized photos for a malware site, even for a "revenge" site rather than a traditional one. You would only go to that kind of trouble if the site were legit.
It works better when they are parked legally (Score:3, Insightful)
Re: (Score:2)
1. You are parked legally
2. Everybody else has these "tickets"
You've never been to Philly have you? Hell, I hear they even have a TV show about those ticketing madmen now...
Some should rip in to the fake person giving out t (Score:3, Informative)
Some should rip in to the fake person giving out the tickets like people do to the real meter maids, as you see on A&E's Parking Wars. And if they are not real, say I'm calling the cops, as I don't think they will like to have people giving out fake tickets.
Re:Some should rip in to the fake person giving ou (Score:5, Funny)
Some should rip in to the fake person giving out the tickets
How do you catch a fake person? Fake traps?
More important than a face on the criminal (Score:3, Funny)
There is also a neck we can hang them from... someone police can pursue and arrest, more direct money to follow... leads.
I really want to see some terrible, nearly unimaginable things happen to these people. Some people feel this way about drug pushers. Others feel this way about child molesters. For me, it is malware. Oh I think of the children too, but frankly, a lot can be done in the way of prevention if only most parents paid attention to their own children that would address a good portion of the child molestation thing and as drugs go... well, once again, people don't get hooked on drugs unless they had some other problems that precipitated it first. If they were raised well, odds are better that they'd not be a drug addict.
Should be pretty easy to stop (Score:3, Interesting)
Oh, wait. Registrar accreditation is handled by these bumbling idiots. And how many ISPs that offer hosting services respond to much of anything?
Omg... (Score:2)
Now you can get viruses by looking at anything with text on it!
WARNING This virus requires:
-A Computer running Windows
-Human stupidity, but not that much (I would fall for that maybe)
Re: (Score:2)
The computer not only needs to be running Windows, but also IE according to the exploit report.
This is hardly the first virus to use that method - I've heard of similar 1-click or no-click infections using flaws in IE (specifically because it is the dominant browser - other browsers have flaws, too).
And from the initial poster, new viruses rarely have signatures right away - it usually takes several days from the initial report before they appear in a definitions file. When my wife popped a malicious e-car
The weirdest thing just happened to me (Score:5, Funny)
I went out to my car to go to lunch and there was this Nigerian Prince and his entourage standing there and he said he needed my help to move some cash out of his country for his dead uncle or someone.
You don't even need a Virus or Malware to pull thi (Score:3, Insightful)
You don't even need a Virus or Malware to pull this off. All you need is a pay on link that takes your CC #, and that likely will work even on super locked systems.
Re: (Score:2, Funny)
Bad idea (Score:3, Funny)
To make it much worse, YOU can catch him and take revenge for every spam/malware/spyware/virus you received ever. We can get an updated version of witch burning for the XXI century.
Windshield fliers (Score:3, Funny)
Dear fliers-posting malware authors (Score:5, Funny)
I don't have a car, you insensitive clod!
I bet the antivirus companies didn't have it ... (Score:5, Informative)
... right away because they get their earliest warnings from honeypot machines and this one uses an offline vector.
Re:I bet the antivirus companies didn't have it .. (Score:2)
I bet the antivirus companies didn't have it right away because they get their earliest warnings from honeypot machines and this one uses an offline vector.
Well, they also monitor network traffic looking for network usage signatures that are likely to be worms or viruses and do not match known malware. I suspect the limited range of this malware causes little traffic, since it is only machines from a tiny number of people who obtained a flyer. It is likely just not big enough to have shown up yet.
Re: (Score:2)
Besides, not all virus scanners can search the contents of all installer types, and the installer is what was passed to the site. The results of the installation will probably trigger more virus scanners.
NEWSFLASH!!! (Score:2, Insightful)
Malware is, and always will be, a stupid user issue. You can't solve stupid user issues with technology. Antivirus software is a sham, and a virus itself.
Give Darwin a chance, folks. (Score:2)
And we informed slashdotters will use Firefox with the NoScript extension and laugh at them.