
Malware Spreading Via ... Windshield Fliers?

wiedzmin writes "Another interesting article published by the SANS ISC Handler's Diary is describing a very unusual vector for malware distribution — windshield fliers and fake parking tickets. A website URL provided for "disputing a ticket" actually leads to a malicious website, and a "toolbar" required to find the photo of your violation is, you guessed it, a trojan posing as a fake antivirus. The best part is — according to the VirusTotal report, it doesn't look like most antiviruses have signatures for this one yet."

  • by damn_registrars ( 1103043 ) * <damn.registrars@gmail.com> on Wednesday February 04, 2009 @02:21PM (#26727721) Homepage Journal
    After all, do you know what a parking ticket looks like in your city, to be able to distinguish between a real one and a fake? I would suspect that most people who recognize the real thing either wouldn't bother to try to contest one, or don't do anything about them anyways. But for the larger portion of a city's population who has not been ticketed, they could well have a hard time telling a fake from the real thing.

    And then you add in people who are from out of town, who would much rather not have to go back to your city to deal with a ticket...
  • Re:Clever idea... (Score:3, Interesting)

    by John Hasler ( 414242 ) on Wednesday February 04, 2009 @02:26PM (#26727799) Homepage

    Depends on how many people actually pay the fine.

  • by damn_registrars ( 1103043 ) * <damn.registrars@gmail.com> on Wednesday February 04, 2009 @02:27PM (#26727807) Homepage Journal
    If the flier says "go to evilticketcontesting.com", you just need to find who that domain is registered to, and contact the registrar and ISP to have it shut down. This is quick and straightforward, since internet registrars all keep good records of who they sell domains to, and all ISPs respond quickly to requests that are written in plain English. We should have this problem licked in time for dinner.

    Oh, wait. Registrar accreditation is handled by these bumbling idiots. And how many ISPs that offer hosting services respond to much of anything?
  • Re:Clever idea... (Score:3, Interesting)

    by Zerth ( 26112 ) on Wednesday February 04, 2009 @02:29PM (#26727847)

    Ah, but have you ever seen those 5 cent plastic signs advertising DatingIn.com? Somebody local to you nails/stakes those (and probably all those other signs) and they do it for stupid cheap.

    Ad agencies realized people will put those up for a pittance if you didn't care where they went, just wherever someone was already going for work/shopping/etc. And those things are everywhere.

    Heaven help us if they were to get the idea to give the homeless a bottle of rotgut and a pad of these malware tickets. It'd be like covering your car with post-its.

  • by Guiness17 ( 606444 ) on Wednesday February 04, 2009 @02:29PM (#26727855)
    Agreed, I could've fallen for this myself. I got a ticket about a year ago in a city I didn't live in, and lo and behold, it had a website on it for paying online. Ticket looked official, but on second thought, I couldn't be sure, having never seen one from that city before. I blindly typed in the URL... I'd like to believe I would have picked off a phishing scam, but still, I took the first step.
  • by pavon ( 30274 ) on Wednesday February 04, 2009 @02:37PM (#26727933)

    1. You are parked legally
    2. Everybody else has these "tickets"

    I've gotten tickets when I was parked legally and successfully contested them. All the other cars on the block were also incorrectly ticketed at the same time - apparently a cop misunderstood the parking rules, or didn't know how to operate a watch.

    Furthermore, given the city's trend of contracting out ticketing, the fact that the URL pointed to some third party website and not a subdomain of the city or county sites wouldn't have set off any red flags either (although one hosted in the Czech Republic would :). The red-light tickets we get in the mail today direct you to the website of the contracted company and not to the city website.

  • Re:Clever idea... (Score:5, Interesting)

    by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Wednesday February 04, 2009 @02:40PM (#26727975) Journal

    Depends on where you target your fliers. Put 'em around city hall, and you may be able to get some schmuck to compromise their internal network. Or a bank, or a big company, etc, etc.

    That would be the big advantage of being able to geographically target your scam.

  • by pluther ( 647209 ) <pluther@@@usa...net> on Wednesday February 04, 2009 @02:50PM (#26728079) Homepage

    Not always.
    In Eugene, Oregon, for instance, much of the parking is contracted out to a company called Diamond, which has the authority to issue tickets.
    These tickets have no phone numbers on them, though they do include an address to mail your payment to.
    There seems to be no way of contesting the tickets, either, which was annoying a while back when I got a ticket about a minute before the time had expired.

  • Re:Clever idea... (Score:5, Interesting)

    by Zerth ( 26112 ) on Wednesday February 04, 2009 @02:51PM (#26728097)

    Sure, some security testing firms have already added "leave trojaned USB sticks in the parking lot" to their list of tests.

    Slap these on cars before lunch, everyone who goes out to lunch will probably check the url when they get back on their work computer.

  • Re:Neat but.. (Score:5, Interesting)

    by Anonymous Cowpat ( 788193 ) on Wednesday February 04, 2009 @03:58PM (#26728945) Journal

    Except in the UK, where it's a public servant with little or no training who, in some instances, actually has more power than a real police officer.

  • Re:Neat but.. (Score:4, Interesting)

    by bornwaysouth ( 1138751 ) on Wednesday February 04, 2009 @04:02PM (#26728995) Homepage
    What a waste of an idea. I don't understand why they were messing about with such a low payback as malware. Spam relies on say a 0.1% success rate, but millions of fliers. Physical fliers are too costly.

    Now, handing out fake tickets to those obviously illegally parked could net a useful income for a while. Especially if the 'objections' site informed you that they had a substantial backlog of cases, and had to be evaluated, parameterized and prioritised. ("and we hope to get back to you before the one month follow up or discard period has passed.") It should be good for two weeks of Paypal heaven. Of course the flier distributor would be caught on video, and identified as wearing a sort of uniform with dayglo highlights including a cap and sunglasses, but hey, it's a clue isn't it.

    The other worthwhile bit would be advertising. Being caught doing something illegal has your attention. Wow, what an attention grabbing gift. You actually are likely to read the flier. Going to a site www.payubastards.com would be sufficient warning that you are not in standard territory. Opening page tells you that you are (1) a miscreant and (2) so what, rip up the notice and enjoy the site, brought to you by ....

    Of course, city councils would be furious at the disrespect and would find something illegal about it. But if the site poked fun at council misspending and other idiocies, the shut-down could become politically expensive. Political change could be the real objective of the fliers.
  • Re:Neat but.. (Score:5, Interesting)

    by 1729 ( 581437 ) <slashdot1729@nOsPAM.gmail.com> on Wednesday February 04, 2009 @05:04PM (#26729641)

    Now, handing out fake tickets to those obviously illegally parked could net a useful income for a while.

    Someone did that for a while in Madison, WI:

    http://www.madison.com/tct/news/stories/302436 [madison.com]

    His trial begins on the 19th.

  • by FangVT ( 144970 ) on Wednesday February 04, 2009 @05:30PM (#26729929) Homepage

    Agreed, I could've fallen for this myself. I got a ticket about a year ago in a city I didn't live in, and lo and behold, it had a website on it for paying online. Ticket looked official, but on second thought, I couldn't be sure, having never seen one from that city before. I blindly typed in the URL... I'd like to believe I would have picked off a phishing scam, but still, I took the first step.

    Which suggests the best way to distribute these might be to go near some touristy place and put these on cars with out of state plates.

  • by collinstocks ( 1295204 ) on Wednesday February 04, 2009 @09:56PM (#26732477) Journal

    I suppose that in a certain way, many Linux distributions help with this. They condition users only to install applications from the software repositories.

    Package managers do not need to be exclusive to Linux. It might be a positive thing for Microsoft to create a package management system of "trusted" programs and force all other executables to be run in a sandbox.

  • Re:Neat but.. (Score:3, Interesting)

    by sumdumass ( 711423 ) on Wednesday February 04, 2009 @11:59PM (#26733431) Journal

    Do you think the little kid is going to take a felony spot for a $40 bag of weed? Hell no, he is going to rat you out in a heartbeat when someone ID's them off the corporate office's parking lot surveillance camera footage.

  • by Anonymous Coward on Thursday February 05, 2009 @12:20AM (#26733579)

    They should put some of those parking tickets on cop cars. See how many cops fall for it!
