Hit ’em where they drive

Nothing, I suspect, makes a bogus email more persuasive than the inclusion of something actually (sort of) true. This particular scam, by that reckoning, is utterly convincing in its presentation:

A new malware scam is posing as a speeding ticket email with a fake link that is said to load malicious code onto users’ computers. The emails, sent to at least few local residents in Tredyffrin, Pennsylvania, purport to come from the local police department. Malware emails that masquerade as something official are not rare, but these messages are fairly unique: they are said to contain accurate speeding data, including street names, speed limits, and actual driving speeds, according to the Tredyffrin Police Department, located close to Philadelphia.

It’s suspected that the data is coming from an app with permission to track phone GPS data. That could either be a legitimate app that has been compromised, or a purpose-built malicious app that was uploaded online. As anyone who has used a GPS navigator knows, location data can be used to roughly calculate your travel speed. The emails ask for payment of the speeding ticket, but no apparatus is set up to receive such fines. Instead, a link that claims to lead to a photo of the user’s license plate instead loads malware onto the user’s device.

“Citations,” says the PD, “are never emailed or sent in the form of an email attachment.” Still, people believe that banks and such will send you email to ask you your email address — which they obviously already have.

“Tredyffrin,” incidentally, is Welsh; it only looks like a J. K. Rowling place name.

Tweet





Comments are closed.