About that speeding ticket – it’s a scam
- By Kevin McCaney
- Jan 24, 2012
One thing worse than getting a traffic ticket in the mail would be getting a traffic ticket that’s actually a phishing scam trying to download malware onto your computer.
Government employees in Seattle recently received e-mails purporting to be from the city’s Department of Motor Vehicles, telling them they had been clocked driving over the speed limit and instructing them to click a link to fill out a form, according to an alert from the Seattle police.
The link takes them to one of several recently registered domains overseas. Microsoft’s Malware Protection Center, which is investigating the scam with the Seattle PD, wrote in a blog post that one of the links went to a domain in Ukraine registered on Jan. 16.
One tip-off that the e-mail isn’t from the Seattle DMV is that the date of offense on the ticket is listed in the European style, with the day of the month first, followed by the month and year, such as 20/12/2011. Another tip-off is that Seattle, like every other municipality, doesn’t send tickets via e-mail. They still rely on the Postal Service for that. (In many places you can pay tickets online, but you still won't receive them electronically.)
All of the domains to which Microsoft has traced the phishing campaign are newly registered, “so this is a new spam campaign,” Microsoft said.
But it’s not a new trick. In August 2011, police from New York to Hawaii issued warnings about a nationwide spam campaign that purported to be “Uniform Traffic Tickets” from state police departments.
Recipients were told an attached .zip file in the e-mail was a copy of their ticket, which they were to fill out and send to a town court. The attachment contained malicious software that would install itself on the recipient’s computer if they opened it.
The social engineering trick used in these campaigns -- posing as an authoritative organization such as a human resources department, credit bureau, tax department or some other government entity -- is one of the most common phishing tactics.
Microsoft said the best ways to avoid getting hooked by phishing scams are to keep security software updated and learn to recognize phishing tactics.
Kevin McCaney is a former editor of Defense Systems and GCN.