We've heard a lot about savvy attackers marrying both physical and online tactics as part of their efforts to increase the levels of social engineering going into their nefarious schemes.
Now someone appears to have combined badware distribution with one of the modern world's other most loathsome scourges: parking tickets.
Sidenote: You never realize how ubiquitous the abject hatred for parking tickets is until you write something about them, or even more so, how to get out of them. I'm pretty sure the most highly trafficked piece I've ever written was about the launch of ParkingTicket.com about five years ago when I worked at CNET News.com. I could spend a month putting together an in-depth piece on some major piece of news and only draw several thousand page views. My short bit on the news release about the launch of the ticket site, which helps people beat the citations they received, drew like half a million hits in only several days.
Anyhow, SANS Institute researcher Lenny Zeltser recently uncovered the two-part parking ticket/malware scam. Someone placed phony tickets on the windshields of a number of vehicles in a parking lot in North Dakota, informing their owners that they had somehow violated the regulations and instructing them to visit a Web site for more details on their fines. Researchers at McAfee also highlighted the scheme.
Of course, upon visiting the advertised URL, people are told to download a piece of software to view pictures of their vehicle when it was "in violation," and that program instead delivers malware onto their computers.
"Attackers continue to come up with creative ways of tricking potential victims into installing malicious software. Merging physical and virtual worlds via objects that point to Web sites is one way to do this. I imagine we'll be seeing such approaches more often," Zeltser said.
This is a pretty interesting attack in several ways, and not just in that it marries physical elements with a malware threat.
Consider that one has to assume the attackers are in some physical proximity to their targets, which is certainly not the norm compared with the familiar picture of people sitting at computers in Eastern Europe or the Far East aiming their work at users in the Western world. This cuts both ways for the attackers.
While it lets them use their knowledge of the local environment to make the scheme seem more believable, they've also potentially made it easier for law enforcement to track them down. One of the biggest problems in stopping malware campaigns is that the perpetrators are frequently oceans apart from their eventual targets, making it nearly impossible for the cops to chase them down.
But if the law enforcers can instead just sit and wait for the next time someone spots the phony parking tickets and then start retracing the steps back to the attackers, well, you get the idea.
The really fascinating part is that almost no level of awareness of IT security issues will likely stop some people from falling for the multi-tiered attack. It's such a cunning new approach, and everyone hates parking tickets so much that they're far more likely to abandon their good judgment and click through anyway to see where the heck the annoying ticket came from.
Pretty crazy stuff. You simply can't trust any unknown Web site these days, and you have to keep your guard up for malware scams even when you're nowhere near a computer.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.