Hundreds of government employees in Seattle, Washington received fraudulent emails yesterday that appeared to be traffic violation notifications but were, in fact, vehicles for infection by malicious software.
According to the Microsoft Malware Protection Center and the Seattle Police Department, hundreds of individuals with Seattle.gov e-mail addresses began receiving the fraudulent parking ticket announcements on Thursday. The messages have the subject “Seattle Traffic Ticket” and claim the recipient committed one of a number of violations, including speeding.
Clicking a hyperlink in the e-mail message loads an iframe that redirects users to a Ukrainian IP address. According to TechNet, the site contains an obfuscated JavaScript that exploits bug in the Microsoft Data Access Components (MDAC) that was patched in 2006.
If successful, the exploit will download an executable from a .ru domain. Windows is detecting the file as Worm:Won32/Cridex.B. The malware then attempts to connect via SSL to “jahramainso[dot]com.” The malware can also update itself by communicating with its command and control server. The host appears to be deploying the same file at present that was detected in the initial infection, but the authors may try to evade detection by altering the host with which it communicates.
According to a blog post from the Seattle Police department, the email reads as follows:
From:
Sent: Tuesday, January 17, 2012 8:18 PM
To:
Subject: SEATTLE TRAFFIC TICKET
Seattle — Department of Motor Vehicles
TRAFFIC TICKET
SEATTLE POLICE DEPARTMENT
THE PERSON CHARGED AS FOLLOWS
Time: 0:11 AM
Date of Offense: 20/12/2011
SPEED OVER 50 ZONE
TO PLEAD CLICK HERE AND FILL OUT THE FORM
The bottom line of the email contains a link which contains the poisoned link. Individuals with updated systems are not vulnerable to this attack.
Read more on Microsoft’s Technet Web site.
