Phishers Bait City Workers in Seattle With Phony Speeding Tickets

Hundreds of government employees in Seattle, Washington received fraudulent emails yesterday that appeared to be traffic violation notifications but were, in fact, vehicles for infection by malicious software.

According to the Microsoft Malware Protection Center and the Seattle Police Department, hundreds of individuals with Seattle.gov e-mail addresses began receiving the fraudulent parking ticket announcements on Thursday. The messages have the subject “Seattle Traffic Ticket” and claim the recipient committed one of a number of violations, including speeding. 

Clicking a hyperlink in the e-mail message loads an iframe that redirects users to a Ukrainian IP address. According to TechNet, the site contains obfuscated JavaScript that exploits a bug in the Microsoft Data Access Components (MDAC) that was patched in 2006.

If successful, the exploit will download an executable from a .ru domain. Windows is detecting the file as Worm:Win32/Cridex.B. The malware then attempts to connect via SSL to “jahramainso[dot]com.” The malware can also update itself by communicating with its command and control server. The host appears to be deploying the same file at present that was detected in the initial infection, but the authors may try to evade detection by altering the host with which it communicates.

According to a blog post from the Seattle Police Department, the email reads as follows:

From:

Sent: Tuesday, January 17, 2012 8:18 PM

To:

Subject: SEATTLE TRAFFIC TICKET

Seattle — Department of Motor Vehicles

TRAFFIC TICKET

SEATTLE POLICE DEPARTMENT

THE PERSON CHARGED AS FOLLOWS

Time: 0:11 AM

Date of Offense: 20/12/2011

SPEED OVER 50 ZONE

TO PLEAD CLICK HERE AND FILL OUT THE FORM

The bottom line of the email contains the poisoned link. Individuals with updated systems are not vulnerable to this attack.
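A triage sketch for the two indicators reported above, added here as an example and not code from Microsoft, the Seattle Police Department or Threatpost: it lists who received the "Seattle Traffic Ticket" subject and which of them later made a CONNECT to the reported command-and-control host. The log formats, user names and function names are constructed assumptions.

```python
import re

C2_DEFANGED = "jahramainso[dot]com"   # written defanged, as in the article
SUBJECT = "seattle traffic ticket"    # lure subject reported in the article

# Constructed sample logs: hypothetical formats, users and timestamps.
MAIL_LOG = """\
2012-01-17T20:18:02 to=alice@seattle.gov subject="SEATTLE TRAFFIC TICKET"
2012-01-17T20:18:05 to=bob@seattle.gov subject="Seattle  Traffic Ticket"
2012-01-17T20:19:40 to=carol@seattle.gov subject="Budget meeting"
"""
PROXY_LOG = """\
2012-01-17T20:25:11 user=alice CONNECT jahramainso.com:443
2012-01-17T20:26:30 user=carol CONNECT notjahramainso.com:443
2012-01-17T20:31:09 user=dave CONNECT JAHRAMAINSO.COM.:443
"""

def refang(indicator):
    """Turn a defanged indicator such as 'a[dot]com' back into a hostname."""
    return indicator.replace("[dot]", ".").replace("[.]", ".").lower()

def lure_recipients(mail_log):
    """Mailbox names that received the lure subject, ignoring case and spacing."""
    hits = set()
    for user, subject in re.findall(r'to=([^@\s]+)@\S+ subject="([^"]*)"', mail_log):
        if " ".join(subject.lower().split()) == SUBJECT:
            hits.add(user.lower())
    return hits

def c2_clients(proxy_log, c2_host):
    """Users with a CONNECT to the C2 host or a subdomain of it (not lookalikes)."""
    hits = set()
    for user, host in re.findall(r"user=(\S+) CONNECT ([^:\s]+):\d+", proxy_log):
        host = host.lower().rstrip(".")   # normalise case and a trailing root dot
        if host == c2_host or host.endswith("." + c2_host):
            hits.add(user.lower())
    return hits

def triage(mail_log, proxy_log):
    received = lure_recipients(mail_log)
    beaconed = c2_clients(proxy_log, refang(C2_DEFANGED))
    return {
        "likely_compromised": sorted(received & beaconed),
        "received_only": sorted(received - beaconed),
        "beacon_without_lure": sorted(beaconed - received),  # e.g. lure read elsewhere
    }

if __name__ == "__main__":
    print(triage(MAIL_LOG, PROXY_LOG))
```

Because the operators may change the host the malware contacts, a recipient who clicked the link is not cleared just because no matching CONNECT appears.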

Read more on Microsoft’s Technet Web site

Discussion

  • Anonymous on

    A little funny and sad. Patch the damn OS.

  • SeattleCISO on

    Seattle employees have finely tuned radar for this cruft, and we partner with MSFT and other orgs for quick analysis.  We also had the vulnerability patched back in the Pleistocene and the link blocked within minutes of first receipt.  Seattle employees are not the issue - this is a national (so far) campaign, and the real impact is to unsuspecting home users.  An auto-response to any e-mail with that subject line lets the users know this is a scam, and to take appropriate steps if they've hit the link and been compromised.

    Note that this is similar to an attack using a King County property tax bill, although that was international (about 3 weeks ago).

    We seem to be popular bait.  I guess you could call that brand strength.

  • Anonymous on

    Why target a few Seattle city employees when there's the entire IRS to go after. Just saying.

  • jaffa on

    Great.
