Monday, March 28, 2016

Malware-laden "speeding ticket" emails crafted using GPS data from users' own phone

Over the weekend, I came across an ingenious phishing scam seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving emails claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permission to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app or a malicious app built for the scam).

Targeted victims receive an email similar to the following:



As the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a "free mobility or traffic APP" is involved. The attached "infraction statement" does not actually contain a license image or any means of paying a fine; instead, it contains malware.


This particular event appears very focused, currently only targeting residents of Tredyffrin Township, a small town northwest of Philadelphia. The concept, though, is quite clever, and could have implications for enterprises. Many phishing campaigns send generic information to large numbers of targets, in the hope that a few will randomly be acted upon. The more information an attacker has to craft a targeted phish, the more likely it is to be successful. A phish created using real data from the user's own device can be very effective and very hard to detect as fraudulent, even for an alert user.



What can you do?


This particular scam has only been seen in Tredyffrin, but there is no reason to think it could not be reused elsewhere. Some things you can consider:

  • I am not aware of any government authority that legitimately sends citations by email. Tredyffrin Police specifically state that citations are never emailed or sent in the form of an email attachment. The same is true of the IRS, another authority commonly imitated for phishing malware scams.

    If you receive any unexpected email with attachments, even if (especially if) it appears to be from a government authority, treat it with skepticism. Call the authority, or go to their actual website, before opening any attachment.
  • Pay attention to the permissions requested by mobile apps. Local police suspect this scam uses a mobile app that was granted permission to access your device's GPS sensors. Mobile apps demanding permissions they do not actually need are a rampant problem - for instance, I've written of the creepy behavior of a Texas-based sandwich shop's loyalty app.

  • On Android devices, turn off app installation from Unknown Sources. There is not enough public information to say this particular scam originated with an off-market mobile app, but as a general rule, apps installed from lesser-known markets are highly risky. Google Play and Amazon's App Store for Android have a decent (not perfect, but decent) record of finding and eliminating malicious apps.

Update March 28 afternoon: Security firm KnowBe4 reports receiving word from a security researcher, who says this was his own project to test his own employees' response to a well-crafted phishing email, and not an actual scam in the wild. As this unnamed researcher states, his test scenario was so believable that a recipient forwarded it to the local police department, from which the news went viral.

While this may be true, the technique is incredibly effective and likely to be duplicated by actual attackers in the future. The above recommendations still hold true.