
Malware scam appears to use GPS data to catch speeding Pennsylvania drivers - febed
http://www.theverge.com/2016/3/27/11312960/speeding-ticket-malware-scam-email-pennsylvania
======
jcrawfordor
I'm fairly skeptical of these stories, for the simple reason that this seems
like far too much effort to go to just to deliver malware. If the scammer were
trying to get people to pay the fines, that would make a lot more sense - it'd
be over $100 a mark. But commodity malware infections are worth maybe a few
dollars per host. Not much to use your clever multi-platform location-
collecting scam on.

If these stories are accurate, I suspect the malware being delivered is pretty
interesting. I think it's more likely that there's a way simpler explanation,
though.

The scammers might just be sending out emails to people that they have an
email address and physical address for (which could have come from any of a
number of data dumps), with random times and random major streets near the
physical addresses. A certain portion of the time, this will just happen to
match up closely enough with someone's real driving for them to think it
matches their memory. It only takes a few cases to get a police department to
take note and then amplify it through local media.

~~~
benguild
That was my thinking as well. It's such a sophisticated application when there
are so many easier targets.

~~~
13of40
Unless it's either (a) a crazy person stalking some specific people he already
has some information on, or (b) a campaign against specific people who are
targeted for a hack. (I guess in either case the police should be able to
connect the dots between them, but to paraphrase that Lebowski movie, I'm sure
they're working in shifts.)

------
nkurz
Here's a slightly earlier article about this:
[http://www.phillymag.com/news/2016/03/25/speeding-ticket-scam/](http://www.phillymag.com/news/2016/03/25/speeding-ticket-scam/)

Nothing in either story explains why the victims would be geographically
clustered in Pennsylvania. But if the scam was prevalent elsewhere, I'd think
we'd be hearing more people saying "I got one too!".

I wonder if there's some other angle than a shared smartphone app that explains
the locality better: a disgruntled neighbor with a radar gun, or something. The
obvious problem with any local theory, though, is that it would have to
explain discovery of the email addresses.

~~~
nsgoetz
I like how that article refers to the cops as "very sporting" for not
enforcing these fake tickets.

------
flashman
This seems like a huge amount of effort to get malware onto a computer. While
it seems technically plausible, the steps involved (getting a compromised app
onto devices, harvesting contact and location data, waiting for a subset of
the infected population to speed, then delivering more malware to them via
email) makes me rather dubious.

~~~
makomk
I'm not sure they'd need to get a compromised app on. Don't some mobile
advertising networks collect GPS data and other personal information and allow
advertisers to use it for targeting?

~~~
duskwuff
Advertising networks probably (hopefully?!) wouldn't have the user's name and
email address.

------
Matt3o12_
I'd be interested to see what kind of malware it is. Is it just an EXE that
does bad things to your computer but still requires executing and clicking the
confirm button (since it is probably not signed)? If so, what devices does it
target? I always feel fairly safe on my iPhone because there are currently no
exploits we know about (and I think a hacker is smart enough not to let it
loose in the wild. He would only use it for targeted attacks since such an
exploit is worth a lot of money and would get detected eventually). On my
phone I also can't execute apps from outside the App Store (I know there are
profiles and enterprise certificates but that process is a little suspicious).

Also, if the hacker already compromised one app, what could he possibly want
to infect if the app is already affected?

What I think is that an ad company is too generous with their user data and
somebody just bought an ad that only targets that geographical region. That
would explain the territory.

------
eli
Just drivers in one locality? Sounds more like the police network has been
compromised than GPS capable malware.

~~~
towelrod
The redacted email also says it contains a picture of the license plate. How
could that come from a cracked phone?

It sounds more likely that some photo based speed trap has been compromised.

~~~
artine
It's just a link that _claims_ to be a picture of the license plate. The
link's actual target delivers malware to the device.

------
Aelinsaar
Maybe the GPS is just used to extract location info about routes taken? Then
you just look up the speed limit, and make up a plausible number, no need to
actually track their speed. Think like a con man, not a programmer.

~~~
everly
Good point, and to further your idea, even the GPS isn't necessarily required
for this scam. If you've obtained a table with everyone in the city's home
address along with every street name and speed limit in the city, then you
could phish using streets that a person is guaranteed to use when going to and
from their home. Using reasonably moderate speeding estimates it seems like a
lot of people would assume it's accurate data.

The article didn't make it clear how specific the alleged GPS data is (it just
says "accurate local township road removed"), so I'm skeptical of how likely it
is that GPS malware is actually being used here.

------
mschuster91
Shit, if I'd done this, I'd just have attached a faked ticket with a working
bank account. Or a dead drop for people to send cheques to. No need for
malware; that doesn't pay as much as a $10 speeding ticket.

~~~
wojt_eu
I expect you'd be easily traced by this account number and then face charges
of producing counterfeit official documents.

~~~
supremeanger
You would think that but plenty of these scams run for ages without getting
the accounts shut down.

------
matt_wulfeck
> it's suspected that the data is coming from an app with permission to track
> phone GPS data.

I'm not sure why the app stores even allow this feature to be enabled. It
seems there should be some additional vetting of applications / fees if they
want to enable this incredibly intrusive feature.

Every once in a while I look at the privacy settings on my iPhone to make sure
I didn't accidentally enable this feature.

