Friday, February 20, 2009

Parking Ticket Leads to PC Virus Attack

by Kevin M Nixon, MSA, CISSP, CISM, CGEIT

At 11:47 AM CST – 02-20-09 I posted this story on Daily Kos and my comment meter went off the scale.  People just couldn’t believe that something like this could be true.

I have to give a “SHOUT OUT” to my friend “Sparky” (Shannon Myers-Leitz at GotMetrics.com) for sharing this story.

Firewalls. Corrupted files. Spam with bad code.  Those were the traditional vectors hackers used to plant malware on a system or gain access to a workstation. Now they just give you a parking ticket.  

Last week the SANS Internet Storm Center discovered a case in Grand Forks, North Dakota, where yellow card-like fliers presumed to be parking tickets were found on cars in a parking lot.

The would-be tickets read: "PARKING VIOLATION: This vehicle is in violation of standard parking regulations."

The card then instructs the ticket recipient to visit a specified Web Site. From this point, hackers count on law-abiding users to go home and log on where, strangely enough, they'll see a picture of the parking lot where their car was. A few clicks later, a fake Internet Explorer security alert pops up asking the user if they'd like to do a quick antivirus scan. The infection starts from there.

Lesson learned:  Go Green! Take Public Transportation.

Forensics of the Hack

With the “Parking Ticket” in hand, lawful citizens went to the website only to discover a photo of their car!


The picture displayed was of cars in that location (not the ticket holder's car) with the prompt to use the Picture Search Tool. This leads the person to believe that they can search through a series of photos looking for their car. So CLICK, and then the fun begins.

The Picture Search Tool is known as a Browser Helper Object (BHO). The BHO seemed to wait for the user to browse the Internet a bit, and then brought up a pop-up with a fake security alert:

[Image: fake security alert error message]

The initial program installed itself as a browser helper object (BHO) for Internet Explorer that downloaded a component from childhe.com and attempted to trick the victim into installing a fake anti-virus scanner from bestantispyware securityscan.com and protectionsoft warecheck.com.
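
Because a BHO is a DLL that Internet Explorer loads into its own process, a workstation can be checked by listing every registered BHO and the file behind it. The script below is an added example, not part of the original article or the SANS analysis; it assumes the standard Windows registration keys for BHOs and COM classes and does not look for this particular sample. The function and variable names are made up for the illustration.

```powershell
# Added example: inventory IE Browser Helper Objects and the DLL behind each CLSID.
# Registry paths are the standard BHO/COM registration locations (an assumption,
# not values taken from the article).
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }   # 32-bit view on 64-bit Windows
)

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid    = $key.PSChildName
            $classKey = '{0}\{1}' -f $view.Clsid, $clsid
            $inproc   = "$classKey\InprocServer32"
            $dll = $null; $name = $null; $sig = $null
            if (Test-Path -LiteralPath $inproc) {
                # The default value of InprocServer32 is the DLL IE loads in-process.
                $dll  = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
                $name = (Get-Item -LiteralPath $classKey).GetValue('')
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            if ($exists) { $sig = Get-AuthenticodeSignature -FilePath $dll }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = $name
                Dll       = $dll
                Exists    = $exists
                Signature = if ($sig) { $sig.Status } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
            }
        }
    }
}

# List entries without a valid Authenticode signature (or missing on disk) first.
Get-BhoInventory |
    Sort-Object { $_.Signature -eq 'Valid' }, Dll |
    Format-Table -AutoSize -Wrap
```

An entry whose DLL is unsigned, sits in a user-writable or temporary directory, or has no recognisable vendor name is the one to examine before trusting any "security alert" the browser displays.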

Attackers continue to come up with creative ways of tricking potential victims into installing malicious software. Merging physical and virtual worlds via objects that point to websites is one way to do this. I imagine we'll be seeing such approaches more often.

© Copyright 2009 – Kevin M. Nixon – All Rights Reserved – See: Information Security Resources
(This article may be reprinted in whole or in part only with proper attribution to the author.)
