Drivers targeted by GPS-based Phishing scam

Police in Tredyffrin, Pennsylvania are warning drivers about a new scam that uses accurate GPS information. The messages being sent to drivers claim to be speeding tickets; and in order to lend legitimacy to the scam, they contain accurate personal information as well as location data.

The emails contain an attachment, but it isn’t clear if the attachment itself is malicious. To be on the safe side, drivers are warned to avoid opening the attachment, because if it is malicious it could infect the system.

The email contains the victim’s first and last name, and it’s addressed to an email address they’re familiar with. In addition to accurate personal details, the email also contain valid GPS information (including roads traveled and speed.)

An example of the email was provided by the law enforcement agency:

From: Speeding Citation

To: [REDACTED]

Date: 03/11/2016 03:08 PM

Subject: [External] Notification of excess speed

First Name: [REDACTED]

Last Name: [REDACTED]

Notification of excess speed

Route: [REDACTED]

Date: 8 March 2016

Time: 7:55 am

Speed Limit: 40

Detected Speed: 52

The Infraction Statement contains an image of your license plate and the citation which must be paid in 5 working days.

The Tredyffrin police department raised the alert last week, and promptly notified other local police departments and the district courts.

The source of the GPS data isn’t known, but given the level of accuracy in the information provided, Tredyffrin police have placed the blame on some type of traffic or mobility application.

It’s possible the application isn’t malicious itself, but the information collected is being used for malicious purposes. This means the application could come from a third-party source, or directly from Google Play or iTunes.

Another possibility is that the information is being recorded in a database that has been left available to the public online (e.g. a poorly configured MongoDB instance) and criminals are abusing the stored data.

Either way, the Tredyffrin police department reminds drivers that citations such as this wouldn’t be delivered by their agency. Drivers who receive such a notification should ignore it.

At this time, it isn’t clear if drivers outside of Tredyffrin, Pennsylvania have received similar notifications.

“Many consumers will readily dismiss the possibility that someone would care about their location data, but this is a prime example of how this seemingly low value data can play into a larger attack,” said Craig Young, a cybersecurity researcher for Tripwire.

“While a fake speeding ticket email might ordinarily be recognized as fake and ignored, including a person’s name along with a road they regularly drive immediately gives authenticity to the scam making it far more likely that the attack will succeed. Social engineering is one of the most fundamental tools in the hacking toolkit and every hacker knows that realism is key in these efforts.”