Either these people are stupid, or they make a lot more money from a single successful exploit than I ever imagined. Look at the time it would take to cover many cars like this, then the obstacles to overcome before they get control of a computer:

1.) Target needs to think the ticket is real,
2.) And must believe going online is better than checking with the police.
3.) The target needs to have a computer,
4.) With Internet access,
5.) And be fairly comfortable on the Internet,
6.) Yet not be so tech-savvy as to realize the ploy.
7.) Then must be interested enough to check for photos of their vehicle,
8.) And chooses to install a toolbar to see.
9.) Must not have reliable security software,
10.) And is presumably running an unpatched OS.

Those are just what I can think of off the top of my head, yet any link missing from that chain will cause the whole thing to fail.

This seems like a very inefficient way to deliver a payload.

Does anyone remember the printouts of Mickey Mouse displaying a rude hand sign, with the words "Nice parking [expletive], next time leave me a can opener to get out of the parking space next to you!"? Knew someone who kept a stack of these in his car.

Related, look up the sites venting frustration over lousy or selfish parking.

Maybe this is a variation on these old vents. Everyone hates scammers/spammers, make it out to be one of them. Seems just too localized to be anything else . . . .

I knew someone with a stack of those back in the early 1990's.

They made it at least as far as UK.

You have to admire the ingineousness and the effort these guys put into their schemes.

I'm with MatthewHSE on his list of requirements, however I think he's underestimated the number of morons on the internet. Most people are internet savvy when it comes to punching a web address, blogging, or saddening your life on Facecrap, but those same users are also idiots. They'll click on 'yes' to anything that pops up.

Add to that the fact they are pissed off they have a ticket, don't believe they should have it and want to see the proof.

These schemes absolutely do work. Just like SPAM email actually works and makes the scammers millions.

If these guys put that absolute genius to good work, I'm sure they could be extremely successful in the advertising world. Hey, if they could get me as many customers as they do through spam then I'd pay em'!

Hats off to them I say, the problem is with simpletons who blindly accept popups, not them.

I thin martinibuster used the words 'ignorant and ambitious' to describe folks like this.

---

System: The following 2 messages were spliced on to this thread from: http://www.webmasterworld.com/foo/3843573.htm [webmasterworld.com] by tedster - 3:05 am on Feb. 6, 2009 (EDT -5)

---

[news.bbc.co.uk...]

Hackers have discovered a new way of duping users onto fraudulent websites: fake parking tickets.

Cars in the US had traffic violation tickets placed on the windscreen, which then directed users to a website.

The website claimed to have photos of the alleged parking violation, but then tricks users into downloading a virus.

This is sneaky and I'm sure there will be many variations on this theme if it proves to be successful. I'm guessing few computer professionals would fall for this sort of scam, but it may be worth warning family and friends.

Kaled.

Wow, what's infection vector is next? Those signs along the side of the road with strange domain names for dating services? ;)

This is pretty big news. I am extremely switched on (or at least I think I am) when it comes to online stuff but when they try and target you in the real world, that is scary.

I wonder just how many newspapers etc fully check urls before their ads run. And that is just one example.

This parking ticket example is quite worrying.

Something about this story just doesn't ring true with me. Too many specifics are missing:

"Cars in the U.S." and "vehicles in Grand Forks" -- how many cars? 1 car? 5 cars? 500 cars? 5000?

Where were these cars parked? In one particular lot in the city? Or at a bunch of random places around town? Were they indeed parked illegally?

I've not seen a single reference to any actual car owner who found one of these fake tickets on his car. Are there any such people?

Did any of these car owners actually fall for the scam and install the fake toolbar and install the fake anti-virus program?

Did any car owners contact the city or county about their fake parking ticket? Did the city or county have any comments on the scam being perpetrated on its residents?

How did this scam come to the attention of the SANS Institute? Did one of the car owners contact them?

Have these fake parking tickets cropped up anywhere other than Grand Forks?

I have no trouble believing that the malware itself is real. There are specifics a-plenty on that. But I have to wonder if this report might not be a ploy designed to induce panic over a new "attack vector" and get more people to buy someone's anti-virus software, or perhaps an underhanded link-building campaign.

Does anyone have any more specifics on this story? I can find nothing beyond what's in the original report, which is too light on details to be truly believable.

Here's the SANS Institute report:

[isc.sans.org...]

Yes, I've read that report. None of the details I referred to are included.

Ah ha! Today the Grand Forks Herald has an article about these fake parking tickets, in which they show an image of the actual flier and name one person who actually received one of these fliers, followed the link, and got his computer infected.

The story becomes more believable when real details of actual incidents are available.

In looking at the image of the "fake parking ticket", and the web address that it directs people to, it's surprising that anyone fell for this. The flier looks nothing like a real parking ticket, and the domain name is a dead giveaway that it's not any sort of official site to pay a parking ticket.

So someone gets this totally bogus-looking "flier" accusing them of violating "standard parking regulations" and it directs them to visit a web site with a totally bogus-sounding domain name, and they do that, and they download and install a toolbar, and they're surprised that they got a virus?

None of the components of this scam looked even remotely real or official. This particular scam is only dangerous to people who click anything without thinking.

>This particular scam is only dangerous to people who click anything without thinking.

And there's lots of them about.

In addition, people are naturally curious.

I haven't seen the picture of the bogus tickets but I am sure that I could mock up something that looked genuine. It would need:
1. the standard plastic envelopes used for affixing tickets to the windscreen.
2. paper of a size that fitted the envelope
3. a url that looked as if it belonged to the sort of contractor that issues tickets.
If they got those three right then even I might fall for it unless I knew who the contractor for that location was.

I don't see the point however as it would be exposed far too quickly.

To me, it isn't the implementation that's impressive, it's the concept. Suppose someone targeted car parks with "claim your free pizza" fliers - plenty of people would bite!

The question is would enough people would fall for a scam of this sort to make the additional expense worth while. My instinct is no, but I could be wrong.

Kaled.

Its all very clever if you ask me