Authorities are warning users to be on the lookout for a speeding ticket scam that attempts to extort money from victims using fake email citations.
Earlier in March, the Tredyffrin Police Department wrote a post on the web portal for Chester County, Pennsylvania in which it explains how it came across the spam campaign.
“A local corporation contacted the police department advising that an employee had received an email indicating that he/she was speeding on local roads and needed to remit funds (in the form a fine) to ‘Citation@safe-browsing.com’ which provided a link and attachments for sending the funds,” the police department writes.
The scam email sent to the employee included the individual’s name as well as their correct speed, time, and location, which has raised the Tredyffrin Police Department’s suspicions that a “free mobility or traffic app” containing drivers’ information might have been hacked.
You can view a template for this spam campaign’s fake emails below:
In commenting on this scam, Salted Hash posits that attackers could have obtained the GPS information from a benign application and are now using it for malicious purposes. Alternatively, scammers could have accessed the information from a database that was left open online to the public, such as a poorly configured MongoDB.
Police departments and local courts in and around Chester County have been made aware of this campaign, though it is not clear how many users might have been exposed to the scam already.
“Many consumers will readily dismiss the possibility that someone would care about their location data, but this is a prime example of how this seemingly low value data can play into a larger attack,” said Craig Young, a cybersecurity researcher for Tripwire. “While a fake speeding ticket email might ordinarily be recognized as fake and ignored, including a person’s name along with a road they regularly drive immediately gives authenticity to the scam making it far more likely that the attack will succeed. Social engineering is one of the most fundamental tools in the hacking toolkit and every hacker knows that realism is key in these efforts.”
As it investigates this ongoing campaign, Tredyffrin Police Department would like to remind users that it never sends out citations in the form of an email or an email attachment.
It is also careful to point out that those who come across this scam should not open the email attachment, as attackers commonly disguise ransomware, spyware, and other malicious programs as seemingly legitimate email attachments and disseminate them via phishing attacks.
Softpedia reports that no malware is believed to have been distributed by this scam at this time.