A few weeks ago there was a quite large malspam pretending to be a Parking Charge Reminder spoofing UKPC Parking. Today the criminals behind this scam have changed tack slightly and are sending out what appears to be a Notice of Intended Prosecution (NIP) from Greater Manchester Police (GMP) . Action Fraud are aware of this and at least one of the websites delivering the malware has been shut down. There are loads of others. All the emails will have random dates and times, road names, Device numbers, random violation speeds and vehicle speeds for the alleged offence.
Update 12 December 2016: a new run of this malspam today. Details are the same as below with a difference in the sites.
Update 14 December 2016: Another malspam run of this with a few differences.
Update 4 January 2017: another malspam run with a few differences. The emails look just about identical, except the from is now allegedly from the speeding camera itself. It is wonderful what the Internet of things can do where individual speeding cameras can send you email notices of prosecution. The link in the email body no longer goes to a website where you enter a captcha. instead it goes via one URL to another which automatically downloads the zip file containing the js file.
In the example I received http://sanphamcuatui.com/nyzyfiay redirecting to http://connectw.com/finesave.php autodownload of ID_EA65359UK.zip which extracts to Photofixation.js . I am waiting for analysis of this js file. I cannot decode it to get the malware payload url myself and MALWR doesn’t find anything. Payload Security fails to save to webservice VirusTotal .
Thanks to our good friend Techhelplist we have the download URL 126.96.36.199/as/og/3/verty.exe ( MALWR) ( VirusTotal) I still don’t have a clue what it is or does though. I am informed it looks like ursnif banking Trojan.
One of the emails looks like:
From: Greater Manchester Police <email@example.com>
Date: Wed 14/12/2016 18:15
Subject: You are prosecuted for speeding – REF: 32APY44
Notice of Intended Prosecution (NIP)
In accordance with Section 1 of the Road Traffic Offenders Act 1988. we hereby apprise you that it is intended to take proceedings against the driver of motor vehicle. The email is the part of GMP Notification Service.
Particulars of the Offence
§ Fixed Speed Camera Number: 76QYL94
§ Time & Date: at 13:35 on 07/12/2016
§ Violation Location: B5207 Bryn Road, near Industrial Estate, Ashton In Makerfield, Wigan
§ Offence: EXCEED 25 MPH SPEED LIMIT
§ Your Vehicle Speed: 74
We have photographic evidence that the driver of motor vehicle failed to adhere with a speed limit at the date, time and location.
In your own case the notice was served on the owner of the motor vehicle as registered with the DVLA and your details have subsequently been supplied to us as being the driver at the time. The registered keeper, driver or legal representative may examine the photographic evidence now or later by appointment.
Examine Speeding Device Evidence Whether you agree with the NIP or not you have to complete the section 172 notice declaring who was driving the car at the time of the offence within 28 days. The NIP with the section 172 notice were sent to your mailing address. Copyright © Greater Manchester Police 2016
The malware gang have messed up with this email. The link doesn’t work. Reading behind the link we get !!!ОШИБКА ШАБЛОНА: ШАБЛОН закрыт в ‘[%%’ и ‘%%]’ НЕ ПРАВИЛЬНО!!! http://xn--c1adbannavibkecggnpf7r.xn--p1ai/g81t/save/atm6us/n0opv2kb.php%%] The Russian language translates to ERROR !!! PATTERN: PATTERN closed ‘[%%’ and ‘%%]’ NOT TRUE !!!
If you copy & paste the relevant parts to a browser you get to http://u4g4.localdrivesafe.com/enter/pointw/inserver/wbb/camera_photo/download.php ( which is once again a spoofed copy of the genuine Greater Manchester Police Casualty Reduction website) Entering the details and pressing submit downloads of a zip file 98411.zip ( probably random numbers) this extracts to Speed Detected Photo.js ( VirusTotal) Payload Security analysis shows it downloads from www.kitdoors.ru/wp-content/uploads/2014/01/b8lkifnzd/Coupon9854.pdf ( which is not a pdf but a renamed .exe file) and is renamed by the script to adprtext.exe ( VirusTotal)
Hundreds if not thousands of recipients might well be persuaded to follow the links in the email. We have all heard of innocent motorists who have received speeding tickets from hundreds of miles away, when you have never been to the town in question. It is unfortunately a common occurrence for number plates to be cloned and used in a totally different area to avoid speeding and parking fines for the criminals. It takes a lot of evidence to actually prove that you were not the offender.
One of the emails looks like:
From: Greater Manchester Police <firstname.lastname@example.org>
Date: 06 December 2016 16:25
Subject: Notice of Intended Prosecution G63119
Notice of Intended Prosecution (NIP)
In accordance with Section 1 of the Road Traffic Offenders Act 1988. we hereby apprise you that it is mandatory to take proceedings against the driver of motor vehicle. The email is the part of GMP Notification Service.
Particulars of the Offence
§ Fixed Speed Camera PBN: 15UXV23
§ Time & Date: at 11:23 on 06/12/2016
§ Violation Location: High Street, Burton Street
§ Offence: EXCEED 30 MPH SPEED LIMIT
§ Your Vehicle Speed: 84
We have photographic evidence that the driver of motor vehicle failed to comply with a speed limit at the date, time and location.
In your own case the notice was served on the keeper of the vehicle as registered with the DVLA and your details have subsequently been supplied to us as being the driver at the moment. The registered keeper, driver or legal representative may examine the photographic evidence now or later by appointment.
Examine Fixed Speed Camera Evidence Whether you agree with the NIP or not you have to fill out the section 172 notice declaring who was driving the car at the time of the offence within 28 days. The NIP with the section 172 notice were sent to your mailing address. Copyright © Greater Manchester Police 2016
If you follow the link in the email, you get a page looking like this, which is a good copy of the genuine GMP / casualty reduction partnership page. Sites discovered include:
The genuine Greater Manchester Casualty reduction partnership site is http://www.drivesafe.org.uk the fake ones delivering this malware are carefully created to look and sound identical to the genuine one. They use very similar domain names. ukdrivesafe.com and drivesafeuk.net
The fake sites look like this screenshot. The banner under submit is a rotating banner and changes every few seconds, so it might not look exactly the same.
Once you enter the required captcha in the box & press submit, you get a download of a zip file 87568.zip this extracts to Speeding camera photo.js ( VirusTotal) Payload Security analysis shows it downloads from http://billionsm.ru/wp-includes/Text/1l6kx6/Tax_info_user_00121.pdf ( which is not a pdf but a renamed .exe file) and is renamed by the script to adprtext.exe ( VirusTotal)
Other download sites we are aware of so far include:
- chenlijian.xyz/wp-content/themes/sketch/ii71d00naw/Unique_ticket.pdf ( 12 December 2016) ( VirusTotal) ( payload Security )
All these malicious emails are either designed to steal your Passwords, Bank, PayPal or other financial details along with your email or FTP ( web space) log in credentials. Or they are Ransomware versions that encrypt your files and demand large sums of money to recover the files.All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found.
The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
There are frequently dozens or even hundreds of different download locations, sometimes delivering the exactly same malware from all locations and sometimes slightly different malware versions from each one. Dridex, Locky and many other malwares do update at frequent intervals during the day, sometimes as quickly as every hour, so you might get a different version of these nasty Ransomware or Banking password stealer Trojans to the version we list here.
Be very careful with email attachments. All of these emails use Social engineering tricks to persuade you to open the attachments that come with the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball” or a report in word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see if it is a picture or document & not a malicious program.
If you see .JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received, and select extract here or extract to folder ( after saving the zip to a folder on the computer) that risk is virtually eliminated. Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.