E-ZPass phishing scam

Published: 2014-07-14
Last Updated: 2014-07-14 19:45:13 UTC
by Daniel Wesemann (Version: 1)
9 comment(s)

Over the last couple of days, we have been seeing a number of quite credibly looking phishing emails that impersonate toll-road providers in the US. The agency affected by the current wave is E-ZPass, a toll charging system used mainly in the Northeast. Adapting the template to match the colors and fonts of other organizations, like Florida's SunPass, would be easy to accomplish for the scammers though, so chances are that we will see more of this.

Since toll road agencies can impose stiff fines for violations or if road and bridge charges are not paid in time, people might fall for it and click on the link just to make sure. In the samples at hand, the link was pointing to www . ruckon . pl (spaces added to de-fang), and returned a ZIP with an EXE or directly an EXE. Hat tip to ISC reader Wayne for providing the latest sample.

 

If you receive similar emails that impersonate other toll road providers, please let us know.

 

Keywords: phising
9 comment(s)

Comments

Right here.

hxxp:// www. poseidwn. gr /tmp/api/X2xAyQ8C9A4[...]LXW1JMDrl+JJADKc=/toll

Mail originated at a server hosted by a company called hostable. I'll email you the full header.
Some technical details here:
http://garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html
Also here: http: //www.viverssantamaria. com/ components/api/YwKCbs[...]/zFO/8ZhdQogumi158=/toll
Email came from: 188.40.94.66 (hostup.ru)
After the user clicked the link it downloaded an .exe from the viverssantamaria domain above, the machine then started Posting to the following IPs:
207.210.106.58
151.3.8.106
76.74.184.127
88.255.149.11
113.53.247.147
203.157.142.2
91.121.70.14
142.4.60.242

At first glance appears to be some sort of new Kuluoz variant of the ASProx botnet:
http: //www.scmagazine.com/asprox-botnet-campaign-shifts-tactics-evades-detection/article/357472/1/

Snort flags it as "Kuluz/Asprox Activity".
The odd thing about this is that Virginia Dept of Transportation send out warning emails that looked bad in themselves. The headers indicated that they came from the right place but the rest was obfuscated. This confused the issue immensely. Just a few lines of text would have been better.

The result of the whole event was nontechnical folks sucked it on the initial phishing and us tech paranoids didn't open the legit email because it was packaged in a goofy way. Duh!
Oddly enough the only people I know to receive these emails (and it's quite a few) are people who have an EZPass account. People who don't have an account haven't received it. Made me suspicious, so I sent an email inquiring as to whether I should be worried about my password or credit card info. The email must have gone into a black hole because I have yet to receive any response........
> only people I know to receive these emails are people who have an EZPass account
Might be a case of sample bias :). Only people who know what EZPass is are going to recognize the phish as such and report it. Everyone else who opens the email just sees an ugly pink-mauve color scheme, and likely moves on to the next email in their inbox without wasting another thought on this. From the samples that I have seen so far, it didn't look correlated to a specific common source of address information.
I don't have an EZPass account, being Canadian.
Got another one today, it's all yours Daniel.
Old news considering the timeline on this, but I got another one of theses today. I'd be concerned about the E-ZPass database too, except that the email I received the phish from is not attached to my E-ZPass account. Also being Canadian, you can still can have an E-ZPass account.

Diary Archives