Parking Ticket Scam Reminds That Identity Theft Is Still a Threat

February 08, 2009 08:01 AM
by Anne Szustek
A recent scheme involving fake parking tickets that instructed victims to go to a malware-installing Web site reinforces the need for online security vigilance.

Ticket Left on Windshield Is Really Online Scam

Shoppers in the Grand Forks, N.D., area found parking tickets lodged under their windshields recently.

The text of the tickets read, “PARKING VIOLATION This vehicle is in violation of standard parking regulations,” according to Ticket recipients were then told to go to a Web site so that they could “view pictures with information about your parking preferences” and install a toolbar.

It turns out that the so-called “toolbar” installation was a ruse to get ticket recipients to download a Trojan horse that installed malware, including a message that warned of purported security flaws and suggested downloading bogus anti-virus software.

Both the file and the security download had been flagged by McAfee anti-virus software. But the North Dakota-area ploy is momentous for reasons beyond the immediate threat to online security: it used real-world documents in order to conduct cyber-theft.

“Attackers continue to come up with creative ways of tricking potential victims into installing malicious software,” SANS Internet Storm Center researcher Lenny Zeltser, who blew open the scheme, was quoted as saying by The Christian Science Monitor. “Merging physical and virtual worlds via objects that point to website is one way to do this. I imagine we’ll be seeing such approaches more often.”

Related Topic: Other recent banking security breaches

The Grand Forks parking ticket scam is the latest hacker ploy uncovered over the past few months.

On Dec. 23, Atlanta payment services company RBS WorldPay disclosed that hackers had stolen some $9 million from people who received their salaries from payroll cards issued by RBS.

The hackers used the workers’ personal data and cards to get the money from ATMs in 49 cities including Chicago, Montreal, Hong Kong, New York and Moscow.

FBI Atlanta field office spokesperson Steve Lazarus, not confirming the $9 million amount, was quoted as saying by The Washington Post, “This was a well-coordinated attack by some pretty computer and network savvy people, even at the lowest levels of cashers taking cloned cards to ATMs.”

Ori Eisen, the founder of 41st Parameter, a fraud-loss consultancy, told The Washington Post that the ATM theft scheme was no shock, given that three of his clients informed him that ATM fraud was the reason for the loss of $50 million just in New York City over the course of one month.

Another payment systems company reported a security breach due to hacking last month. Princeton, N.J.-based Heartland Payment Systems was the victim of what it called one of the largest-ever personal information heists. According to the Arkansas Democrat-Gazette, Heartland “processes 100 million transactions a month for more than 250,000 businesses in the country,” with some 2 to 3 percent of those from companies in Arkansas.

Heartland launched a Web site to help assuage customers’ concerns. In the meantime, Arkansas banks Simmons First National and Bank of the Ozarks are issuing new debit cards to customers whose information may have been stolen. Bank of the Ozarks Vice Chairman Mark Ross told the Arkansas Democrat-Gazette that the data heist could also have reverberations nationwide due to Heartland’s heavy volume.

Retailers have also fallen prey to hackers. In August, federal officials arrested 11 people, three of them Americans, on charges of theft, conspiracy, computer intrusion and illegal sale of credit card data in connection with an alleged credit card fraud ring. Miami resident Albert “Segvec” Gonzalez, according to a grand jury indictment, apparently drove around Miami in search of unlocked Wi-Fi networks, allegedly hacking into the computer systems of BJ’s Wholesale Club in 2003. One of Gonzalez’s suspected co-conspirators broke into the customer data of TJX, which owns T.J. Maxx and Marshalls. Officials say that the group allegedly installed a program that showed TJX customer credit card data in real time.

TJX disclosed in March 2007 that hackers broke into its systems in July 2005 to mine some 45.7 million credit card numbers. According to company statements, a group of hackers first broke into records in July 2005, accessing transaction data spanning from January to November 2003. The company said that many of the credit cards had expired by that point, and that employees had already “deleted much of the transaction data in the normal course of business between the time of the breach and the time that TJX detected it, making it impossible to know how many total cards were affected,” wrote the Associated Press.
