Malware scam appears to use GPS data to catch speeding Pennsylvania drivers (theverge.com)
98 points by febed on March 28, 2016 | 27 comments


I'm fairly skeptical of these stories, for the simple reason that this seems like far too much effort to go to just to deliver malware. If the scammer were trying to get people to pay the fines, that would make a lot more sense - it'd be over $100 a mark. But commodity malware infections are worth maybe a few dollars per host. Not much to use your clever multi-platform location-collecting scam on.

If these stories are accurate, I suspect the malware being delivered is pretty interesting. I think it's more likely that there's a way simpler explanation, though.

The scammers might just be sending out emails to people that they have an email address and physical address for (which could have come from any of a number of data dumps), with random times and random major streets near the physical addresses. A certain portion of the time, this will just happen to match up closely enough with someone's real driving for them to think it matches their memory. It only takes a few cases to get a police department to take note and then amplify it through local media.


Looking at the linked police statement, it seems likely to be spear phishing targeted at a company in the area.

> A local corporation contacted the police department advising that an employee had received an email


You'd get an infected phone and a linked infected computer. This can bypass 2-factor authentication (e.g. for banking with TAN by SMS).


The primary objective might be to get them to pay the fine. But since they don't have an actual photograph of the license plate, they may have placed malware at the license plate link as a secondary objective?


They say these events are very localised at the moment. Maybe they are targeting/phishing for someone in particular?


That was my thinking as well. It's such a sophisticated application when there are so many easier targets.


Unless it's either (a) a crazy person stalking some specific people he already has some information on, or (b) a campaign against specific people who are targeted for a hack. (I guess in either case the police should be able to connect the dots between them, but to paraphrase that Lebowski movie, I'm sure they're working in shifts.)


Here's a slightly earlier article about this: http://www.phillymag.com/news/2016/03/25/speeding-ticket-sca...

Nothing in either story explains why the victims would be geographically clustered in Pennsylvania. But if the scam was prevalent elsewhere, I'd think we'd be hearing more people saying "I got one too!".

I wonder if there's some other angle than a shared smartphone app that explains the locality better: a disgruntled neighbor with a radar gun, or something. The obvious problem with any local theory, though, is that it would have to explain discovery of the email addresses.


I like how that article refers to the cops as "very sporting" for not enforcing these fake tickets.


A local business or gov't entity got breached, possibly an insider, and due to living there now or in the past has local knowledge of popular roads that 80% of their targets would be familiar with. Or if they didn't live there it'd be pretty easy to use public records to see where traffic tickets are given out most, where traffic cams are installed, etc.


This seems like a huge amount of effort to get malware onto a computer. While it seems technically plausible, the steps involved (getting a compromised app onto devices, harvesting contact and location data, waiting for a subset of the infected population to speed, then delivering more malware to them via email) make me rather dubious.


I'm not sure they'd need to get a compromised app on. Don't some mobile advertising networks collect GPS data and other personal information and allow advertisers to use it for targeting?


Advertising networks probably (hopefully?!) wouldn't have the user's name and email address.


This is exactly why you wouldn't suspect it to be malware. :)


It seems like after the initial program this type of scam doesn't require that much effort... just let the programs run.

Also... "waiting for a subset of the infected population to speed" I'm gonna go ahead and say that subset is about 99% of the population. Even if you don't speed, like most people do, there's plenty of areas for this malware to "catch" you, like when the speed limit drops unexpectedly or you are not sure of it when pulling on to a road.


I'd be interested to see what kind of malware it is. Is it just an EXE that does bad things to your computer but still requires executing and clicking the confirm button (since it is probably not signed)? If so, what devices does it target? I always feel fairly safe on my iPhone because there are currently no exploits we know about (and I think a hacker is smart enough not to let it loose in the wild. He would only use it for targeted attacks since such an exploit is worth a lot of money and would get detected eventually). On my phone I also can't execute apps from outside the App Store (I know there are profiles and enterprise certificates but that process is a little suspicious).

Also, if the hacker already compromised one app, what could he possibly want to infect if the app is already affected?

What I think is that an ad company is too generous with their user data and somebody just bought an ad that only targets that geographical region. That would explain the territory.


Just drivers in one locality? Sounds more like the police network has been compromised than GPS capable malware.


The redacted email also says it contains a picture of the license plate. How could that come from a cracked phone?

It sounds more likely that some photo based speed trap has been compromised.


It's just a link that claims to be a picture of the license plate. The link's actual target delivers malware to the device.


The malware could have some local vector, I highly doubt the police network would have that level of access *scared emoji*.


I've consulted on software projects for police networks. Admin level access is easy to come by. There's a lot of trust in firewalls, once you're beyond that it can be fairly open.


Maybe the GPS is just used to extract location info about routes taken? Then you just look up the speed limit, and make up a plausible number, no need to actually track their speed. Think like a con man, not a programmer.


Good point, and to further your idea, even the GPS isn't necessarily required for this scam. If you've obtained a table with everyone in the city's home address along with every street name and speed limit in the city, then you could phish using streets that a person is guaranteed to use when going to and from their home. Using reasonably moderate speeding estimates it seems like a lot of people would assume it's accurate data.

The article didn't make it clear how specific the alleged GPS data is (just says "accurate local township road removed"), so I'm skeptical of how likely it is that GPS malware is actually being used here.


Shit, if I'd done this, I'd just have attached a faked ticket with a working bank account. Or a dead drop for people to send cheques to. No need for malware, that doesn't pay as much as a $10 speeding ticket.


I expect you'd be easily traced by this account number and then face charges of producing counterfeit official documents.


You would think that but plenty of these scams run for ages without getting the accounts shut down.


> it's suspected that the data is coming from an app with permission to track phone GPS data.

I'm not sure why the app stores even allow this feature to be enabled. It seems there should be some additional vetting of applications / fees if they want to enable this incredibly intrusive feature.

Every once in a while I look at the privacy settings on my iPhone to make sure I didn't accidentally enable this feature.
