Earlier this week, reports surfaced about a new E-Z Pass scam. The spam campaign used the E-ZPass branding to fool recipients into visiting a malicious website. E-Z Pass is the electronic toll collection system used by several state departments of transportation.

The E-Z Pass scam emails are likely to reach a large number of people who actually use the system, since the toll system is used in many cities. One of the emails we captured is shown in the image below. As you can see, the E-Z Pass scam emails use appropriate branding and warn the recipient that they have not paid for driving on a toll road. A link is included that supposedly lets the recipient view their invoice.

A quick search of PhishMe’s threat intelligence database shows that this is not the only email of this type that has been intercepted. The following related emails were also captured:

   date    |                subject                |           sender_name
-----------+---------------------------------------+----------------------------------
2014-07-08 | In arrears for driving on toll road   | E-ZPass Collection Agency
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | In arrears for driving on toll road   | E-ZPass Customer Service Center
2014-07-08 | In arrears for driving on toll road   | E-ZPass Info
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Collection Agency
2014-07-08 | Indebted for driving on toll road     | E-ZPass Customer Service Center
2014-07-08 | Indebted for driving on toll road     | E-ZPass Info
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Collection Agency
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Indebtedness for driving on toll road | E-ZPass Customer Service Center
2014-07-08 | Pay for driving on toll road          | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info
2014-07-08 | Payment for driving on toll road      | E-ZPass Info

As you can see, while the E-Z Pass scam uses appropriate branding, the destination websites of the links are certainly not genuine. None of these are used for E-Z Pass.
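Two signals stand out in the captured emails: a subject ending in "for driving on toll road", and an E-ZPass display name paired with a link to a host that has nothing to do with E-ZPass. The following Python is an added example (not PhishMe's code) of turning those two signals into a mail-gateway check; the allowlist of legitimate hosts and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Every captured subject ("In arrears", "Indebted", "Indebtedness", "Pay",
# "Payment" ...) ends with the same phrase, so match on that tail.
TOLL_SUBJECT = re.compile(r"for driving on toll road", re.IGNORECASE)
BRAND = re.compile(r"e-?z\s?pass", re.IGNORECASE)
# Assumed allowlist of genuine E-ZPass web hosts; replace with your agency's domains.
ALLOWED_DOMAINS = {"e-zpassny.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host):
    """Crude last-two-labels reduction (no public-suffix list); enough for a demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(raw):
    """Return the reasons a message looks like the E-ZPass lure (empty list if clean)."""
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    reasons = []
    if TOLL_SUBJECT.search(subject):
        reasons.append("subject matches toll-road lure")
    # Brand impersonation: the sender or subject claims E-ZPass, but the
    # links point somewhere outside the allowlisted domains.
    claims_brand = bool(BRAND.search(display) or BRAND.search(subject))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if claims_brand and registered_domain(host) not in ALLOWED_DOMAINS:
            reasons.append(f"brand claimed but link goes to {host}")
    return reasons


# Constructed sample messages, not real captures.
LURE = ("From: E-ZPass Collection Agency <info@ezpass-billing.example>\n"
        "Subject: In arrears for driving on toll road\n\n"
        "View your invoice: http://www.example-compromised-site.net/tmp/api/abc=/toll\n")
CLEAN = ("From: E-ZPass Customer Service <noreply@e-zpassny.com>\n"
         "Subject: Your monthly statement is ready\n\n"
         "Log in at https://www.e-zpassny.com/ to view it.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("clean", CLEAN)):
        print(name, classify(raw))
```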

Naturally, we visited one of the URLs to find out what would happen. Clicking the link prompted a download of a zip file, which presumably contained the invoice. Instead of a Word document, Excel spreadsheet, or PDF, the zip file contained an executable (.exe) file.

Both the zip file and the executable inside it are named for the city and ZIP code from which we are connecting.

For example, this relates to an E-Z Pass charge in Birmingham, Alabama.

When we run this malware, it attempts to contact command and control servers at the following locations:

PhishMe has been tracking the ASProx botnet for some time. Most of these IP addresses were already known to belong to the ASProx botnet and have been in use for some time. In fact, this botnet was used to send the Holiday Delivery Failure spam emails that imitated Walmart, CostCo, and BestBuy during the holiday season, and also the Court Related Malware campaign in early 2014.