US cities are warning of an ongoing mobile phishing campaign pretending to be texts from the city's parking violation departments about unpaid parking invoices, that if unpaid, will incur an additional $35 fine per day.
While parking scams have been around for years, a massive wave of phishing text messages has caused numerous cities throughout the US to issue warnings, including from Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, San Francisco, and many others.
The current wave of texts started last December and has continued since, with BleepingComputer receiving a text targeting New York residents earlier this week.
The text message received by BleepingComputer claims to be from the City of New York about an unpaid parking invoice, which would incur a daily $35 fine if not paid. The text then prompts you to visit an enclosed link to pay the fine.
"This is a final reminder from the City of New York regarding the unpaid parking invoice. A $35 daily overdue fee will be charged if payment is not made today," reads the phishing text.
This same phishing template is used in texts about unpaid parking invoices from other cities seen by BleepingComputer.
Source: BleepingComputer
To circumvent this, the scammers use an open redirect on Google.com to redirect users to a phishing site named after the city it is impersonating. For example, the phishing site for New York City is nycparkclient[.]com.
Over the past year, Apple introduced a security feature that disables links in text messages from unknown senders and suspicious domains.
As Google.com is a trusted domain, Apple iMessage does not disable the link, so using the company's open redirect makes it easier to trick unsuspecting users into clicking on the link by mistake.
In the New York City phishing campaign, clicking on the link brings you to a website pretending to be "NYC Department of Finance: Parking and Camera Violations," which will prompt you to enter your name and zip code.
At this point, you can enter any name and zip code and will be brought to a page stating, "Your vehicle has an unpaid parking invoice in City of New York. To avoid a late fees of 35$, please settle your balance promptly."
The balance owed varies per campaign, with the one received by BleepingComputer stating that we owed $4.60.
Source: BleepingComputer
However, as you can see from the images below, there is a tell-tale sign that this is a scam, as the dollar sign is displayed after the amount, rather than before, as is customary in the US. This further indicates that the phishing scam was created by people outside of the US.
Clicking on the "Proceed Now" button brings you to the screen where the threat actors attempt to steal your data, including your name, address, phone number, email address, and, eventually, your credit card information.
This information can then be used for a wide variety of malicous activity, including further phishing attacks, identity theft, financial fraud, and the sale of your data to other threat actors.
As a general rule, if you receive a text from an unknown phone number or email address that is an out-of-the-blue greeting or asks you to click a link, pay a bill, or respond in some manner, you should report and block the number instead.
Related Articles:
New Darcula phishing service targets iPhone users via iMessage
Phishing texts trick Apple iMessage users into disabling protection
Malicious Chrome extensions can spoof password managers in new attack
YouTube warns of AI-generated video of its CEO used in phishing attacks
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint
Original Article Published at Bleeping Computer
________________________________________________________________________________________________________________________________
