New offline phish technique targets noobs & luddites

Who is least likely to recognize a phish when he sees one? A noob or a luddite right? As more and more people get online, more and more people are getting savvy about phish scams. The only people still likely to be highly vulnerable are those people who still don’t have internet woven into their daily life. We all know someone like this, and if you are reading this blog you are probably NOT one. These folks hate going online and they check their email once a week or so, if at all. They delete all email unless someone phones them and tells them “Look for an email from me.” They are clueless about the internet and tend to believe things are what they seem to be. Ideal victims, but how would you push a phish in their face in the first place?

In order to scam this population where they live, you would have to go offline — either the phone or the real world. The telephone scam where you get them to give up their CVV code requires that you already have stolen their credit card number. Unlikely for this demographic because they tend to purchase very little online. So we have to go real world.

The latest scam is to plaster windshields in parking lots with flyers for some fake product and to stick a fake parking ticket under the fake flyer. The vic can see that everyone got a flyer, but he thinks he’s the only one who got a ticket. The tickets look very official and claim that “we have photo evidence of the infraction.” The scammers probably even know what types of cars luddites are most likely to drive and target those especially. (Probably Buicks, Oldsmobiles, and Caddies would be my guess.) Even noobs will be compelled to go online to see this alleged photo of themselves making an illegal left turn (or whatever it is), because they can’t remember doing the least little thing wrong.

Wham, evil website loads some kind of worm or keylogger on to their (probably unpatched Windows 95) computer and they’re zombies.

Please spread the warning by word of mouth to your luddite friends and relatives because they won’t see it here.

15 comments to New offline phish technique targets noobs & luddites

  • Interesting technique. But why would they bother to go through ALL that for just 1 victim?

    Perhaps online attempts will have lower success rates, but much higher return (in terms of vics) when you multiply by 100’s or 1000’s.

    You’ll be surprised how many “noobs” surf the Internet daily.

  • admin

    A zombie computer forever is worth a lot to spammers. There are costs associated with the telephone scam too. They target people 1 by 1. Parking lot phishers don’t just target 1, they plaster the entire parking lot–the fake flyer is camoflauge. If they can get a keylogger installed on a vic’s box they can get his bank password the one time in three months he does go online to check his balance. Even a reverse password will not protect you if you have a keylogger. Yes, some noobs do surf the internet a lot. Lack of education + increased time online leads to increased vulnerability.

  • Wow, I bet that could be scarily effective. I know my city already allows you to pay parking tickets online, so going online to pay a parking ticket probably wouldn’t seem foreign to most people.

    I am surprised that this type of phishing isn’t more common, but I suppose it is only a matter of time…

  • It wouldn’t be effective at all on savvy users. Have your noob/luddite friends read my phish education post: it won’t make them 100% impervious but it will cut their risk of being phished by a huge margin. Don’t tell them to go online to read it because they won’t. Don’t email them the link either. Print it out for them and physically hand them the hard copy! That’s coming from someone who is generally against paper, but if paper is the only way to reach these people, so be it.

  • Thanks for sharing such an important techniques with us.Phishing is actually when you make a fake website that looks like the real website, but when the person enters their login info the phishing site records it and e-mails it to you. It can then leave the victim with a broken link (which could draw suspision) or it redirects them to the login screen of the actual website.

  • Phish term is pretty general–you have described a common phish scenario but not the only one. Phish is any website that gets user to come to it under false pretenses. It can request and record credential, email to a hacker or send via SMS or put in database for hacker to get later. It can just download & install malware without asking any credential at all. It can either redirect to legit site or it can continue with the deception or it can just break after it gets what it wants.

  • I actually know someone who I think has been a victim of this scheme. It’s quite clever, which is why you must be vigilant online and offline.


  • this is a very interesting scam that people are pulling off. glad for the update.

  • Seem to be an old scam that still works for some.Will put this up in my blog. Thanks

  • Thanks yet another interesting post. Scam can always be pulled off but can be prevented as well.

  • I got an email today from someone wanting me to help her transfer funds to a charity and she’d give me 40% of 10 million dollars (she made sure I knew it was “US Dollars”). I love the way they start off with “I am Mrs. XYZ, the wife of the late Mr. XYZ who was a successful business man until he died…”

    I’m amazed that people even fall for those. But the one you mention is new to me. I’ll help spread the word. Thanks.

  • admin

    Christian, the Nigerian scammer usually poses as a woman because he thinks we’ll be more sympathetic to a woman. Also there always seems to be someone who died or is in prison in the text of their sad tales. People have actually *GONE* to Nigeria, and usually they get the crap beat out of them for their trouble. I love the website where they expose the Nigerian scammers.

  • Scammers have been growing ever more creative, as evidenced by this story. Just a few weeks ago they were preying on the millions of people searching for info on the swine flu. The bottom line is that new computer users need to make a sincere effort in educating themselves about online security.

  • You can take this even one step further and ticket actual infractions! Walk downtown and you see a bunch of cars parked at expired meters. The meter maid might get them or not… but you could phish all of them.

    Just don’t get caught cause it’s like a felony right?

  • admin

    Efusjon, yes I think your batting average would be higher if you’d take the trouble to target actual infractions. You could just stick your phishy stuff under the actual tickets or not, as you say. Then people usually know they did something wrong and the phish could offer them a way to get out of it! However locating actual infractions would require a lot more effort from the phisher; usually it’s easier for them to just follow a blanket flyer poster or create their own and blanket a parking lot.

A sample text widget

Etiam pulvinar consectetur dolor sed malesuada. Ut convallis euismod dolor nec pretium. Nunc ut tristique massa.

Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan. Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem, suscipit in posuere in, interdum non magna.