—Illustration by Alex Nabaum

E-mails promising Viagra discounts or dates with Russian models used to be the preferred way to get personal financial information from recipients. Now hackers have devised an ingenious way to unleash an identity-stealing computer virus from about the last place you’d expect an online attack: a parking lot.

Scammers place phony parking tickets on cars, which direct their owners to an “official” website that claims to have photos of the alleged violation. Once they go to the website, victims inadvertently download a nasty virus that can quickly cost them plenty.

Several drivers in Grand Forks, N.D., found tickets on cars they had parked at a shopping mall, hospital, grocery store or college campus. Some went to the designated website—and their computers were compromised.

“This very clever ploy bridges the [real] world with the virtual world, and I fear we’ll be seeing more of these types of attacks in the future,” says Lenny Zeltser, a computer security expert who uncovered the scam after a former student who lives in Grand Forks told him about a phony parking ticket.

After analyzing the virus website, Zeltser found that its potential dangers include:

•  Tricking you into buying fake antivirus software. The website instructs you to install a program to see photos of your car. The program then produces a message that announces your computer has a virus, and you’re offered worthless “repair” software for $50 or more.
•  Capturing user keystrokes to reveal your online passwords and account numbers. “If you do online banking,” Zeltser says, “this allows scammers access to your accounts, and they can remotely wire money from them.”
•  Enslaving the infected computer as a “bot” that can be used remotely to disseminate spam and gain access to other websites you visit. “You may never know your computer has become a bot, except that it might be slow or acting sluggishly,” Zeltser says.

Thus far, the parking ticket ploy has reportedly occurred only in Grand Forks, but Zeltser believes the scam will spread. Unlike other malware attacks, it doesn’t depend on you to open a corrupted e-mail sent by a stranger. Instead, it provides bait to lead you right to the virus, a gambit that he says “can be very lucrative for hackers.” How can you protect yourself?

• Avoid unfamiliar websites. “Don’t visit a strange website simply because you get an e-mail or letter telling you to,” Zeltser says. “And if you do, never download or install new programs there unless you are sure you can trust the source.”
• Be wary of dot-com cons. One giveaway on the parking ticket website: It ended in “.com.” Online addresses of most police and other official agencies end in “.gov.”
• Consider a “security suite.” These newer protection programs—from McAfee and Norton—cost about $20 more than traditional antivirus and antispyware software, which may not find such malicious programs.

To learn more about online security, visit www.staysafeonline.org or www.onguardonline.gov. Report suspicious e-mails or websites to www.ic3.gov, and identity theft attempts to www.ftccomplaintassistant.gov. 

Sid Kirchheimer is the author of Scam-Proof Your Life (AARP Books/Sterling). Send your queries about scams, deals and other consumer issues to Sid at asksid@aarp.org. If you want a personal response, please include a telephone number or e-mail address. Because of the volume of mail received, Sid regrets that he can’t answer all questions.