Korea-originating fraud targets Westminster Council and PayByPhone with malicious attack

News from Omniquad | November 9, 2012

Parking receipt scam email delivering malware.

The email claims to be a notification about an unpaid ticket for parking at St Barnabas Street in the City of Westminster. It appears to come from paybyphone.co.uk, the domain of a contractor handling parking fines on behalf of Westminster Council.

All of the emails carry the same subject line: “Pay by Phone Parking Receipt”. They try to get recipients to open the attached ZIP file, Pay_by_Phone_Parking_Receipt_#######.zip, which contains a piece of malware named ‘Pay_by_Phone_Parking_Receipt.pdf.exe’. The double extension makes the executable look like a PDF document. Omniquad’s email filtering solution, Mailwall Remote, detects it as Win.Trojan.Agent-14031.
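A mail-gateway style check for the double-extension attachment described above, as an added example that is not Omniquad's or Mailwall Remote's code; the function names, the extension lists and the sample archive are assumptions constructed for illustration. It goes slightly beyond the reported file name by also catching mixed case and whitespace padding between the two extensions.

```python
import io
import zipfile

# Assumed lists for this example; tune them to local mail policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def suspicious_members(zip_bytes):
    """Return (member_name, reason) pairs for risky entries in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Keep only the file name, lower-case it, and drop trailing
            # dots and spaces, which Windows ignores when opening a file.
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            name = name.lower().rstrip(". ")
            # Split on dots and strip padding placed between extensions.
            parts = [p.strip() for p in name.split(".")]
            if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
                continue
            if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
                findings.append((info.filename, "double extension hides executable"))
            else:
                findings.append((info.filename, "executable inside archive"))
    return findings


def build_sample_zip(names):
    """Build an in-memory ZIP with harmless placeholder content (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member in names:
            archive.writestr(member, b"placeholder, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip([
        "Pay_by_Phone_Parking_Receipt.pdf.exe",  # file name reported in the article
        "docs/receipt.PDF      .EXE",            # constructed: padded, mixed case
        "readme.txt",                            # constructed: benign
    ])
    for member, reason in suspicious_members(sample):
        print(f"{member}: {reason}")
```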

The cyber-criminals responsible for the attack are probably relying on the fact that although the recipients haven’t been to St. Barnabas Street in Westminster, they might rush to open the attachment after seeing that they have to pay 33.30 (the currency is not specified) for one hour of parking. They will want to investigate, and possibly be keen to prove that a mistake has been made and they have not been there.

Westminster Parking Fine email


A pop-up message on the parking section of the City of Westminster website acknowledges the scam email, saying:

“Please be advised we are aware of a spam email that appears to have been issued by Pay by Phone with a parking receipt for a parking session for a one hour on 5th November 2011 in Westminster for £33.30. Our advice would be to delete the email and run your anti-virus software. We have not taken a payment. However if you have concerns please contact your bank or card provider.”

According to the BBC website:

“The council said it had received complaints from 800 people saying they had received fraudulent emails. However, it could not provide an estimate for the number of emails that had been sent out.”


“Westminster Council’s service development manager, Kieran Fitsall, said: “We received a very high volume of calls in a very short amount of time concerning a spam email that was sent by an unauthorised third party pretending to be our contractor PayByPhone.

PayByPhone are investigating the matter urgently, but the council’s advice is to delete the email and run your anti-virus software.”

Omniquad analysts have investigated the origin of these emails and found that the majority originate from an IP address range belonging to a telecommunications company in Korea.

The emails look legitimate and appear to come from a legitimate source, and judging by the number of people who have rung the council, many people may now find that their computer has been infected by a Trojan horse.

If you have clicked on the ZIP file in the email, it is important to update your anti-virus signatures and run a full virus sweep of your computer.