A new version of the Zbot Trojan is distributed in this spam campaign
Spam campaigns that leverage the name of a popular airline have been around for quite some time. To bring something new to these operations, cybercriminals change not only the pieces of malware they attach to the fake notifications, but also the name of the company. MX Lab experts have identified a series of malicious emails that purport to come from Air Canada, informing recipients that their orders have been processed.
Entitled “Your Order#74267102 – PROCESSED,” the emails read:
Your order has been successfully processed.
FLIGHT NUMBER TB7392CA
DATE & TIME / DECEMBER 6, 2012, 10:30 AM
DEPARTING / Toronto
TOTAL PRICE / 375.12 CAD
Please download and print your ticket from the following URL : http://www.aircanada.com/aco/manageMyBookings.do?tid=TB7392CA&ticket_number=74267102
For more information regarding your order, contact us by visiting , visit : http://www.aircanada.com/en/customercare/index.html?orderid=74267102&ssid=1524
Although they appear to point to Air Canada’s official site, the links take users to a malicious website where they’re served an archive file that hides a version of the Zbot Trojan.
Unfortunately, at the time of writing, only 4 antivirus solutions were capable of detecting the new threat. That’s why users are advised to immediately delete such emails.