Security researchers from anti-virus vendor Trend Micro warn of a new malware distribution campaign targeting Delta Air Lines passengers. A dangerous computer Trojan is served through spam e-mails claiming to carry an electronic ticket as an attachment.
Delta Air Lines merged with Northwest Airlines in October 2008, and the combined company is currently the largest commercial air carrier in the world. It is therefore not unusual that cybercrooks decided to target a company with thousands of daily customers.
The fake e-mails have subjects of the form "Confirmation of ticket purchase ########," where # represents a random capital letter or digit. "Thank you for the purchase! […] You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic ticket," their content reads.
The attached file is an archive called Delta_eTicket.zip, which contains an executable (.exe) file. That file is actually an installer for a computer Trojan identified by Trend Micro as TROJ_DELF.PSZ.
In order to entice users to open the file, the e-mails claim that printing it and taking it to the airport "will help you pass control and registration procedures faster." Additionally, the message makes reference to top-quality services that will be offered to passengers on board.
"The Trojan automatically runs at every system startup by modifying a registry entry. It has rootkit routines which enable the binary to hide its processes, files, or registry entries. The file also connects to a website to download files. This exposes an infected system to more threats," explains Jake Soriano, who is responsible for technical communications at Trend.
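The two characteristics the article gives for the lure, a subject of the form "Confirmation of ticket purchase" plus eight capital letters or digits, and a ZIP attachment that wraps an executable, are enough for a simple mail-gateway check. The following is an added example written for this page, not code from Trend Micro or from the original article. The sample message it builds is constructed: the sender and recipient addresses, the body text and the member name Delta_eTicket.exe inside the archive are assumptions, and the archive member is a harmless placeholder rather than a real binary.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subject pattern described in the article: fixed prefix followed by
# eight characters drawn from capital letters and digits.
SUBJECT_RE = re.compile(r"^Confirmation of ticket purchase [A-Z0-9]{8}$")

# Extensions that Windows will run directly when double-clicked.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def zip_contains_executable(data: bytes) -> list:
    """Return the names of executable members inside a ZIP blob (empty if none).

    A corrupt or non-ZIP payload is treated as having no executables; a
    gateway that wants to be stricter could quarantine undecodable archives.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().endswith(EXECUTABLE_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def classify_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report why (if at all) it looks like the lure."""
    msg = email.message_from_bytes(raw)
    subject = msg.get("Subject", "")
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches e-ticket lure pattern")
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body parts and multipart containers carry no filename
        lower = filename.lower()
        if lower.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            execs = zip_contains_executable(payload)
            if execs:
                reasons.append(
                    f"zip attachment {filename} contains executable(s): {', '.join(execs)}")
        elif lower.endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"direct executable attachment {filename}")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_lure() -> bytes:
    """Constructed sample resembling the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed member name; the content is a placeholder, not a real binary.
        zf.writestr("Delta_eTicket.exe", b"placeholder, not a real executable")
    msg = EmailMessage()
    msg["Subject"] = "Confirmation of ticket purchase A7K93QZ2"  # constructed id
    msg["From"] = "tickets@example.invalid"                       # assumed sender
    msg["To"] = "passenger@example.invalid"                       # assumed recipient
    msg.set_content("Thank you for the purchase! You will find attached to this "
                    "letter PASSENGER ITINERARY RECEIPT of your electronic ticket.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delta_eTicket.zip")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed legitimate-looking message with a plain text attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Your itinerary"
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "passenger@example.invalid"
    msg.set_content("Itinerary details are attached as text.")
    msg.add_attachment(b"Flight details (constructed sample)", maintype="text",
                       subtype="plain", filename="itinerary.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_lure(), build_sample_benign()):
        verdict = classify_message(raw)
        print(verdict["subject"], "->", "SUSPICIOUS" if verdict["suspicious"] else "ok",
              verdict["reasons"])
```

The check is deliberately cheap: it inspects only the subject and the attachment names inside the archive, which is what a gateway can do before any anti-virus scan runs, and it reports every matching reason rather than stopping at the first so analysts can see whether both indicators were present.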
These e-mails seem to be the work of a gang specializing in such airline spam. At the beginning of this year, security experts from another AV company, Sophos, reported a similar campaign targeting Northwest Airlines. The same trick of fake invoices and e-tickets attached to the e-mails was used.
Malware analysts from Bitdefender also issued a warning back in September 2008, advising users of e-ticket scam e-mails impersonating Midwest Airlines and Allegiant Air. At the time, the researchers linked them to yet another attack against JetBlue Airways customers, which occurred in July of the same year.
Experts recommend having anti-spam and anti-virus solutions installed and kept up to date. Furthermore, these e-mails are relatively easy to identify because of the poor spelling that characterizes them. If you did not purchase an airline ticket online, that is one more reason to steer clear of such messages rather than open them out of curiosity.