Softpedia
 


January 12th, 2011, 16:56 GMT · By

Fake Miles & More Emails Lead to Zbot Drive-By Download

Zbot pushers send fake Miles & More receipts
Security researchers warn about fake emails purporting to come from the Miles & More frequent flyer programme and leading users to a Zbot drive-by download website.

The rogue emails bear a subject of "ITINENERARY RECEIPT" and have their header spoofed to appear as originating from a memberservices@miles-and-more.com address.

The message uses an old social engineering trick to grab the recipients' attention: it suggests their credit cards were charged without their knowledge.

"Thanks for the purchase! Booking number: LVSN50. Your credit card has been charged for $493.67. Please print PASSENGER ITINERARY RECEIPT by logging into your Miles account by clicking the link below," the emails read.

According to researchers from BitDefender who analyzed the attack, the link leads to a page on a religious website that was most likely compromised.

The page contains hidden iframes loading the Neosploit exploit pack from a third-party server. The toolkit performs several checks to determine the version of popular applications installed on the visitor's computer and serves the appropriate exploit.

If successful, the exploit will silently download and execute a generic trojan downloader, which will then install a variant of the notorious Zbot information-stealing trojan, also known as ZeuS.

Zbot is commonly used by fraudsters to steal online banking credentials, as well as other sensitive financial information, from both consumers and companies.

Miles & More is a popular frequent flyer programme originally launched by the largest airline company in Europe, Lufthansa, but which now sees the participation of companies like Adria Airways, Air Dolomiti, Austrian Airlines, Brussels Airlines, Croatia Airlines, LOT Polish Airlines, Luxair and Swiss International Air Lines.

In order to protect themselves from drive-by download attacks, users need to keep their software applications and operating system up to date. Specialized software like the Secunia Personal Software Inspector (PSI) can help ease that process.

Firefox users can install the NoScript extension which, by default, blocks all third-party JavaScript on websites, therefore rendering these attacks ineffective. It can also significantly increase browsing performance, but needs a little getting used to.
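Site owners can check their own pages for the kind of hidden third-party iframe described above. The following Python sketch is an added example, not code from BitDefender or Softpedia; the host names and sample markup are constructed, and the hiding heuristics are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that hide a frame from the visitor (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, reasons) for each suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs and the site's own (sub)domains are not third-party.
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return
        reasons = []
        dims = (a.get("width", "").strip(), a.get("height", "").strip())
        if any(d in ("0", "1") for d in dims):
            reasons.append("tiny width/height attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hiding inline style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:  # third-party AND invisible: worth a manual review
            self.findings.append((src, ", ".join(reasons)))

def find_hidden_third_party_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for a site served from church.example.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://kit-host.invalid/index.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<iframe src="/calendar.html" style="display:none"></iframe>
<iframe src="//stats.invalid/c" style="width:0;height:0;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_third_party_iframes(SAMPLE_PAGE, "church.example"):
        print(f"review: {src} ({why})")
```

A visible third-party embed and a hidden same-site frame are both left alone; only frames that are off-site and invisible are reported.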

Copyright © 2001-2012 Softpedia.