Malicious attachments masquerade as airline ticket invoices

Aug 9, 2010 09:59 GMT  ·  By

The fake flight ticket lure is still being used by email malware distributors to trick users into infecting themselves, experts from CA warn. Emails employing this recurring theme, which has plagued inboxes in recent years, have begun making a comeback recently as part of a Zbot campaign.

"We received spam emails disguised as legitimate emails and containing information about a certain 'Flight Ticket'. The spam mail informs the recipient about the attached invoice and airplane tickets; all the user needs to do is open and print the attached file to be able to use the ticket," Mary Grace Gabriel, a research engineer with CA's Internet Security Business Unit (CA ISBU), warns.

The emails come with a subject of "Your Flight Ticket #####" (where # is a digit) and, according to their forged "From" field, appear to originate from Midwest Airlines. It is, however, possible that the names of other airlines are being similarly abused.

The message contained within follows a template that has been used by Zbot airline ticket spam before. It informs the recipient that their credit card has been charged a certain amount for a flight ticket. They are then told that "Attached to this message is the purchase Invoice and the airplane ticket." Obviously that is not true: the attachment, in this case called Invoice_viewer.zip, contains a Zbot installer.
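As an added example that is not part of the original article, the following Python triage function checks a raw email for the lure features the report lists (the "Your Flight Ticket #####" subject, a From field claiming Midwest Airlines, the "purchase Invoice" template line and the Invoice_viewer.zip attachment). The two sample messages and their example.invalid addresses are constructed for the demonstration; the hit threshold in `is_airline_ticket_lure` is an assumption, not a vendor rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject pattern reported for this campaign: "Your Flight Ticket #####" (# = digit).
SUBJECT_RE = re.compile(r"^Your Flight Ticket \d{5}$")
# Attachment name reported for this campaign (case-insensitive to catch trivial renames).
ATTACHMENT_RE = re.compile(r"^invoice[_-]?viewer\.zip$", re.IGNORECASE)
# Airline brand the forged From field claimed.
CLAIMED_AIRLINE = "Midwest Airlines"
# Template line quoted in the report, compared in lower case.
TEMPLATE_LINE = "attached to this message is the purchase invoice"


def airline_ticket_lure_indicators(raw_message: str) -> list[str]:
    """Return the list of lure indicators matched by a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject matches 'Your Flight Ticket #####'")
    display_name, _address = parseaddr(msg.get("From") or "")
    if CLAIMED_AIRLINE.lower() in display_name.lower():
        hits.append(f"From display name claims to be {CLAIMED_AIRLINE}")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            if TEMPLATE_LINE in text.lower():
                hits.append("body contains the known 'purchase Invoice' template line")
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            hits.append(f"attachment named {name}")
    return hits


def is_airline_ticket_lure(raw_message: str, min_hits: int = 2) -> bool:
    """Assumed triage rule: two or more indicators flag the message for quarantine."""
    return len(airline_ticket_lure_indicators(raw_message)) >= min_hits


# Constructed sample reproducing the reported lure (addresses and zip bytes are fake).
SAMPLE_LURE = """\
From: "Midwest Airlines" <noreply@example.invalid>
To: victim@example.invalid
Subject: Your Flight Ticket 48213
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your credit card has been charged for the flight ticket.
Attached to this message is the purchase Invoice and the airplane ticket.

--b1
Content-Type: application/zip; name="Invoice_viewer.zip"
Content-Disposition: attachment; filename="Invoice_viewer.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = "From: colleague@example.invalid\nSubject: Lunch tomorrow?\n\nAre you free at noon?\n"
```

Running `airline_ticket_lure_indicators(SAMPLE_LURE)` returns all four indicators, while the benign message returns none.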

Zbot, also known as ZeuS, is an information-stealing trojan commonly used by fraudsters to compromise the online banking accounts and credit card information of people worldwide. ZeuS is sold on underground forums as a crimeware toolkit, giving the hackers who buy it the ability to build customized versions of the malware. Because of this, there are hundreds of Zbot variants in the wild at any given time, which allows cybercriminals to stay ahead of antivirus detection.

As always, users should remain vigilant and treat all email attachments with suspicion, regardless of where they appear to be coming from. It is also highly recommended to run an up-to-date antivirus program at all times, preferably one with advanced layers of protection, such as those that can detect generic malicious behavior.

You can follow the editor on Twitter @lconstantin