Northwest and United Airlines have been targeted in the past week

Jan 20, 2009 12:56 GMT

Security researchers from anti-virus vendor Sophos warn that new e-mails claiming to contain invoices for airline tickets acquired online have been in circulation for the past week. Initially targeting Northwest Airlines, the gang behind the campaign has now switched to impersonating United Airlines.

E-mails originating from a spoofed [email protected] address have been hitting user inboxes since the middle of last week. Bearing an “E-ticket #<digits>” subject, the messages masquerade as notifications sent by the online ticket purchasing system belonging to Northwest Airlines. They inform users of an alleged charge on their credit cards and provide incorrect login information for the system, in the form of an e-mail and a random password.

“Your account has been created […]. Your credit card has been charged for $449.70 […],” an e-mail signed by one, probably fictional, Duane Daugherty, reads. The most important part, however, is the claim that “Attached to this message is the purchase Invoice and the Northwest Airlines ticket,” which has the purpose of tempting the user into opening the attached file.

“To use your ticket, simply print it on a color printed [sic], and you are set to take off for the journey!” some included instructions go on to explain. The problem is that the Your_ETicket.zip file, which is shipped with the e-mails, actually contains a computer Trojan, identified by Sophos as Troj/Agent-IPS.

Graham Cluley, senior technology consultant at Sophos, has announced that this week the scam has mutated, and the malware spreaders have switched to using forged United Airlines e-mails. The message is mainly the same, except for the spoofed address, which is now [email protected]. In addition, the new fake e-mails contain some legitimate corporate information about United Airlines attached at the bottom, probably to increase their credibility. The messages are allegedly signed by someone named Jillian Biggs, working for the company.

“Opening the ZIP file is a very bad idea,” Mr. Cluley warns. “Although it’s understandable that you might panic into thinking that your credit card has been debited without your permission, for a flight you don’t want or need, you should be cynical enough to smell this for what it is – a dirty rotten scam designed to infect your personal computer,” he concludes.

Judging by the e-mail messages, the gang behind this campaign is the same one that launched similar attacks impersonating Midwest Airlines and Allegiant Air back in September 2008. At that time, researchers from BitDefender attributed the JetBlue Airways scam, which circulated during July 2008, to the same cyber-criminals.