News
Contributed by: Aurelija
Date: September 23, 2008
Researchers at the security company BitDefender note that emails belonging to the new spam campaign claim to deliver invoices and e-tickets acquired through the "Buy Airplane Ticket Online" service. The emails have subjects such as "Your Online Flight Ticket N #####" (where # is a random digit) and claim to have been sent by major US airline companies and carriers. The body of each email informs the user that they have used a "Buy airplane ticket Online" service on the website of an airline company.

To make the emails look more credible, the spammers provide a login (the recipient's e-mail address) and a password. Instructions on how to use the supposed e-ticket attached in the .zip file are also included. Finally, they even add a marketing reminder that a discount is available when tickets are bought through this service.

However, no matter how serious and reliable these emails may look, their .zip attachment will only download several Trojan installers. The specific malware spread by these emails includes Trojan.Spy.Zbot.KJ, Trojan.Spy.Wsnpoem.HA and Trojan.Injector.CH. BitDefender notes that these Trojans have rootkit components that help them install and hide themselves on infected computers, in either the Windows or the Program Files directory. Once installed, the applications run hidden in the background, upload gathered sensitive information to remote servers, open exceptions in the Windows firewall and listen on specific ports for commands from the attackers. The Trojans also attempt to connect to and download files from servers with domain names apparently registered in the Russian Federation.

"Users should be aware that without the appropriate security solution the integrity of their systems is at an extremely high risk," said Sorin Dudea, Head of BitDefender® Antimalware Research.
"The Trojans this new malware distribution campaign delivers and the high rate of infections prove once again not just the cybercriminals' ingenuity, but also the lack of interest the users show in terms of systems' defense and sensitive data protection."
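The lure traits described above (the ticket subject line, the recipient's own address offered as a login, and a .zip attachment) can be checked at a mail gateway. The following is an added example, not BitDefender's detection logic or code from the original article; the function names, the list of risky extensions and the sample message builder are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject format quoted in the article: "Your Online Flight Ticket N #####".
SUBJECT_RE = re.compile(r"your online flight ticket n\s*#?\s*\d+", re.IGNORECASE)
# Assumption: archive member extensions treated as executable content.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")

def zip_findings(data):
    """List archive members whose extension marks them as executable."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["unreadable zip attachment"]
    return ["executable in zip: " + n for n in names if n.lower().endswith(RISKY_EXT)]

def score_message(raw):
    """Return the lure traits from the article that this message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        reasons.append("subject matches e-ticket lure")
    body = msg.get_body(preferencelist=("plain",))
    rcpt = parseaddr(str(msg["To"] or ""))[1].lower()
    if body is not None and rcpt and rcpt in body.get_content().lower():
        reasons.append("recipient address used as login in body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".zip"):
            reasons.append("zip attachment")
            reasons.extend(zip_findings(part.get_payload(decode=True)))
    return reasons

def build_sample(subject, member, body):
    """Construct a test message (constructed data, not a captured sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "tickets@airline.example", "user@example.org", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="eticket.zip")
    return msg.as_bytes()
```

A message that shows several of these traits together is a candidate for quarantine; a .zip attachment alone is common in legitimate mail and should not trigger on its own.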

The summer of 2008 was marked by an increase in spam related to airlines and e-ticketing services. Earlier we have already warned you about fake 
