Airline Spam: Fake E-tickets Bringing You Malicious Worm

It looks that airline spammers are not going to stop. They are constantly launching new spam campaigns targeting a number of different airline companies. First of all, we warned you against fake Hawaiian Airlines e-tickets. Later on, hackers shifted to customers of Delta and Northwest airlines. Finally, last month we informed our readers about the new round of attacks targeting the major U.S. air carriers and other operators, including cardinal points within their names.

This time researchers from TrendLabs have released a report about a new wave of spam messages, supposedly coming from Continental Airlines, the fourth-largest airline in the U.S., and JetBlue Airways, an American low-cost airline. Emails belonging to this spam campaign come with the subject line "Your Online Flight Ticket N 37318" (the number may vary) and thank recipients for using the new service called "Buy flight ticket Online".

Below you can see two screenshots of sample emails (one for Continental Airlines and one for JetBlue Airways).

Similarly to the previous attacks recipients are even provided account details, including a password. And all they have to do then is to print out the attached "purchase invoice and plane ticket". The attachment is called E-TICKET.ZIP and includes a file E-TICKET.DOC.EXE. Joey Costoya, Advanced Threats researcher, notes that "It's the old double-extension trick to hopefully fool the user to double-click the attachment."

One of the aspects that convince many recipients to download the attachment is the phrase "your credit card has been charged..." Even those who don't buy airline tickets online can download the attachment in order to see if they really have to pay for something that they have never ordered.

And as it may already be expected, the attachment has neither an e-ticket, nor any invoice. Trend Micro identifies the attached file as WORM_AUTORUN.CTO. According to Trend Micro, "this worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal."

In order not to infect their computers with this worm, users are highly advised not to click on the attachment. The best thing would be to delete all similar emails without even reading them. As always, everybody should keep their anti-virus software and anti-spam filters up-to-date.