E-ticket scam crash lands victims into a load of malware

In a reprise of a summer tactic, hackers are trying to trick people into infecting their PCs with malware by e-mailing them spurious airline-ticket invoices and boarding passes, a security company said today.

The bogus e-mail, claiming to be from Continental Airlines Inc., thanks the recipient for using a new “Buy flight ticket Online” service.

It also provides a log-in username and password and says the recipient’s credit card has been charged more than $900, according to Trend Micro Inc.’s research.

The message says the attached .zip file includes an invoice and “flight ticket.” In fact, noted Trend Micro, the archive contains an executable named “e-ticket.doc.exe,” which is actually a Windows worm that downloads and installs other attack code onto the PC.

“It’s the old double-extension trick to hopefully fool the user to double-click the attachment,” said Joey Costoya, a Trend Micro researcher, in an entry to the company’s security blog.

“The phrase ‘Your credit card has been charged …’ will just add more worry for the user, convincing him more to examine [and] double-click the ‘flight details,’” Costoya added.
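As an added example, not code from the article or from Trend Micro: a small Python attachment filter that opens a ZIP file and flags the double-extension trick described above. It goes beyond the specific case in the article by also reading the first bytes of each entry, so a Windows PE file hidden behind a single harmless extension (say, a PDF name) is caught even when the name looks clean. The archive contents are constructed in the block and contain only a fake DOS header, not the real sample.

```python
import io
import zipfile

# Extensions Windows runs directly when the user double-clicks the file.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions attackers put in front of the real one; with
# "Hide extensions for known file types" on, Explorer shows "e-ticket.doc"
# for a file actually named "e-ticket.doc.exe".
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".txt", ".jpg", ".htm", ".html"}


def inspect_archive(zip_bytes):
    """Return [(entry name, [reasons])] for every entry that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in basename.split(".")[1:]]
            last = exts[-1] if exts else ""
            reasons = []
            if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
                reasons.append("double extension %s%s" % (exts[-2], last))
            elif last in EXECUTABLE_EXTS:
                reasons.append("executable extension " + last)
            # Never trust the name alone: a PE file starts with the "MZ" DOS header.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                if last in EXECUTABLE_EXTS:
                    reasons.append("content is a Windows PE executable")
                else:
                    reasons.append("Windows PE executable disguised with extension " + (last or "(none)"))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed sample (assumption, not the real attachment): one benign text
    file, the double-extension lure named in the article, and a PE under a PDF name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"Thank you for using Buy flight ticket Online\n")
        zf.writestr("e-ticket.doc.exe", b"MZ" + b"\x90" * 62)  # fake DOS header only
        zf.writestr("itinerary.pdf", b"MZ" + b"\x00" * 62)     # PE bytes under a PDF name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample_archive()):
        print("%-20s %s" % (name, "; ".join(reasons)))
```

In a mail gateway the name check alone would already have stopped this campaign, but the content check is what survives the next variant, where the attacker simply renames the file to a single decoy extension and relies on a user who has "always open with" set for it.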

An almost-identical attack hit consumers last July when hackers sent spam that masqueraded as mail from Delta Air Lines Inc. and Northwest Airlines Corp.

At the time, affected airlines warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages.

For instance, a Northwest spokesperson cautioned customers to be aware that the e-mails were not coming from the airline. “NWA itineraries are specific and contain information that a customer will recognize,” he said. “If the format does not look familiar to you, and you have not recently purchased a ticket, do not open the attachment. Delete the e-mail right away.”

The modus operandi in the summer attacks was similar to the current e-ticket spam scam.

The July e-mails, purporting to be from an airline, thanked the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provided a log-in username and password, and said the person’s credit card had been charged an amount – usually in the $400 range.

The e-mail included an attachment claiming to be the invoice for the ticket and credit card charge.

However, the .zip attachment contained a Trojan horse that stole information, including keystrokes, from the infected Windows PC and transmitted that data to a server hosted in Russia.

There are a few significant differences, however, between the July scam and the current one.

The current campaign has dramatically bumped up the amount supposedly charged to recipients’ credit cards, to more than $900. In July, the figures were often in the $400 range.

Airline ticket prices jumped this summer as fuel costs climbed, a fact Continental recognized when it posted its third-quarter earnings last Friday. The airline, which reported a net loss of $236 million for the quarter, blamed both high fuel prices and Hurricane Ike for its poor performance.

According to Continental, its jet fuel averaged $3.49 per gallon during the quarter, up from $2.16, a 62 per cent increase. Fuel prices peaked at $4.21 per gallon during the period, Continental said.

The malware used in July also differed from the attack code spotted by Trend Micro. Three months ago, hackers tried to plant an identity-stealing Trojan horse on users’ Windows PCs.

The Trojan horse first gained notoriety almost a year ago, when it was used to rip off more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.

McAfee had pegged the malware as “Spy-Agent.bw,” but other security firms gave it different names. For example, Symantec Corp. labeled the same Trojan horse as “Infostealer.Monstres.”

The personal information filched from Monster.com included names, e-mail addresses, home address, phone numbers and resume identification numbers.

Security researchers traced the data to a remote server used by the attackers to store the stolen information. Infostealer.Monstres ripped off Monster.com by using legitimate log-ins, likely stolen from recruiters and human resource personnel who had access to the “Monster for employers” areas of the site.

Once inside, the Trojan horse ran automated searches for resumes of candidates located in certain countries or working in certain fields. The results were then uploaded to the attackers’ remote server.
