Cyber-criminals are spamming out a new malicious e-mail campaign this week; the e-mails appear to be airline tickets.
In an attack similar to the contract malware seen before, the dangerous messages have a ZIP file attached to them (in this case named print-ticket.zip), which if opened will infect Windows users with a Trojan horse.
“The e-mails claim that the recipient has registered an account with a well-known airline and that their credit card has been debited for hundreds of dollars,” explains Brett Myroff, CEO of regional Sophos distributor Sophos South Africa.
As well as US Airways, malicious e-mails have also been seen pretending to come from the likes of Virgin America, Sun Country Airlines, Delta Airlines, JetBlue Airways, Spirit Airlines, Hawaiian Airlines, AirTran Airways, Alaska Airlines, Northwest Airlines, Frontier Airlines, USA3000 Airlines, Midwest Airlines, American Airlines and Continental Airlines.
“The danger is that if you receive an e-mail claiming your credit card has been used without your permission, you may rush to open the file for more information without thinking first.
“Users should always be suspicious of unsolicited e-mail attachments, and keep their anti-virus software up-to-date,” he says. Sophos detects the malware in this latest campaign as Troj/Invo-Zip and Mal/EncPk-GH.
Thanks for nothing
The American Thanksgiving celebrations have also been exploited for a recently detected spam campaign.
“We see spam about losing weight all year round, but there is usually a surge in its popularity after a major holiday like Christmas or, in this case, Thanksgiving. It wouldn't be a surprise if we see the same thing in January 2009,” says Myroff.
There have also been some minor variations to the contract malware noted earlier this week, which appear to be contracts from the likes of Google, Apple, Procter & Gamble, and other well-known firms.
The malicious messages that are being spammed out pretend to be changes to a contract, some related to business activities with well-known firms like Johnson & Johnson, Starbucks or Google, and others pretend to be connected with a retirement plan.
The dangerous files attached to these e-mails in the samples that have been seen are called contract.zip or New_Contract.zip. Sophos intercepts them as Troj/Invo-Zip.
Some of the subject lines the hackers use in this malware campaign include the following:
Southwest Airlines Contract of settlements
Procter & Gamble Contract of order fulfillment
Toyota Permit for retirement
General Electric Lease contract
Berkshire Hathaway Loan Contract
Apple Contract of retirement
FedEx Contract direct marketing
Johnson & Johnson Contract e-fulfillment
Google Lease contract
Starbucks Lending Contract
“Even if you weren't involved in any business dealings with any of these companies, you might still be curious enough to open the attachment to see what it contains. It is that curiosity which the cyber-criminals are depending on in order to infect users' computers, and potentially steal information, resources and money. These messages should simply be deleted if you receive them,” Myroff says.
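The indicators the article gives for both campaigns (the attachment names print-ticket.zip, contract.zip and New_Contract.zip, and the "contract" / "permit for retirement" subject lines) are enough to build a gateway-side check. The following is an added example, not Sophos code: it parses a raw message, looks for ZIP attachments, and quarantines on a known lure filename, a lure subject paired with a ZIP, or an executable inside the archive. The subject regex, the executable-suffix list and the sample messages are constructed for the demonstration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Attachment names are quoted in the article; the regex and suffix list are constructed.
LURE_ATTACHMENTS = {"print-ticket.zip", "contract.zip", "new_contract.zip"}
LURE_SUBJECT = re.compile(r"\b(contract|permit for retirement)\b", re.I)
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_has_executable(data: bytes) -> bool:
    """True if the ZIP payload lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_SUFFIXES) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a readable ZIP; a real gateway would flag this separately


def assess(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined (empty list = no match)."""
    msg = message_from_bytes(raw)
    subject = msg.get("Subject", "")
    reasons = []
    zip_parts = [p for p in msg.walk() if (p.get_filename() or "").lower().endswith(".zip")]
    if zip_parts and LURE_SUBJECT.search(subject):
        reasons.append(f"lure subject with ZIP attachment: {subject!r}")
    for part in zip_parts:
        name = part.get_filename().lower()
        if name in LURE_ATTACHMENTS:
            reasons.append(f"known lure attachment name: {name}")
        if zip_has_executable(part.get_payload(decode=True) or b""):
            reasons.append(f"executable inside ZIP attachment: {name}")
    return reasons


def build_sample(subject: str, attachment_name: str, inner_name: str) -> bytes:
    """Construct a test message (not a captured sample) carrying one ZIP attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real program")
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "billing@airline.example"
    m.set_content("Your credit card has been charged. Details are in the attachment.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename=attachment_name)
    return m.as_bytes()
```

Run `assess(build_sample("Google Lease contract", "contract.zip", "contract.exe"))` to see all three reasons fire on a message modelled on the subject lines above; a benign ZIP of CSV files returns an empty list.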
Through the backdoor
This week's line-up of low to medium prevalence threats includes the Troj/Ezio-G Trojan, which includes functionality to access the Internet and communicate with a remote server via HTTP.
The Troj/Ezio-H Trojan, also affecting Windows users, runs continuously in the background, providing a backdoor server, which allows a remote intruder to gain access and control over the computer via IRC channels. It installs itself in the registry.
Troj/Tometa-L, Troj/Drop-BN and Troj/DwnLdr-HLM have also been noted.