Campaign involving fake airline e-ticket emails with malware detected

In a post on the Security Labs blog, Websense shared that the Websense ThreatSeeker Network has stumbled upon yet another instance of users receiving fake airline e-ticket emails carrying malicious attachments. Websense detected a campaign crafted to appear as if it came from KLM, the Dutch flagship airline.


Elaborating further on the nature of the malware campaign, the blog post stated that every malicious message carried the subject line "KLM e-Ticket". The messages use what appears to be a legitimate KLM e-ticket layout but do not display the itinerary information; instead they prod users to view the itinerary in a malware-laden attachment, putting their machines at risk of compromise.


In a shocking revelation, Websense shares that they intercepted over 850,000 messages from this campaign on Monday, September 17 alone.


A sample e-ticket with malicious intent



Importantly, the post notes that while this scam is not aimed specifically at KLM customers, those with recent ticket purchases, as well as recipients fearing an unauthorised credit card purchase, could be potential victims.


Websense researchers, as per the post, scanned a sample set of messages and found that each 'e-ticket' came with unique values in the passenger and receipt sections, which the researchers presume is an attempt to evade detection, along with a malicious zipped attachment named 'KLM-e-Ticket_<NumericalValue>.zip'.


Going further, the researchers found that the attachments contained two different malicious binaries, both extracted from the campaign's attachments. The post points out that both binaries are named 'KLM-e-Ticket.pdf.exe' and that both allow remote shell (command line) access to the compromised machine via telnet to port 8000. Interestingly, although both binaries attempt to trick users into believing the file is a PDF, neither uses an Adobe Reader or similar icon!
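As an added defender-side example (not code from the Websense post), the following Python script triages a zip attachment along the lines the report describes: it flags the campaign's 'KLM-e-Ticket_<number>.zip' naming pattern, a member whose name hides an executable extension behind a document one (as in 'KLM-e-Ticket.pdf.exe'), and a member that starts with the Windows PE 'MZ' magic. The sample archives it builds are constructed here with harmless stub bytes, not real payloads.

```python
import io
import re
import zipfile

# Windows executable extensions; one of these behind a document-like extension
# (e.g. "KLM-e-Ticket.pdf.exe") is the double-extension trick the post describes.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".htm", ".html"}

# Attachment naming pattern reported for the campaign: KLM-e-Ticket_<NumericalValue>.zip
ATTACHMENT_NAME_RE = re.compile(r"^KLM-e-Ticket_\d+\.zip$", re.IGNORECASE)
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def split_extensions(name):
    """Return (outer_ext, inner_ext) of a filename, lower-cased, e.g. ('.exe', '.pdf')."""
    lower = name.lower()
    outer = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    stem = lower[: len(lower) - len(outer)]
    inner = "." + stem.rsplit(".", 1)[1] if "." in stem else ""
    return outer, inner


def triage_attachment(filename, data):
    """Return a list of findings for an e-mail zip attachment; an empty list means clean."""
    findings = []
    if ATTACHMENT_NAME_RE.match(filename):
        findings.append(f"attachment name matches campaign pattern: {filename}")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + ["attachment is not a valid zip archive"]
    for info in archive.infolist():
        outer, inner = split_extensions(info.filename)
        if outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
            findings.append(f"double extension hides an executable: {info.filename}")
        elif outer in EXECUTABLE_EXTS:
            findings.append(f"executable inside archive: {info.filename}")
        with archive.open(info) as member:  # check content, not just the name
            if member.read(2) == PE_MAGIC:
                findings.append(f"member starts with PE 'MZ' header: {info.filename}")
    return findings


def build_zip(member_name, content):
    """Build an in-memory zip with one member (used only for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()
```

Calling `triage_attachment("KLM-e-Ticket_123456.zip", build_zip("KLM-e-Ticket.pdf.exe", b"MZ" + b"\x00" * 62))` yields three findings, while a benign `itinerary.pdf` starting with `%PDF` inside `itinerary.zip` yields none.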


"It is worth noting that the same binaries have been used in recent 'Microsoft Services Agreement' and 'Telstra Online Account' campaigns based on submitted filenames," adds the post.


Last month, in a blog post titled "Benefits of your BlackBerry ID in this attached malware", Websense Security Labs elaborated on yet another worrying find. The Websense ThreatSeeker Network intercepted a malware campaign aimed at BlackBerry users. The campaign ran through fake e-mails stating that the recipient has successfully created a BlackBerry ID. The e-mail adds that, to enjoy the full benefits of the BlackBerry ID, the recipient should follow the instructions in the attached file. Clearly, this is done to trick the user into running the malicious file.


In another of its blog posts, Websense Security Labs discussed the menace of the Nigerian email scam. The Nigerian email scam - also known as the 419 scam, a reference to the article of the Nigerian Criminal Code that such activities violate - is by now so common that it is identifiable at first glance. Yet such scams continue to dupe unsuspecting people into financial losses amounting to millions of dollars and to disrupt their lives. Examples of such scam e-mails are countless, so much so that the scam has retained its place on the list of top ten internet/email scams for 2012.

Published Date: Sep 25, 2012 01:32 pm | Updated Date: Sep 25, 2012 01:32 pm