Airline E-ticket Scam Touches Down

By Matthew Hines  |  Posted 2008-09-19 Print this article Print

Researchers are warning of an emerging malware campaign that advertises itself as airline e-ticket information to lure users into infecting their machines with a set of Trojan attacks.

First identified by anti-virus specialists BitDefender, the messages contain a .ZIP attachment that is positioned as e-ticket information, but that instead delivers the malware when downloaded.

Many of the first waves of spam messages carrying the attack use the subject line, "Buy Airplane Ticket Online," researchers said. The messages also use the names of many national and regional air carriers operating in North America, according to the security company's related advisory.

BitDefender experts speculated that the attack was created by the same malware gangs that designed a campaign using JetBlue's identity and logo that was distributed widely in July.

One might assume that the attacks have been themed as such to attempt to draw in business travelers, who often receive such information via e-mail and may be more likely to fall for the ruse and implant the nefarious programs inside their companies' networks.

Among the malware programs being used in the attacks are variants of the well-traveled Trojan.Spy.Zbot.KJ and Trojan.Spy.Wsnpoem.HA families. BitDefender reported that the Trojan.Injector.CH family of threats has also been detected in the airline-themed attacks. The same viruses were also recently employed in a set of attacks that were disguised as shipping reports from major overnight delivery companies.

"The viruses in this campaign have rootkit components that help them to install and hide themselves on the compromised machine either in the Windows or Program Files directory," BitDefender researchers said. "They inject code in several processes and add exceptions to the Microsoft Window Firewall, providing backdoor and server capabilities."

The company said that the malware programs all transmit sensitive information and listen on several ports for possible commands from their remote controllers. The Trojans also attempt to connect and download files from servers with domain names that appear to be registered in the Russian Federation, according to the report.

"Users should be aware that without the appropriate security solution the integrity of their systems is at an extremely high risk," Sorin Dudea, head of the Antimalware Research Lab at BitDefender, said in a statement. "The Trojans this new malware distribution campaign delivers and the high rate of infections prove once again not just the [involved] cybercriminals' ingenuity, but also the lack of interest users show in terms of [maintaining appropriate] systems' defense and sensitive data protection."

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel