Beware airplane ticket N648365 – it contains malware

The bad guys are up to their old tricks again, spamming out malicious attachments posing as airline tickets.

 

The latest attack, which we’re seeing in many of our spamtraps around the world, poses as an email from Delta Air Lines.

 

Here’s a typical message:

Subject: Online order for airplane ticket N648365
Message body:
Good afternoon,
Thank you for using our new service "Buy airplane ticket Online" on our website.
Your account has been created:

Your login: [removed]
Your password: G6vFjbdp

Your credit card has been charged for $998.63.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Delta Air Lines

Attached file: eTicket.zip

 

Of course, even if you haven’t booked an airline ticket you may still very well open the attachment – especially if you believe your credit card may have been charged for such a large amount of money!

 

Sophos detects the malicious file attached to the emails as Mal/BredoZp-B and Mal/EncPk-MP. Users of other anti-virus products are advised to ensure that they are up-to-date and capable of detecting this email-borne threat.

 

By Graham Cluley, Sophos

 

 

Related Blogs

No, you’ve not received a postcard from a family member

Over the weekend there has been a new wave of attacks spammed out, spreading a version of the Bredo Trojan horse via malicious emails.

 

The emails claim to be an ecard from a family member, but opening the attachment can infect your computer with the Troj/Bredo-BS Trojan horse.

 

A typical email has the following characteristics:

Subject: You've received a postcard
Attached file: postcard.zip
Message body:
Good day.

Your family member has sent you an ecard
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.

 

This is clearly an old tactic to trick people into infecting their computers, but the reason why it’s so familiar is that it really does work.

 

There’s clearly a danger that some people may return to their work email on Monday morning and, with still sleepy eyes after the wekeend, open the attachment before their brain has been woken up by a strong sip of coffee.

 

Sophos detects the ZIP file as Troj/BredoZp-AC, and its contents as Troj/Bredo-BS.

 

Somehow the BS nomenclature seems particularly appropriate for this clearly bogus ecard from a family member.

 

Make sure your anti-virus software is up-to-date, and able to protect against these latest threats, which are still being distributed via spam right now, as you can see in the above snapshot of malware being detected in our traps.

 

Don’t forget you should always be cautious of opening unsolicited email attachments – criminal hackers will often use this technique to try to trick you into running malicious code on your computer.

 

By Graham Cluley, Sophos

 

 

Facebook Password Reset Confirmation emails carry malware

Today I received an email about  Facebook Password Reset Confirmation email with subject :

 

"The Facebook Team" <service@facebook.com>

 

 

and it tells me my facebook password changed for safety reason then they wants me to download the attached document to see the new password and the attachment (Facebook_document_145.zip) it content a virus called :

 

• Mal/FakeAV-BW [Sophos]
• Suspect-1B!E4800A5BF6F6 [McAfee]
• Not Detected  [Kaspersky Lab]
• Not Detected  [Microsoft]

its an EXE file with DOC icon .

 

Be careful with these kind of emails and don’t run any attachments that you don’t trust.

 

To Download the removal tool : (ClickHere)

 

Malware attack spammed out disguised as email settings file

Sophos is intercepting a large number of malicious emails that have been spammed out around the world, posing as a new settings files for internet users’ email systems. However, attached to the emails is a Trojan horse.

 

Each email is carefully disguised in an attempt to lure the recipient into believing they are genuine. For instance, they use the recipient’s email address in the subject line and pretend to come from the support team at the recipient’s email domain:

A typical malicious email reads as follows (I’m assuming the user’s email address is username@example.com below):

Subject: A new settings file for the username@example.com has just be released

Attached file: settings.zip

Message body:
Dear use of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox username@example.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, example.com Technical Support.

Although the hackers behind this attack have clearly put a little thought into how they might infect as many people as possible, they have made some grammatical mistakes which may tip off potential victims that the emails are not genuine.

For instance, the subject line of

A new settings file for the username@example.com has just be released

is very clumsy.

 

Attached to each email is a file called settings.zip, which contains a copy of the Troj/Bredo-BE Trojan horse.

 

Stay on your guard against attacks arriving via email. Although we see many web-based attacks these days, the rumours of the death of email-based malware are greatly exaggerated.

 

By Graham Cluley, Sophos

 

 

Facebook Password Reset Confirmation E-mails Carry Malware

Are you one of the more than 300 million active users of Facebook?

If you are, then be very careful if you receive an unsolicited email claiming to come from

"The Facebook Team" <service@facebook.com>

which tells you that they have changed your password:

The emails, which all have the subject line “Facebook password resent confirmation email.”, claim that the recipient’s new password is contained in the attached file (named Facebook_Password_4cf91.zip).

The reality, of course, is that these emails are not really from Facebook and have been spammed out widely across the internet. The “from” address has been forged, and the attached file is in fact a piece of malware. (Sophos detects the malware as Troj/BredoZp-M or Mal/Bredo-A)

Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software.

By Graham Cluley, Sophos

Beware fake Microsoft alerts regarding Conficker worm

We are seeing a large number of malicious emails in our spam traps, pretending to contain advice regarding the Conficker worm.

 

Here is a typical message:

Subject: Conflicker.B Infection Alert
Attached file: install.zip
Message body:

Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Sophos detects the attached files proactively as Mal/ZipMal-C and Mal/EncPk-KP.

 

It goes without saying that opening the attached file is a very bad idea.

 

By the way, note that the hackers didn’t spend much time in their quality control department. The subject line of the spammed out emails refers to “Conflicker” rather than Conficker.

 

by Graham Cluley, Sophos

 

Malicious bogus DHL and FedEx emails bombard inboxes

We are currently seeing a large number of malicious emails purporting to be sent from FedEx or DHL, but containing attachments designed to infect your computer.

 

It’s a familiar story. In the case of the malware attached to the emails coming from DHL, the communication claims that there has been an error in the delivery address, and so you are invited to pick up the parcel “at our post office personaly” (spelling has often been the downfall for would-be hackers).

 

If the poor spelling doesn’t set your alarm bells ringing then you might be foolish enough to open the attached shipping label (we have seen examples where this can be called DHL_print_label_75ba9.zip or DHL_print_label_9731b.zip)

 

Sophos detects the attached malware as Troj/BredoZp-A or Mal/Bredo-A.

 

On the SophosLabs blog, Prashant has written about a similar campaign claiming to come from FedEx, carrying an infected invoice in the form of a file called TR768212.zip.

 

The thing which is most notable about these current spammed-out attacks, though, are their ferocity. Take a look at what our email malware traps intercepted in a less than two minute interval:

 

Dangerous emails claiming to come from courier companies are nothing new – it has become a standard method by which hackers can socially engineer you into opening a malicious attachment or clicking on a dangerous link.

 

Make sure that you and your colleagues are wise to the trick – and think before you click.

 

by Graham Cluley, Sophos

« Previous Page