Planning your fall holiday? Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble.
TrendLabs researchers caught spammed email messages carrying bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for using a new service called “Buy flight ticket Online” and provides account details (even a password). It then tells the recipient to simply print out the attached “purchase invoice and plane ticket” before using them, and they’re off! How convenient!
Here’s a screenshot:
The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment,” observed Advanced Threats Researcher Joey Costoya.
Trend Micro detects the file inside the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and connects to websites to download other, possibly malicious, files. It also uses the Microsoft Word document icon so that the executable passes for a .DOC file, which makes it harder to spot and remove.
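The E-TICKET.ZIP / E-TICKET.DOC.EXE layout above is the kind of thing a mail gateway can flag mechanically. The following is an added example, not TrendLabs code: it opens a zip attachment, flags members whose final extension is executable (and the double-extension pattern specifically), and checks the member’s first bytes for a Windows PE header so a program renamed to look like a document is still caught. The sample archive it scans is constructed in-memory with a non-functional fake PE stub and a placeholder PDF; the extension lists are an assumed baseline, not a complete set.

```python
import io
import struct
import zipfile

# Extensions a user expects to open as a document, not run as a program (assumed baseline).
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf", "jpg", "png"}
# Extensions Windows will execute when double-clicked (assumed baseline).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "cpl"}


def classify_name(name: str) -> list[str]:
    """Return findings for one archive member name based on its extension(s)."""
    findings = []
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) < 2:
        return findings
    final = parts[-1]
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{final}")
        # Double-extension trick: "E-TICKET.DOC.EXE" is shown as "E-TICKET.DOC"
        # when Explorer hides extensions for known file types.
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            findings.append(
                f"double extension .{parts[-2]}.{final} disguises an executable as a document"
            )
    return findings


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every file in a zip attachment; return {member_name: [findings]} (empty list = clean)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = classify_name(info.filename)
            head = zf.open(info).read(0x400)  # only the header is needed for the magic check
            if is_pe_image(head):
                ext = info.filename.lower().rsplit(".", 1)[-1]
                if ext in DOCUMENT_EXTS:
                    findings.append("PE image with document extension")
                else:
                    findings.append("content is a Windows PE image")
            report[info.filename] = findings
    return report


def build_fake_pe() -> bytes:
    """Constructed, non-runnable stand-in: an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def build_sample_attachment() -> bytes:
    """Constructed E-TICKET.ZIP mimicking the spam layout (fake PE stub, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("E-TICKET.DOC.EXE", build_fake_pe())
        zf.writestr("itinerary.pdf", b"%PDF-1.4\n%constructed benign placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip_attachment(build_sample_attachment()).items():
        status = "BLOCK" if findings else "ok"
        print(f"{status:5} {member}: {'; '.join(findings) or 'no findings'}")
```

The name check and the content check are deliberately independent: the first catches the social-engineering pattern even when the payload is a script rather than a PE, and the second catches a PE that has been renamed to a single document extension, which the name check alone would pass.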
Costoya also said, “The phrase Your credit card has been charged… will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details.’”
This appears to be a renewed campaign: we first saw it in late August, when the featured airline was Northwest Airlines and the spam attachment led to a rogue antivirus installation rather than a worm. Since then, the amount supposedly charged has gone up; the Northwest version “charged” almost $700, the Continental version about $915. And JetBlue Airways, it would seem, “charged” even more, according to this sample:
If you receive one of these messages, do not open the attachment. Trend Micro has already stopped this worm’s takeoff with the Smart Protection Network.