Barracuda Labs Discovered Bogus Ticket Confirmation Emails from American Airlines

Security researchers at Barracuda labs recently came across fake e-mails confirming tickets from American Airlines which looked convincing.

The fake emails entitled "AA.com Itinerary Summary on Hold" read like this "Thank you for making your travel arrangements on AA.com; Your requested itinerary is put ON HOLD. To ensure that your reservation is not cancelled, you must purchase the reservation by clicking the 'Purchase' button on this email or use the 'View/Change Reservation' section on www.aa.com."

Spammers enhance the illusion by constructing long confusing links which contain elements that imitate the domain you would expect to see while examining a link. For example, all links in this spam point to accidentology.info which is a newly-registered temporary domain probably created just for this campaign. However, name of the web page that serves the initial redirection is:/www.aa.com.reservation/viewFareRuleDetailsAccess.do.html as highlighted by experts at Barracuda labs.

The objective of the embedded URL in the email is to draw the recipient's attention towards the section which says www.aa.com though this domain has no connection with the link. The real attacks come from a lengthy sub domain which starts with www.aaa.com.reservation that also endeavors to cover that they come nearer from a maligned domain registered just a few days ago.

The experts add that all links curtailed in the email lead to websites hosting Blackhole exploit kit (BHEK) that seems to abuse the victim's browser.

Ultimately, a version of Trojan.Zeus, a password stealer, was installed on the machine and Trojan started contacting command and control servers.

To become safe, security researchers advise Internauts that if they receive any such emails they should not click on any links and should not open any attachments or call any phone numbers listed or follow any instructions listed in the email. The researchers also suggest that they should forward a copy of the email including the header to webmaster@aa.com so that American Airlines can investigate it. Having done this task, the recipients of such emails are advised to delete the same and run anti-malware scan on their systems to remove any malware.

» SPAMfighter News - 8/5/2013