Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 28th, 2008

Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments

Several airlines have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages. Airlines that issued warnings include Delta Air Lines Inc., Northwest Airlines Corp., Sun Country Airlines and Midwest Airlines Inc. Sun Country also reported these e-mails to Yahoo, Hotmail and the United States Computer Emergency Readiness Team.

A researcher at McAfee Inc. confirmed the campaign in a post to the company’s blog. Messages may appear as follows (updated spam campaigns may appear different):

From: [name] [airline_name] Airlines
Subject: Your order from {airlines} [number]
Subject: Online order for flight ticket [number]

Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [characters]
Your password: [characters]

Your credit card has been charged for $[number in the $400 range]
We would like to remind you that whenever you order tickets on our website you get a discount of 10%!
Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,

Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon).

The e-mails, which purport to be from an airline, thank the recipient for using a new “Buy flight ticket Online” service on the airline’s site, provide a log-in username and password, and say the person’s credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.

However, the .zip file format attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. McAfee has labled the malware as “,” Symantec Corp. has labeled the same Trojan horse as “Infostealer.Monstres.”

This trojan first made a name for itself almost a year ago, when it was used to rip off more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular recruiting Web site.

Share this item with others:

More on CyberInsecure:
  • Griffin Electric Stolen Laptop Exposes Employee Data
  • UEFA Lottery Scam Targets UK Football Fans
  • Hacked Blog Spam Pages Promoted In Google News
  • Football Might Get You Infected
  • Botnet Used To Solve CAPTCHA And Snatch Up Premium Tickets

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments

    14 Responses to “Airlines Warn Customers Of Ticket Invoices Spam With Infected Attachments”

    1. Frans Plaizier Says:
      August 10th, 2008 at 1:20 pm

      Dear sirs,

      Thank you very much for putting this warning on the internet. Thanks to your warning and explanation I was able to detect and identify a very similar e-mail in my mailbox. This one was sent bij “Midwest Airlines” : Jackie Flanagan Midwest Airlines [[email protected]] supposedly. The search words in Google I used were: Buy airline tickest online, Midwest Airlines; that brought me to your site.
      Thanks again and I’ll spread the word. Keep up the good work!
      Frans, from Holland.

    2. CyberInsecure Says:
      August 10th, 2008 at 7:05 pm

      Good to hear, this is the reason this website is online.

    3. John Nelson Says:
      August 14th, 2008 at 9:18 am

      How do I remove the virus? HELP!

    4. CyberInsecure Says:
      August 14th, 2008 at 9:40 am

      Most anti-virus products, even free ones like AVG and avira, can clean your PC. Boot from a rescue CD with an anti-virus and scan your hard drive or connect your hard drive via USB using a cable to another clean PC with anti-virus and scan it there.

      Often cleaning infections might be very hard, since they appear again. Consider taking it to a lab or reinstalling your OS.

    5. Tony Gregory Says:
      September 5th, 2008 at 7:20 am

      Unfortunately I opened the attachment thinking it had been sent in error. Norton closed the computer immediately. I re-opened & performed various scans. All was clear, apart from a message purporting to be from ‘windows’ saying my comp. was infected.
      The message comes-up every 10 seconds or so. Anyone know how I can erase permanently?

    6. CyberInsecure Says:
      September 5th, 2008 at 10:02 am

      1. Nothing is clear, your PC is infected. Norton is not the most successful security product out there.

      2. You can’t remove the malware manually, it will reappear again and again. The best solution would be booting from a rescue CD with an anti-virus and scanning entire system drive. Before you do that, try using AVG anti-virus, it might help.

    7. you can delete it with Ad-Aware Lavasoft!

    8. How doI remove it when it won’t even boot windows now? It was telling me over and over again that I had a virus (Avast virus scan) then when I rebooted, it freezes on the page that you would normally type in a password to log on to windows…
      PLEASE HELP! This is a business computer and I’m stuck!!

    9. Kelli:
      Boot into safe mode and try to clean your windows from there. If not, try booting from a rescue CD with anti-virus.

    10. hi,
      well i fell for it, how do i remove it now? mine was for the amount of 900 and something dollars!
      please can someone help?
      thank you

    11. Doris Thurber Says:
      January 16th, 2009 at 11:09 am

      I just got the mailing purported to be from Northwest Airlines saying my e-ticket had been charged to my credit card. I suspected it was phishing, so I Googled Northwest airlines e-ticket phishing and this site was one of the hits. Since most of the posts are four months old, I wonder what we can be doing right now to shut these crooks down.

    12. CyberInsecure Says:
      January 16th, 2009 at 12:03 pm

      Doris Thurber: Those spam and phishing campaigns appear from time to time. What can be done is being done, some researchers are fighting the spam botnets, others are reporting it to make users aware.

      What users can do is update their Windows and software and never click on links they get in email without checking first who sent it and why.

    13. Great job I was a bit worried about the look of it so thought I’d run a check through Google to see if was an obvious spam and your page came up top search!

      I suppose we all have to question anything that looks odd, eh?


    14. Seems that this trojan horse has been reactivated again, we just received today the faking ticket.
      Thanks a lot for your service

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.