The Sunday after Thanksgiving is the most heavily traveled day of the year, so it makes sense that cybercriminals spreading malware would want to take advantage of it. We have been seeing a huge array of malicious emails pretending to be airline ticket confirmations. In the past week alone we have seen millions of malicious emails posing as airline ticket confirmations, and they have impersonated nearly every major US airline in an attempt to get the recipient's attention.
The most recent version claims to be an E-ticket from Delta Airlines. The messages appear to come from Delta and include, in the body of the message, details about the ticket you have supposedly purchased. Each message carries an attached .zip file that holds an executable. Once the executable is run, it installs a Trojan that serves as a backdoor into the victim's PC. This variant also drops a "Rogue AV" (fake antivirus) program. Once installed, the Rogue AV shuts down the real anti-virus software, tampers with the firewall settings on the host machine, and later starts sending the user pop-up warnings that their machine is infected. These pop-ups pose as genuine alerts from a vaguely named security product. The user is then led to a site where they can pay for the "latest update" to the security software that is supposedly needed to clean their PC. After paying, the pop-ups go away, only to return some days later. Of course, the victim's PC is still infected and remains a target for other kinds of malicious activity. If all that were not bad enough, this malware also enslaves the PC to a botnet and begins sending thousands of spam messages to repeat the entire process on new victims.
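The lure described above, an "e-ticket" mail whose .zip attachment contains nothing but a Windows executable, is easy to triage automatically at the mail gateway or in a SOC script. The following is an added example written for this post, not code from the original article or from any vendor: it parses a raw RFC 822 message, opens every zip attachment in memory, and flags members that look like executables either by extension or by the `MZ` header, regardless of the name they were given. The sample message is constructed inline for the example; the sender addresses, subject line, and file names are assumptions, and the "executable" inside is just an `MZ` header followed by zeros.

```python
"""
Added example (not from the original post): triage an e-mail that carries a
.zip attachment and report any executable members, mirroring the airline
"e-ticket" lure. The sample message below is constructed for the example;
sender, subject and file names are assumptions.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the user double-clicks them.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Words that show up in the subject lines of this kind of lure.
LURE_KEYWORDS = ("ticket", "itinerary", "confirmation", "booking")


def looks_executable(name: str, head: bytes) -> bool:
    """True if the member has an executable extension or starts with a PE 'MZ' header."""
    lowered = name.lower()
    by_ext = any(lowered.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)
    by_magic = head[:2] == b"MZ"
    return by_ext or by_magic


def scan_zip(blob: bytes) -> list:
    """Return names of executable members inside a zip blob, without writing to disk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first two bytes are needed for the magic check.
            with zf.open(info) as member:
                head = member.read(2)
            if looks_executable(info.filename, head):
                hits.append(info.filename)
    return hits


def triage_message(raw: bytes) -> dict:
    """Parse a raw message; report lure keywords in the subject and executable zip members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    lure = any(k in subject.lower() for k in LURE_KEYWORDS)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Trust the zip magic, not the declared MIME type or the extension.
        if payload[:4] == b"PK\x03\x04" or filename.lower().endswith(".zip"):
            try:
                members = scan_zip(payload)
            except zipfile.BadZipFile:
                members = []
            if members:
                findings.append((filename, members))
    return {
        "subject": subject,
        "lure_subject": lure,
        "executable_attachments": findings,
        "suspicious": lure and bool(findings),
    }


def build_sample_message() -> bytes:
    """Constructed sample: an 'e-ticket' mail whose zip wraps a fake MZ file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Double extension plus an MZ header stands in for the dropper; no real code.
        zf.writestr("eTicket_Delta.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Your itinerary is attached.")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"   # assumed sender, reserved TLD
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your Delta Airlines E-Ticket confirmation"  # assumed subject
    msg.set_content("Thank you for your purchase. Your e-ticket is attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="eTicket_Delta.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

The magic-byte check matters more than the extension check: a dropper renamed to `invoice.pdf` inside the archive still starts with `MZ`, while a genuine itinerary PDF does not. Extend `scan_zip` to recurse into nested archives if you see the lure adapt to that.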
Here is a look at one of these messages and the pop-up that follows: