
Fake American Airlines E-Ticket Trojan


Tywais


Today I received two e-mails claiming to be from American Airlines; see the example below. The return address looked legit, but looking under the hood at the source code there was some red-flag routing that I chased down. It came with an attachment, which I dissected and got a few more details of the 'trojan' from. A little more research found the information below.

It is easy to fall for if not vigilant. So, a heads up and as usual never open an attachment that you are not 100% sure of.

Threat Outbreak Alert: Fake American Airlines Ticket E-mail Messages on December 13, 2011

Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain an American Airlines ticket. The text in the e-mail message attempts to convince the recipient to open the attachment and print the ticket. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code.

Cisco.com

One of the two e-mails I received, which came with a .exe attachment:

FLIGHT NUMBER A5689N

ELECTRONIC 5807259517

DATE & TIME / DECEMBER 18, 2011, 6:28 PM

ARRIVING / NEW YORK JFK

TOTAL PRICE / 809.38 USD

Please find your ticket attached. To use your ticket you should print it.

Thank you for using our airline company services. American Airlines.


Just another good reason to use Gmail!

Some file types are blocked

As a security measure to prevent potential viruses, Gmail doesn't allow you to send or receive executable files (such as files ending in .exe) that could contain damaging executable code. In addition, Gmail does not allow you to send or receive files that are corrupted.

Which file types can I not send or receive?

"ade", "adp", "bat", "chm", "cmd", "com", "cpl", "exe",
"hta", "ins", "isp", "jse", "lib", "mde", "msc", "msp",
"mst", "pif", "scr", "sct", "shb", "sys", "vb", "vbe",
"vbs", "vxd", "wsc", "wsf", "wsh"

Gmail won't accept these types of files even if they are sent in a zipped (.zip, .tar, .tgz, .taz, .z, .gz, .rar) format. If this type of message is sent to your Gmail address, it is bounced back to the sender automatically.

ref: http://support.googl...f75sfd&cbrank=3

Antivirus Scanning

Gmail automatically scans every attachment when it's delivered to you, and again each time you open a message. Attachments you send are also scanned. Checking attachments for viruses protects our users and their information, and prevents the spread of viruses.
  • If a virus is found in an attachment you've received, our system will attempt to clean the file, so you can still access the information it contains. If the virus can't be removed from the file, you won't be able to download it.
  • If our system is unable to scan certain files, you'll see an error reading 'Oops... the virus scanner has a problem right now.' You'll have the option to try again later or to download at your own risk. Please note that if Gmail can't scan the contents of the file, we can't guarantee that it's safe to view.
  • If an attachment you're trying to send is infected with a virus, Gmail will display an error message to tell you, but it won't clean the file. To send the message without that attachment, click the link in that error message that says 'Remove attachment and send.'
  • If Gmail detects that you're trying to send an infected attachment, we suggest running your anti-virus software in case your hard drive is infected. If you don't have anti-virus software, you might consider purchasing/installing one of the popular applications so you can protect your computer and information from viruses.

ref: http://support.googl...en&answer=25760

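A defender-side check in the spirit of the Gmail rule quoted above, added here as an example and not code from Gmail or from anyone in this thread: it parses a message, flags attachments whose extension is on the blocked list quoted above, and looks inside .zip attachments for the same extensions (only .zip is opened; the other archive formats in the Gmail text are assumed out of scope). The message it scans is a constructed sample modelled on the lure in the first post, with a placeholder sender and a harmless stand-in for the .exe.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extension list quoted from the Gmail help text above; only .zip archives are
# opened here (tar/gz/rar handling is left out).
BLOCKED = {"ade", "adp", "bat", "chm", "cmd", "com", "cpl", "exe", "hta", "ins",
           "isp", "jse", "lib", "mde", "msc", "msp", "mst", "pif", "scr", "sct",
           "shb", "sys", "vb", "vbe", "vbs", "vxd", "wsc", "wsf", "wsh"}

def ext_of(name):
    """Lower-cased final extension of a filename, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def flagged_attachments(raw_message):
    """Names of attachments (and zip members) whose extension is blocked."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:              # body text and multipart containers
            continue
        if ext_of(name) in BLOCKED:
            hits.append(name)
        elif ext_of(name) == "zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}:{m}" for m in zf.namelist()
                             if ext_of(m) in BLOCKED]
            except zipfile.BadZipFile:
                # Unreadable archive: treat like Gmail treats corrupted files
                hits.append(f"{name}:<unreadable archive>")
    return hits

def build_sample():
    """Constructed sample modelled on the lure in the first post (not a real message)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ElectronicTicket.exe", b"MZ placeholder, not a real program")
    msg = EmailMessage()
    msg["From"] = "tickets@example.invalid"   # placeholder sender
    msg["Subject"] = "Your electronic ticket"
    msg.set_content("Please find your ticket attached. To use your ticket you should print it.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Ticket.zip")
    return msg.as_bytes()
```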

Bottom line: if you get an e-mail from an airline saying there's a ticket attached and you aren't currently looking for any air tickets, or don't even fly with the alleged airline, why even bother opening it?

My late father used to get e-mails from various banks claiming that he needed to take care of some urgent business regarding his account by responding. Initially he was confused at sorting out spam and malicious e-mails from the legit ones, but he worked it out for himself. He only had two accounts, with one bank, so anything from any other bank he deleted at source. Sorted!


Yahoo doesn't let you send .exe files either; you have to zip them. I've heard that even opening an e-mail can start a virus, too. I'm super careful about which e-mails I open, and I keep image blocking on!

Edited by astral
No need to quote the entire post. Just pick out the relevant points, please - Astral

I've heard that even opening an e-mail can start a virus, too. I'm super careful about which e-mails I open, and I keep image blocking on!

This can happen on desktop clients (Outlook, Thunderbird, ...) that are not up to date. Otherwise you have to open the attached file (i.e. launch it and click OK on all the security warnings that now come with any recent OS) to be at risk.

As far as I know, it can't happen in web clients like Gmail (unless, once more, you click on a link in the e-mail that brings you to some shady site that might try to exploit security holes in your browser).
