American Airlines, ‘eTicket Itinerary and Receipt Confirmation’ Malware Email

by Brett M. Christensen

This email, which purports to be from American Airlines, presents itself as an ‘eTicket Itinerary and Receipt Confirmation’ and claims that you can print out your flight ticket by opening an attached Microsoft Word document.

The email includes information supposedly pertaining to the ticket purchase and features seemingly legitimate American Airlines formatting and related graphics. Links in the message open the genuine American Airlines website.

However, despite appearances, the email is not from American Airlines and the attached file does not contain flight tickets.

Instead, opening the attached file can lead to a malware infection.

The attachment is a seemingly harmless Microsoft Word (.doc) file and you may, therefore, be inclined to open it without due concern. But, if you do open the attachment, a popup message will state that you must enable macros before the file can be viewed correctly.

If you do enable macros as suggested, a malicious macro can then run. The macro can download further malware components and install them on your computer. Once installed, this malware may steal information such as banking passwords, download even more malware, and allow criminals to take control of the infected computer.

To clarify, a ‘macro’ in this context is a group of instructions that can act as a single command in order to automatically carry out a specified task. Macros can save time by making repetitive tasks easier to achieve. Microsoft Office programs and other types of software allow you to create your own macros as required to aid your workflow.

However, macros can also be used maliciously. In the past, macro virus threats were common. Thankfully, later versions of Microsoft Office disabled macros by default, thereby lessening the threat posed by macro viruses. But online criminals are again using macros to trick people into installing malware. Unless you have a specific need to use macros and are aware of the potential risks, you would be wise to leave macros disabled.

Emails like this one use simple social engineering tricks to get people to infect their computers. Some people who receive the email may think that their credit card has been fraudulently used to purchase airline tickets and open the attachment in the hope of getting more information. Some may open the attachment because they think a mistake has been made or are simply curious. And some may have recently purchased American Airlines tickets and therefore be especially vulnerable.

Criminals have used very similar ruses in the past to distribute malware. If you receive one of these fake airline ticket emails, do not open any attachments that it contains even if they appear to be innocuous Microsoft Office documents.
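Mail administrators can flag macro-bearing Word attachments like the one described above before they reach an inbox. The following Python code is an added example, not part of the original article: it checks each attachment of a message for a VBA project, using a constructed test message whose file names, addresses and attachment bytes are made up and inert.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # header of legacy .doc/.xls files
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name of a VBA project

def attachment_has_macros(data):
    """Heuristic: True if the bytes look like an Office file with a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format stores directory entry names as UTF-16LE.
        return VBA_MARKER in data
    if data.startswith(b"PK"):
        # OOXML formats (.docm and similar) keep macros in a vbaProject.bin part.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(n.lower().endswith("vbaproject.bin")
                           for n in archive.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def scan_message(raw):
    """Return (filename, has_macros) for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "(unnamed)",
             attachment_has_macros(part.get_payload(decode=True) or b""))
            for part in msg.iter_attachments()]

def build_sample():
    """Constructed message; the attachments are inert bytes that mimic markers."""
    msg = EmailMessage()
    msg["Subject"] = "E-Ticket Confirmation"
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "user@example.com"       # constructed address
    msg.set_content("Your ticket is attached.")
    with_vba = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
    without_vba = OLE_MAGIC + b"\x00" * 128
    for name, body in (("ticket_sample.doc", with_vba),
                       ("plain_sample.doc", without_vba)):
        msg.add_attachment(body, maintype="application", subtype="msword",
                           filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, flagged in scan_message(build_sample()):
        print(name, "-> VBA project found, hold" if flagged else "-> no VBA project")
```

The byte-marker check is a heuristic that tells you a macro project is present, not what it does; a dedicated parser such as olevba from the oletools package can extract and inspect the macro source.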


Subject: E-Ticket Confirmation

American Airlines ETicket Malware Email

Attached file: ‘ticket_AA77799543.doc’
