Email claims that the recipient has purchased an airline ticket online and should open an attached file to view an invoice and print out the ticket (Full commentary below).
False – Attachment contains a trojan
Subject: E-ticket #4731381568
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:
Your login: [email address]
Your password: passDFL6
Your credit card has been charged for $493.67.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
This unsolicited email supposedly advises the recipient that his credit card has been charged for an airline ticket ordered via a specified airline’s online ticket service. The message instructs the recipient to open an attached file in order to view an invoice and print out the purchased ticket.
However, the email is not from an airline and the claim that the recipient’s credit card has been used to purchase an airline ticket is untrue. The attachment that arrives with the email does not contain an invoice or airline ticket. Instead, opening the attachment can install a variant of the ZBot trojan on the user’s computer. The trojan creates files on the infected computer, modifies the Windows registry and allows backdoor connections to and from a remote server.
The malicious email uses the names of several different airlines and the amount supposedly charged to the user’s credit card may also vary. The message is designed to panic recipients into opening the attachment without due care and attention. Believing that their credit card has been mistakenly charged for an airline ticket that they did not order, some recipients may open the attachment in the hope of gaining more information about the supposed purchase.
If you receive this email, or one similar to it, do not open any attachments that it may carry or click on any links that the message may contain.
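For mail administrators, the traits described above can be turned into a simple filter heuristic. The following is an added example, not part of the original article: the function names, the three-trait threshold and the attachment file name are assumptions, and because the article does not say what type of file is attached, the check only tests that an attachment is present.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Patterns track the lure's structure, not one airline name or amount,
# because the article notes that both vary between copies.
SUBJECT_RE = re.compile(r"e-?ticket\s*#\s*\d{6,}", re.I)
CHARGE_RE = re.compile(r"credit card has been charged for \$\s?\d[\d,]*(?:\.\d{2})?", re.I)
CREDS_RE = re.compile(r"your password:\s*\S+", re.I)

def lure_indicators(raw):
    """Return the names of the lure traits found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    text, files = [], []
    for part in msg.walk():
        if part.get_filename():
            files.append(part.get_filename())
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("eticket_subject")
    if CHARGE_RE.search(body):
        hits.append("charge_claim")
    if CREDS_RE.search(body):
        hits.append("credentials_in_body")
    if files:
        hits.append("has_attachment")
    return hits

def is_suspect(raw, threshold=3):
    """Flag only when an attachment is present and enough traits agree (assumed threshold)."""
    hits = lure_indicators(raw)
    return "has_attachment" in hits and len(hits) >= threshold

def build_sample(subject, body, attachment=None):
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

LURE = build_sample("E-ticket #4731381568",
                    "Your password: passDFL6\nYour credit card has been charged for $493.67.\n",
                    "attachment.bin")
```

Requiring an attachment plus at least two text traits keeps genuine airline receipts, which rarely send a newly created password alongside a charge notice, from being flagged on the subject line alone.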
Last updated: 29th July 2008
First published: 29th July 2008
By Brett M. Christensen