Home Archive ‘Buy Airplane Ticket Online’ Trojan Email

‘Buy Airplane Ticket Online’ Trojan Email

by Brett M. Christensen

Email claims that the recipient has purchased an airline ticket online and should open an attached file to view an invoice and print out the ticket (Full commentary below).

Brief Analysis:
False – Attachment contains a trojan

Subject: E-ticket #4731381568

Good morning,
Thank you for using our new service “Buy airplane ticket Online” on our website.
Your account has been created:

Your login: [email address]
Your password: passDFL6

Your credit card has been charged for $493.67.
We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket.
To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Trudy Cameron
Northwest Airlines

Detailed Analysis:
This unsolicited email supposedly advises the recipient that his credit card has been charged for an airline ticket ordered via a specified airline’s online ticket service. The message instructs the recipient to open an attached file in order to view an invoice and print out the purchased ticket.

However, the email is not from an airline and the claim that the recipient’s credit card has been used to purchase an airline ticket is untrue. The attachment that arrives with the email does not contain an invoice or airline ticket. Instead, opening the attachment can install a variant of the ZBot trojan on the user’s computer. The trojan creates files on the infected computer, modifies the Windows registry and allows backdoor connections to and from a remote server.

The malicious email users the names of several different airlines and the amount supposedly charged to the user’s credit card may also vary. The message is designed to panic recipients into opening the attachment without due care and attention. Believing that their credit card has been mistakenly charged for an airline ticket that they did not order, some recipients may open the attachment in the hope of gaining more information about the supposed purchase.

If you receive this email, or one similar to it do not open any attachments that it may carry or click on any links that the message may contain.

Last updated: 29th July 2008
First published: 29th July 2008
By Brett M. Christensen
About Hoax-Slayer

ZBot trojan attached to flight ticket confirmation
NWA, Sun: Don’t open e-mail, it’s a scam

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,