MX Labs Cautions about Fake E-mails Masquerading as Air Canada
According to researchers at the security company MX Labs, spam outbreaks that abuse Air Canada's name and reputation have been detected circulating online and hitting inboxes.
Displaying the spoofed sender ID "Air Canada firstname.lastname@example.org" and the subject line "Your Order#74267102 - PROCESSED," the bogus e-mail addresses the recipient as "customer" and states that his order has been processed successfully. The details given are: Flight Number: TB7392CA; Electronic 74267102; Date and Time: 6th December 2012 at 10.30am; Leaving Toronto; and Ticket rate: Canadian Dollars 375.12.
The e-mail then suggests downloading and printing the ticket by accessing the web address:
For more information about the order, the message asks the recipient to contact Air Canada at http://www.aircanada.com/en/customercare/index.html?orderid=74267102&ssid=1524.
Finally, the e-mail signs off with thanks on behalf of the airline.
However, rather than leading to the actual site, the given web address takes the user to a zipped file at hxxp://air-canada.org/tickets/ticketTB7392CA.zip. When unzipped, this archive produces a 175KB file named ticketTB7392CA.scr, the researchers outline.
The malware reportedly involved is identified as Trojan.Agent/Gen-Festo, Trojan-Spy.Win32.Zbot.gtvm, or Trojan.Zbot.
Notably, according to MX Labs, only 4 of the 46 anti-virus engines on VirusTotal have so far recognized the malware.
Worryingly, it is malware-laced junk e-mail outbreaks of this kind that have resulted in an increase in malware online, remark the researchers from MX Labs. This statement is backed by data that PandaLabs, another security company, published in its Q3-2012 (July to September 2012) report, which states that Trojans accounted for 72.58% of all new malware during the quarter, followed by viruses and worms at 14.47% and 10.53% respectively.
Meanwhile, in a similar spam campaign involving an airline, though with different malware, the security company Sophos spotted in the last week of November 2012 spam posing as a message from 'Jetstar,' an Australian airline, which told the reader that he could view a flight itinerary after extracting a given Zip file. That file, however, held an executable containing a malicious program that Sophos identified as Troj/Bredo-AEG.
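Both campaigns above deliver a Zip archive whose member is a Windows executable (ticketTB7392CA.scr in the Air Canada case). As an added example, not part of the original article or of any vendor's tooling, this Python check shows how a mail or web gateway could flag such archives before delivery; the extension list, function names, the itinerary.pdf name and the inert sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows treats as programs; .scr (screensaver) is an ordinary PE executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_members(zip_bytes):
    """Return (member_name, reason) pairs for entries that would run when opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            with archive.open(info) as member:
                magic = member.read(2)  # PE files start with the bytes "MZ"
            if ext in EXECUTABLE_EXTS:
                findings.append((name, "executable extension " + ext))
            elif magic == b"MZ":
                # Executable content hidden behind a harmless-looking extension.
                findings.append((name, "PE header behind extension " + (ext or "(none)")))
    return findings


def build_sample_zip(members):
    """Build a constructed, harmless archive in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the .scr name follows the article; contents are inert placeholders.
LURE = build_sample_zip({"ticketTB7392CA.scr": b"MZ" + b"\x00" * 62})
DISGUISED = build_sample_zip({"itinerary.pdf": b"MZ" + b"\x00" * 62})
BENIGN = build_sample_zip({"itinerary.pdf": b"%PDF-1.4\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("disguised", DISGUISED), ("benign", BENIGN)):
        print(label, suspicious_members(blob))
```

Because the check keys on file type rather than a signature, it does not depend on anti-virus coverage, which was 4 of 46 engines for this sample. Password-protected archives cannot be read this way and need a separate policy.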