Wednesday, April 4, 2012

US Airways Spam Fueling ZeuS Trojan Infections

If you didn’t learn not to click on links embedded in Delta Air Lines spam, then perhaps the new US Airways spam campaign will teach you.

Kaspersky Lab Expert Dmitry Tarakanov warns that cybercrooks are spamming out bogus US Airways check-in emails in hopes of infecting the machines of gullible recipients with the popular ZeuS banking Trojan.

Here’s a sample email:

US Airways Spam
Image Credit: Kaspersky Lab

US Airways

You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). Then, all you need to do is print your boarding pass and head up to the gate.

Confirmation code: XXXXXX (random number)
Check-in online: Online reservation details


Departure city and time
Washington, DC (DCA) 10:00PM
Depart date: 4/5/2012

We are committed to protecting your privacy. Your information is kept private and confidential. For more information about our privacy policy visit

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281, Copyright US Airways, All rights reserved

From what I can tell, the confirmation code in the email is randomized from message to message, while the departure city, time and date stay the same across samples.

Clicking the ‘Online reservation details’ link will take you to a malicious third-party site housing the widely-used Blackhole exploit kit, which will attempt to exploit vulnerabilities in Java, Adobe Flash Player or Adobe Reader in order to deliver the ‘Gameover’ build of the ZeuS/Zbot Trojan.

All of this will happen quietly in the background as the user curiously stares at the lonely ‘Loading..’ text occupying the page.

Of course, once the malware makes its way onto your machine, it will begin stealing sensitive online banking information, which will then be uploaded to a remote server controlled by the attackers.

US Airways is aware of the bogus spam circulating and has posted a warning on their website and Facebook page. US Airways advises users to hover their mouse over the link to check the underlying URL, which will have ‘’ as the domain name if it is legitimate.

If you receive the email and notice that the URL for the link doesn't match, feel free to delete it.
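The hover-and-check advice above, done programmatically, as an added example that is not from the original post or from US Airways: it parses an HTML email body and flags every link whose actual destination host is not the legitimate domain or one of its subdomains. The legitimate domain, the sample message and its link hosts are all constructed for this example.

```python
# Added example (not from the original post): the "hover over the link"
# check done programmatically: flag every link in an HTML email whose real
# destination host is not the legitimate domain or one of its subdomains.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the airline's legitimate domain (the post leaves it out).
LEGIT_DOMAIN = "legit-airline.example"

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, legit_domain):
    """True only if host is legit_domain itself or a subdomain of it; a
    lookalike such as legit_domain.something.else does not match."""
    host = (host or "").lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)

def suspicious_links(html_body, legit_domain=LEGIT_DOMAIN):
    """Return (visible text, href) for links not pointing under legit_domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    return [(text, href) for href, text in parser.links
            if not host_matches(urlparse(href).hostname, legit_domain)]

# Constructed sample modelled on the check-in lure quoted above; the first
# link's host merely starts with the real domain, as lures often do.
SAMPLE_EMAIL = """<p>Check-in online:
<a href="http://legit-airline.example.checkin-update.test/go">Online reservation details</a></p>
<p><a href="https://www.legit-airline.example/privacy">privacy policy</a></p>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
```

Relative or host-less links are flagged too, since their destination cannot be verified from the message alone.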

