Spoofed Delta Airlines emails contain trojan

Share this article:
Updated Friday, Feb. 27, 2009 at 5:35 p.m. EST

Emails spoofed to look like they are coming from Delta Airlines to confirm a ticket purchase are attempting to infect users with a trojan, according to a Belgium-based security firm.

The fake emails instead contain a ZIP attachment, which, if clicked, installs a data-stealing trojan, Peter Louies, manager at email security vendor MX Lab, told SCMagazineUS.com Friday.

Delta posted an advisory on its website alerting users of these fraudulent emails and warning them not to open the attachment.

"These emails did not originate with Delta, nor do we believe that any personal information that our customers provided to us was used to generate these emails," the advisory says.

The trojan, named W32/Trojan2.FXRO, has the characteristics of Zbot – a banking trojan, Louies said. It will try to steal sensitive and personal information, such as login IDs and passwords. In most cases, trojans such as these also can connect to other hosts and install additional malware without alarming the user, Louies said.

The attack likely originates in Russia, but the messages are likely coming from compromised hosts, Louies said.

A technique called email address spoofing was used to cover the tracks of the real sender, he said. The emails always have two "From" addresses, with the real "From" address sent in the SMTP protocol communication level, not seen by the user.

The spoofed "From" address, support@delta[dot]com, was included inside the email and is visible to the receiver, making the messages appear to be coming from Delta, Louies said.

Louies said that since MX Lab is a small email security firm it is very difficult to specifically define the impact of this malicious email and how widespread it is worldwide.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.