Airlines warn customers of infected ticket invoices

Several airlines, including Delta and Northwest, have warned customers that bogus e-mails posing as ticket invoices contain malware and urged them to immediately delete the messages.

A researcher at McAfee confirmed the campaign in a post to the company's blog.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a login username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.

However, the .zip file format attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia, according to McAfee's threat researcher Craig Schmugar. McAfee has pegged the malware as "Spy-Agent.bw," but other security firms have given it different names. Symantec, for example, has labeled the same Trojan as "Infostealer.Monstres."

Infostealer.Monstres first made a name for itself almost a year ago, when it was used to rip off more than 1.6 million customer records from Monster Worldwide, the company that operates the popular Monster.com recruiting Web site.

"Customers should be aware that these e-mails are not coming from the airline," said Northwest Airlines' vice president of e-commerce, Al Lenza, in a statement last week. "NWA itineraries are specific and contain information that a customer will recognize. If the format does not look familiar to you, and you have not recently purchased a ticket, do not open the attachment. Delete the e-mail right away."

Other airlines that issued warnings include Delta Airlines of Atlanta, Sun Country Airlines of Mendota Heights, Minn., and Midwest Airlines of Milwaukee. "Be assured that Sun Country did not send this email, and charged nothing to your credit card," an alert posted to the Sun Country site read. "We have reported these emails to Yahoo, Hotmail, and the United States Computer Emergency Readiness Team."

Earlier last week, McAfee raised the alarm about a similar spam run of e-mails harboring the same Trojan. That campaign, however, sent messages posing as invoices from package delivery company United Parcel Service of America (UPS).

Computerworld is an InfoWorld affiliate.