Last edit by: JDiver
AA warns of phishing attempts to secure personal information for fraudulent activity. Many look like an e-mail with an attached ticket the recipient has allegedly purchased.
● DO NOT CLICK on any links, including to the attachment, and do not call any number or follow any instructions, within the e-mail.
● DO forward a copy of the email, including the header to [email protected] so that AA can investigate further.
1. Keep the original subject line in the forward, and include the full text body.
2. Include the complete e-mail header if possible -- Email programs often display abbreviated headers, but this link will show you how to see most full e-mail headers.
● Link to aa.com page on phishing and fraud attempts
/American AAdvantage Forum Moderation Team
Fake AA E-mail Warning! Phishing, malware, fraud, bogus, spoof etc. (consolidated)
#1
Original Poster
Join Date: Oct 2003
Programs: MP, 1K 1MM
Posts: 1,255
R received this in his e-mail:
From: American Airlines [mailto:<redacted>]
Sent: Thursday, August 28, 2008 09:07
To: XXXXXXXXXX
Subject: Your Online Flight Ticket N 87865
Dear customers
Thank you for using our new service "Buy flight ticket Online" on our
website.
Your account has been created:
Your login: XXXXXXXXX
Your password: XXXXXXX
Your credit card has been charged for $610.01.
We would like to remind you that whenever you order tickets on our website
you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to
take off for the journey!
Kind regards,
American Airlines
R has no flights planned nor ticketed with AA. Clearly phishing.
Mod note: Please read Post #3 in this thread to quickly find out everything about your email.
Also this is useful information from Post #40
As it says on the Fraudulent Emails page on aa.com, "If you receive this type of email, you should not click on any links, open any attachments, call phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to [email protected] so that we can investigate further."
1. Keep the original subject line in the forward, and include the full text body.
2. Include the complete e-mail header -- Email programs often display abbreviated headers, but the link below will show you how to see the full e-mail header, at least with most e-mail programs:
http://www.haltabuse.org/help/headers/index.shtml
Last edited by JDiver; Jan 13, 2012 at 9:03 am Reason: edit back in original thread / post title/ delete faked e-mail return
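The two reporting steps in the post above (keep the original subject, include the complete header), shown as an added example that is not part of the original thread and not code from AA: attaching the untouched message as a message/rfc822 part carries its whole header block along. The sample message, the reporter address and the `abuse_mailbox` value are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a suspicious message; hosts and addresses are made up.
SAMPLE_RAW = (
    b"Return-Path: <bounce@mailer.example.net>\r\n"
    b"Received: from unknown (HELO host.example.net) (192.0.2.10)\r\n"
    b"\tby mx.example.org with SMTP; Thu, 28 Aug 2008 09:07:11 -0400\r\n"
    b"From: American Airlines <tickets@example.net>\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: Your Online Flight Ticket N 87865\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Dear customers\r\nYour credit card has been charged for $610.01.\r\n"
)

def build_report(raw, reporter, abuse_mailbox):
    """Wrap the raw message, unopened, in a report that keeps its headers."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = reporter
    report["To"] = abuse_mailbox  # placeholder; use the address AA publishes
    # Step 1: keep the original subject line in the forward.
    report["Subject"] = "Fwd: " + str(original["Subject"])
    report.set_content("Suspicious e-mail attached with its full headers.\n")
    # Step 2: a message/rfc822 attachment carries the complete header block,
    # which an inline forward from most mail clients would drop.
    report.add_attachment(original)
    return report

def attached_original(report):
    """Serialize the report as it would be sent, reparse it, and return the
    embedded original message (or None if it is missing)."""
    received = message_from_bytes(report.as_bytes(), policy=policy.SMTP)
    for part in received.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None

if __name__ == "__main__":
    rpt = build_report(SAMPLE_RAW, "me@example.org", "abuse-mailbox@example.invalid")
    inner = attached_original(rpt)
    print(rpt["Subject"])
    for name, value in inner.items():
        print(f"{name}: {value}")
```

The Received and Return-Path lines that survive in the attachment are what an abuse team uses to trace where the message actually entered the mail system.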
#2
FlyerTalk Evangelist
Join Date: Jun 2008
Location: Rural TN (but WAS native)
Programs: National Executive Elite, none of the others matter
Posts: 23,823
#3
Join Date: Jan 2007
Location: LAS
Programs: Aegean Miles & Bonus Gold, HHonors Gold, Starwood Gold
Posts: 300
Virus
This is the chunk I'd be worried about:
"Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to
take off for the journey!"
Clearly, that isn't even proper English. In reality, they are trying to get you to open the attachment, which contains at least one Trojan Horse.
I'd delete it, then purge it from the server.
Article on this particular Email:
http://www.savvywallet.com/2008/07/3...ticket-online/
Here is the Google ref on it:
http://www.google.com/search?q=%22Th...006-16,GGGL:en
When in doubt, just grab a few of the middle words of one of these, wrap quotes around them, and stick them into Google. The top results will usually tell you exactly what is going on.
-SF
Last edited by JDiver; Oct 30, 2012 at 10:20 am Reason: ad quote box
#4
Join Date: Jan 2007
Location: Mostly AUS or rural England
Programs: BAEC redundant Bronze, AAdvantage Lifetime PLT, CO, WN, B6
Posts: 6,526
I got a similar message allegedly from Sun Country this morning. Mine had a zip file attached that I declined to open. Has anyone worked out what the sender gets from this?
Edited to add : thanks for the explanation SoulFlyer!
#5
Join Date: Jan 2007
Posts: 2
This should be reported to AA, but AA does not appear to publish the address of their suspected-phishing-site mailbox. Does anyone know what it is?
#6
Join Date: Sep 2005
Location: BRU
Programs: LH SEN, SN Gold, Eurostar Carte Blanche, BA, QF, AF
Posts: 6,856
#7
Join Date: Dec 2004
Location: London
Posts: 6,265
This email is not phishing, rather it is part of a ~3 week spammed malware run. Many different airlines have been used, as well as Fedex, Customs (You have a package waiting) and a few other guises.
Just delete the email and move on. AA don't want to see it - they already know about it.
#8
FlyerTalk Evangelist
Join Date: Mar 2004
Location: SJC
Programs: AA EXP, BA Silver, Hyatt Globalist, Hilton diamond, Marriott Platinum
Posts: 33,533
#9
FlyerTalk Evangelist
Join Date: Nov 1999
Programs: FB Silver going for Gold
Posts: 21,803
AA can do nothing. It's not phishing as it isn't diverting you to a site pretending to be AA. It's just a method being used to deliver some malware payload if you do click on the zip file. Could be keystroke logging, zombie, back orifice, virus or whatever.
#10
Join Date: Feb 2008
Programs: AA EXP
Posts: 3,049
These have been going out for some days now and have used the names of all the common airlines so AA is in no way a particular target.
#11
Join Date: Aug 2007
Location: Chicago
Programs: AA EXP
Posts: 172
Basically, treat anything that's not personally addressed to you as a virus or scam. When my bank e-mails me, they include the last four digits of my customer number. When AA e-mails me, they include my name. The lack of information like this is extremely suspicious, and I usually just delete the e-mail. If there's some important legal matter that needs my immediate attention, it's going to show up via certified post, not e-mail. So I'm not too worried about deleting something important.
I guess a scammer could include personal information, but I've never seen it happen convincingly. These people can't even use correct grammar. I do sometimes get e-mails like "Jon, increase the page rank of your website", but that's because my e-mail address is jon@my domain. If they guess my last name and are pretending to be someone I do business with, then they might convince me. But that has never happened
</off topic>
This is also suspect:
"We would like to remind you that whenever you order tickets on our website
you get a discount of 10%!"
I wish!
#12
Join Date: Sep 2005
Location: BOS
Programs: AA PLT
Posts: 472
Does this mean I didn't win 27 billion dollars from the Nicaraguan lottery? And what about the 33 million I was promised from some Nigerian prince??
#13
Join Date: Aug 2002
Location: YYZ/MGA
Programs: AA 1MM Lifetime Gold, AA Platinum, WS Gold, Marriott Bonvoy Gold
Posts: 7,607
I work for a very large company - when there is a phishing scam we take steps to take down the server hosting the phishing site, often in a few hours, even when they have been in Russia (common). Of course AA can do something about it.
It does not have to be a phishing attempt in that the URL is spoofed to look like ours - e-mail purporting to be from us with a link back to the payload is as easy to deal with as a server alleging to be us. There is a bogus server somewhere and they are pretty easy to find.
Do you just make up questions or do you have even a scintilla of actual experience or proof? I always wonder when "experts" answer from the hip.
#14
Join Date: Aug 2007
Programs: AAdvantage PLT, HHonors Silver, Pre✓®
Posts: 146
AA had a link to this information a few days ago on their home page. I cannot seem to find it now under their news section and double checked my email in case it was there too. Either way, AA knows about this issue and posted about it. I think it was 4 days ago I read it.
#15
Join Date: Dec 2004
Location: London
Posts: 6,265
A criminal gang (similar, probably one of the same ones who target your organisation) is currently sending out Trojans over email. They have been doing this in different guises for several weeks. Huge runs of these pieces of malware, and changing them every 12 hours or so.
Now, the purpose behind it is to get users to run the attachment, which installs rootkit technology to hide its processes and attempts to download other files.
I presume the real intent is to download other bots to create a Botnet for DDOS/Spam purposes.
So AA (if they were inclined) could investigate and get the download sites disabled. But that won't stop the constant spam runs of these trojans, or stop users from being harmed. The subject line of the spams changes often. Many different airlines have been targeted, so have Fedex, so have UPS, so has Customs, so have different other bait lines.
There is nothing AA can do about this threat. They already know about it.