
Fake AA E-mail Warning! Phishing, malware, fraud, bogus, spoof etc. (consolidated)

Old Jun 16, 13, 3:33 am   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: JDiver
MODERATOR NOTE Wikipost instructions: members can minimize or maximize Wikipost by clicking on [-] or [+] box upper right of post; moderators may update it.

AA warns of phishing attempts to secure personal information for fraudulent activity. Many look like an e-mail with an attached ticket the recipient has allegedly purchased.


DO NOT CLICK on any links, including to the attachment, and do not call any number or follow any instructions, within the e-mail.

● DO forward a copy of the email, including the header to [email protected] so that AA can investigate further.
1. Keep the original subject line in the forward, and include the full text body.

2. Include the complete e-mail header if possible -- e-mail programs often display abbreviated headers, but this link will show you how to see most full e-mail headers.
Link to aa.com page on phishing and fraud attempts

/American AAdvantage Forum Moderation Team

 
Old Aug 29, 08, 11:51 am
  #1  
Original Poster
 
Join Date: Oct 2003
Programs: MP, 1K 1MM
Posts: 1,255

R received this in his e-mail:

From: American Airlines [mailto:<redacted>]
Sent: Thursday, August 28, 2008 09:07
To: XXXXXXXXXX
Subject: Your Online Flight Ticket N 87865

Dear customers
Thank you for using our new service "Buy flight ticket Online" on our
website.
Your account has been created:

Your login: XXXXXXXXX
Your password: XXXXXXX

Your credit card has been charged for $610.01.
We would like to remind you that whenever you order tickets on our website
you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to
take off for the journey!

Kind regards,
American Airlines


R has no flights planned nor ticketed with AA. Clearly phishing.

Mod note: Please read Post #3 in this thread to quickly find out everything about your email.

Also this is useful information from Post #40
As it says on the Fraudulent Emails page on aa.com, "If you receive this type of email, you should not click on any links, open any attachments, call phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to [email protected] so that we can investigate further."

1. Keep the original subject line in the forward, and include the full text body.

2. Include the complete e-mail header -- Email programs often display abbreviated headers, but the link below will show you how to see the full e-mail header, at least with most e-mail programs:

http://www.haltabuse.org/help/headers/index.shtml

Last edited by JDiver; Jan 13, 12 at 9:03 am Reason: edit back in original thread / post title/ delete faked e-mail return
dcutcher is offline  
Old Aug 29, 08, 11:57 am
  #2  
FlyerTalk Evangelist
 
Join Date: Jun 2008
Location: Rural TN (but WAS native)
Programs: National Executive Elite, none of the others matter
Posts: 23,820
Originally Posted by dcutcher
R has no flights planned nor ticketed with AA. Clearly phishing.
Not phishing, but probably virus or malware - AA doesn't send mail from "<redacted>"

Last edited by JDiver; Aug 31, 08 at 7:45 am Reason: redacted faked e-mail return address
icurhere2 is offline  
Old Aug 29, 08, 12:20 pm
  #3  
 
Join Date: Jan 2007
Location: LAS
Programs: Aegean Miles & Bonus Gold, HHonors Gold, Starwood Gold
Posts: 296
Virus

This is the chunk I'd be worried about:

"Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to
take off for the journey!"
Clearly, that isn't even proper English. In reality, they are trying to get you to open the attachment, which contains at least one Trojan Horse.

I'd delete it, then purge it from the server.

Article on this particular Email:

http://www.savvywallet.com/2008/07/3...ticket-online/

Here is the Google ref on it:

http://www.google.com/search?q=%22Th...006-16,GGGL:en

When in doubt, just grab a few of the middle words of one of these, wrap quotes around them, and stick them into Google. The top results will usually tell you exactly what is going on.

-SF

Last edited by JDiver; Oct 30, 12 at 10:20 am Reason: ad quote box
SoulFlyer is offline  
Old Aug 29, 08, 12:22 pm
  #4  
 
Join Date: Jan 2007
Location: Mostly AUS or rural England
Programs: BAEC redundant Bronze, AAdvantage Lifetime PLT, CO, WN, B6
Posts: 6,526
I got a similar message allegedly from Sun Country this morning. Mine had a zip file attached that I declined to open. Has anyone worked out what the sender gets from this?

Edited to add : thanks for the explanation SoulFlyer!
bernardd is offline  
Old Aug 29, 08, 1:23 pm
  #5  
 
Join Date: Jan 2007
Posts: 2
This should be reported to AA, but AA does not appear to publish the address of their suspected-phishing-site mailbox. Does anyone know what it is?
dadew is offline  
Old Aug 29, 08, 1:25 pm
  #6  
 
Join Date: Sep 2005
Location: BRU
Programs: LH SEN, SN Gold, Eurostar Carte Blanche, BA, QF, AF
Posts: 6,856
Originally Posted by dadew
This should be reported to AA, but AA does not appear to publish the address of their suspected-phishing-site mailbox. Does anyone know what it is?
What does AA have to do with it? They can't stop this in any way.
SmilingBoy is offline  
Old Aug 29, 08, 1:27 pm
  #7  
 
Join Date: Dec 2004
Location: London
Posts: 6,245
This email is not phishing, rather it is part of a ~3 week spammed malware run. Many different airlines have been used, as well as Fedex, Customs (You have a package waiting) and a few other guises.

Just delete the email and move on. AA don't want to see it - they already know about it.
Aus_Mal is offline  
Old Aug 29, 08, 1:28 pm
  #8  
brp
FlyerTalk Evangelist
 
Join Date: Mar 2004
Location: SJC
Programs: AA EXP, BA Silver, AS 75K Gold MVP, and some hotel stuff...
Posts: 33,114
Originally Posted by SmilingBoy
What does AA have to do with it? They can't stop this in any way.
No, but companies usually like to know about these things so that they can alert their customers if the issues are widespread.

Cheers.
brp is offline  
Old Aug 29, 08, 1:31 pm
  #9  
FlyerTalk Evangelist
 
Join Date: Nov 1999
Programs: statusless these days
Posts: 20,682
AA can do nothing. It's not phishing as it isn't diverting you to a site pretending to be AA. It's just a method being used to deliver some malware payload if you do click on the zip file. Could be keystroke logging, zombie, Back Orifice, virus or whatever.
YVR Cockroach is offline  
Old Aug 29, 08, 1:53 pm
  #10  
 
Join Date: Feb 2008
Programs: AA EXP
Posts: 3,049
These have been going out for some days now and have used the names of all the common airlines so AA is in no way a particular target.
Mark_T is offline  
Old Aug 29, 08, 2:14 pm
  #11  
 
Join Date: Aug 2007
Location: Chicago
Programs: AA EXP
Posts: 172
Basically, treat anything that's not personally addressed to you as a virus or scam. When my bank e-mails me, they include the last four digits of my customer number. When AA e-mails me, they include my name. The lack of information like this is extremely suspicious, and I usually just delete the e-mail. If there's some important legal matter that needs my immediate attention, it's going to show up via certified post, not e-mail. So I'm not too worried about deleting something important.

I guess a scammer could include personal information, but I've never seen it happen convincingly. These people can't even use correct grammar. I do sometimes get e-mails like "Jon, increase the page rank of your website", but that's because my e-mail address is [email protected] domain. If they guess my last name and are pretending to be someone I do business with, then they might convince me. But that has never happened.

</off topic>

This is also suspect:

We would like to remind you that whenever you order tickets on our website
you get a discount of 10%!
I wish!
jrockway is offline  
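
The warning signs posters point to in this thread (a sender address that is not AA's, a generic "Dear customers" greeting, a zip attachment), checked in code. This is an added example, not part of any post: the sample message is constructed from the e-mail quoted in post #1, and the sender address, attachment name and the aa.com allow-list are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the e-mail quoted in post #1. The sender
# address, recipient and attachment name are invented placeholders.
SAMPLE = """\
From: American Airlines <tickets@mailer.example>
To: recipient@example.org
Subject: Your Online Flight Ticket N 87865
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear customers
Thank you for using our new service "Buy flight ticket Online" on our
website.
Attached to this message is the purchase Invoice and the airplane ticket.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="ticket.zip"

(placeholder bytes, not a real archive)
--b1--
"""

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com")
GENERIC = re.compile(r"^\s*dear\s+(customers?|sir|madam|user|client)\b", re.I | re.M)

def triage(raw, brand="American Airlines", brand_domains=("aa.com",)):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    on_brand = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    findings = []
    # Display name claims the brand, but the address is not on its domains
    # (brand_domains is an assumed allow-list, not AA's published sender list).
    if brand.lower() in name.lower() and not on_brand:
        findings.append("sender-domain-mismatch")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            findings.append("risky-attachment:" + fname)
        elif not fname and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if GENERIC.search(body):
                findings.append("generic-greeting")
    return findings
```

The From header is trivially forged, so a clean result here does not make a message genuine; the full Received chain that the wiki post asks you to forward is what lets an investigator trace the real origin.
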
Old Aug 29, 08, 3:31 pm
  #12  
 
Join Date: Sep 2005
Location: BOS
Programs: AA PLT
Posts: 472
Does this mean I didn't win 27 billion dollars from the Nicaraguan lottery? And what about the 33 million I was promised from some Nigerian prince??
Joka is offline  
Old Aug 29, 08, 5:26 pm
  #13  
 
Join Date: Aug 2002
Location: YYZ/MGA
Programs: AA 1MM Lifetime Gold, AA Platinum, WS Gold, Marriott Bonvoy Gold
Posts: 7,601
Originally Posted by SmilingBoy
What does AA have to do with it? They can't stop this in any way.
I work for a very large company - when there is a phishing scam we take steps to take down the server hosting the phishing site often in a few hours even when they have been in Russia (common). Of course AA can do something about it.

It does not have to be a phishing attempt in that the URL is spoofed to look like ours - e-mail purporting to be from us with a link back to the payload is as easy to deal with as a server alleging to be us. There is a bogus server somewhere and they are pretty easy to find.

Do you just make up questions or do you have even a scintilla of actual experience or proof? I always wonder when "experts" answer from the hip.
ricktoronto is offline  
Old Aug 29, 08, 7:52 pm
  #14  
 
Join Date: Aug 2007
Programs: AAdvantage PLT, HHonors Silver, Pre✓®
Posts: 146
AA had a link to this information a few days ago on their home page. I cannot seem to find it now under their news section and double checked my email in case it was there too. Either way, AA knows about this issue and posted about it. I think it was 4 days ago I read it.
joshuaw2 is offline  
Old Aug 29, 08, 10:07 pm
  #15  
 
Join Date: Dec 2004
Location: London
Posts: 6,245
Originally Posted by ricktoronto
I work for a very large company - when there is a phishing scam we take steps to take down the server hosting the phishing site often in a few hours even when they have been in Russia (common). Of course AA can do something about it.
Do you really think they can? Do you understand what the issue is here?

A criminal gang (similar, probably one of the same ones who target your organisation) is currently sending out Trojans over email. They have been doing this in different guises for several weeks. Huge runs of these pieces of malware, and changing them every 12 hours or so.

Now, the purpose behind it is to get users to run the attachment, which installs rootkit technology to hide its processes and attempts to download other files.

I presume the real intent is to download other bots to create a Botnet for DDOS/Spam purposes.

So AA (if they were inclined) could investigate and get the download sites disabled. But that won't stop the constant spam runs of these trojans, or stop users from being harmed. The subject line of the spams changes often. Many different airlines have been targeted, so have Fedex, so have UPS, so has Customs, so have different other bait lines.

There is nothing AA can do about this threat. They already know about it.
Aus_Mal is offline  
