dcutcher

R received this in his e-mail:

From: American Airlines [mailto:<redacted>]
Sent: Thursday, August 28, 2008 09:07
To: XXXXXXXXXX
Subject: Your Online Flight Ticket N 87865

Dear customers
Thank you for using our new service "Buy flight ticket Online" on our
website.
Your account has been created:

Your login: XXXXXXXXX
Your password: XXXXXXX

Your credit card has been charged for $610.01.
We would like to remind you that whenever you order tickets on our website
you get a discount of 10%!
Attached to this message is the purchase Invoice and the airplane ticket.
To use your ticket, simply print it on a color printed, and you are set to
take off for the journey!

Kind regards,
American Airlines


R has no flights planned nor ticketed with AA. Clearly phishing.

Mod note: Please read Post #3 in this thread to quickly find out everything about your email.

Also this is useful information from Post #40

Quote:

As it says on the Fraudulent Emails page on aa.com, "If you receive this type of email, you should not click on any links, open any attachments, call phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to [email protected] so that we can investigate further."

1. Keep the original subject line in the forward, and include the full text body.

2. Include the complete e-mail header -- Email programs often display abbreviated headers, but the link below will show you how to see the full e-mail header, at least with most e-mail programs:

http://www.haltabuse.org/help/headers/index.shtml

icurhere2

Not phishing, but probably virus or malware - AA doesn't send mail from "<redacted>"

SoulFlyer

This is the chunk I'd be worried about:

Clearly, that isn't even proper English. In reality, they are trying to get you to open the attachment, which contains at least one Trojan Horse.

I'd delete it, then purge it from the server.

Article on this particular Email:

http://www.savvywallet.com/2008/07/3...ticket-online/

Here is the Google ref on it:

http://www.google.com/search?q=%22Th...006-16,GGGL:en

When in doubt, just grab a few of the middle words of one of these, wrap quotes around them, and stick them in to Google. The top results will usually tell you exactly what is going on.

-SF

bernardd

I got a similar message allegedly from Sun Country this morning. Mine had a zip file attached that I declined to open. Has anyone worked out what the sender gets from this?

Edited to add : thanks for the explanation SoulFlyer!

dadew

This should be reported to AA, but AA does not appear to publish the address of their suspected-phishing-site mailbox. Does anyone know what it is?

SmilingBoy

What does AA have to do with it? They can't stop this in any way.

Aus_Mal

This email is not phishing, rather it is part of a ~3 week spammed malware run. Many different airlines have been used, as well as Fedex, Customs (You have a package waiting) and a few other guises.

Just delete the email and move on. AA don't want to see it - they already know about it.

brp

No, but companies usually like to know about these things so that they can alert their customers if the issues are widespread.

Cheers.

YVR Cockroach

AA can do nothing. It's not phishing as it isn't diverting you to a site pretending to be AA. It's just a method being used to deliver some malware payload if you do click on the zip file. Could be keystroke logging, zombie, back orifice, virus or whatever.

Mark_T

These have been going out for some days now and have used the names of all the common airlines so AA is in no way a particular target.

jrockway

Basically, treat anything that's not personally addressed to you as a virus or scam. When my bank e-mails me, they include the last four digits of my customer number. When AA e-mails me, they include my name. The lack of information like this is extremely suspicious, and I usually just delete the e-mail. If there's some important legal matter that needs my immediate attention, it's going to show up via certified post, not e-mail. So I'm not too worried about deleting something important.

I guess a scammer could include personal information, but I've never seen it happen convincingly. These people can't even use correct grammar. I do sometimes get e-mails like "Jon, increase the page rank of your website", but that's because my e-mail address is jon@my domain. If they guess my last name and are pretending to be someone I do business with, then they might convince me. But that has never happened

</off topic>

This is also suspect:

I wish!

Joka

Does this mean I didn't win 27 billion dollars from the Nicaraguan lottery? And what about the 33 million I was promised from some Nigerian prince??

ricktoronto

I work for a very large company - when there is a phishing scam we take steps to take down the server hosting the phishing site often in a few hours even when they have been in Russia (common) . Of course AA can do something about it.

It does not have to be a phishing attempt in that the URL is spoofed to look like ours - e-mail purporting to be from us with a link back to the payload is as easy to deal with as a server alleging to be us. There is a bogus server somewhere and they are pretty easy to find.

Do you just make up questions or do you have even a scintilla of actual experience or proof? I always wonder when "experts" answer from the hip.

joshuaw2

AA had a link to this information a few days ago on their home page. I cannot seem to find it now under their news section and double checked my email in case it was there too. Either way, AA knows about this issue and posted about it.. I think it was 4 days ago I read it.

Aus_Mal

Do you really think they can? Do you understand what the issue is here?

A criminal gang (similar, probably one of the same ones who target your organisation) is currently sending out Trojans over email. They have been doing this in different guises for several weeks. Huge runs of these pieces of malware, and changing them every 12 hours or so.

Now, the purpose behind it is to get users to run the attachment, which installs rootkit technology to hide it's processes and attempts to download other files.

I presume the real intent is to download other bots to create a Botnet for DDOS/Spam purposes.

So AA (if they were inclined) could investigate and get the download sites disabled. But that won't stop the constant spam runs of these trojans, or stop users from being harmed. The subject line of the spams changes often. Many different airlines have been targetted, so have Fedex, so have UPS, so has Customs, so has different other bait lines.

There is nothing AA can do about this threat. They already know about it.