The spam contains details about the person’s flight, as well as a confirmation code and a bogus link to see “online reservation details”, Kaspersky researcher Dmitry Tarakanov wrote in a blog.
After clicking on the bogus link, victims are redirected eventually to a domain hosting the Blackhole exploit kit, which is becoming the dominant exploit kit in the cybercrime world. The computer is then infected with Blackhole by exploiting vulnerabilities in Java, Flash Player, or Adobe Reader.
“After successfully exploiting vulnerabilities, an executable file is downloaded from the same domains where the exploits are located. It can be downloaded under different names – about.exe, contacts.exe and others – and is essentially a downloader. When the downloader runs, it connects to its C&C at the URL ‘220.127.116.11/pony/gate.php’, and downloads and runs another malicious program – ZeuS/ZBot or, to be more precise, a modification of one of the development branches of that Trojan known as ‘GameOver’ – on the user’s system”, Tarakanov explained.
The good news is that most of the recipients were not flying on a US Airways flight the day they received the spam, so very few became victims. “Even though this is not the first time they’ve used a flight-related trick, it’s the first time this particular kind of spam has been detected. If the recipients belong to a target audience, they are much more likely to click on a malicious link in an email. However, the majority of users who received these emails were not flying anywhere that day, which is why very few fell for the scam”, he added.