The phishing email is sent from the spoofed address "American Airlines," the FBI noted, and features the AA logo and an HTML skin with a button to click. But it doesn’t look like official AA emails, lacking the formatting and professional look of the real thing.
The malware was first discovered by MX Lab in November, when it intercepted samples of fake order-confirmation emails whose links lead the user to a host with embedded JavaScript that downloads the malicious payload: a ZIP file with the innocuous name AA_Electronic_Ticket.zip. That extracts to AA_Electronic_Ticket.exe, which installs a trojan known as Spyware/Win32.Zbot, Win32/TrojanDownloader.Zortob.B or Trojan.Generic.KDV.783582.
The HTML also, bizarrely, contains three paragraphs of nonsensical text hidden from the user. A sample:
“Youl aske me why I rather choose to haue A weight of carrion flesh, then to receiue Three thousand DucatsIle not answer that But say it is my humor; Is it answered What if my house be troubled with a Rat, And I be pleasd to giue ten thousand Ducates To haue it baind What, are you answerd yet Some men there are loue not a gaping Pigge Some that are mad, if they behold a Cat And others, when the bag-pipe sings ith nose, Cannot containe their Vrine for affection. Masters of passion swayes it to the moode Of what it likes or loaths, now for your answer As there is no firme reason to be rendred Why he cannot abide a gaping Pigge…”
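The traits described above (a brand display name on an off-brand sender, a link to a third-party host offering a ZIP "e-ticket", and blocks of text hidden from the reader) are all things a mail filter can check for. The following is an added example, not code from the article or any vendor; the sample message is constructed to mirror the lure, and the legitimate domain list and the 40-character hidden-text threshold are assumptions.

```python
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed lure modelled on the campaign: brand display name, off-brand sender
# and link, a ZIP "e-ticket", and filler text the recipient never sees.
SAMPLE_EMAIL = """From: "American Airlines" <noreply@confirm-mail.invalid>
Content-Type: text/html; charset="utf-8"

<html><body><p>Thank you for your order.</p>
<a href="http://ticket-host.invalid/AA_Electronic_Ticket.zip">Download E-Ticket</a>
<div style="display:none">Youl aske me why I rather choose to haue A weight of carrion flesh</div>
</body></html>
"""
LEGIT_DOMAINS = {"aa.com"}  # assumption: the airline's genuine mail and web domain
def is_brand(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

class LureParser(HTMLParser):
    # Collects link targets and counts characters inside display:none elements.
    def __init__(self):
        super().__init__()
        self.links, self.hidden_chars, self._hidden = [], 0, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if "display:none" in (a.get("style") or "").replace(" ", "").lower():
            self._hidden.append(tag)  # remember which element hides its content
    def handle_endtag(self, tag):
        if self._hidden and self._hidden[-1] == tag: self._hidden.pop()
    def handle_data(self, data):
        if self._hidden: self.hidden_chars += len(data.strip())
def analyze_message(raw):
    # Return the indicators that fire on a raw RFC 822 message (empty list = none).
    msg = message_from_string(raw, policy=policy.default)
    name, addr = utils.parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if "american airlines" in name.lower() and not is_brand(domain):
        findings.append(f"brand display name but sender domain {domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        p = LureParser(); p.feed(body.get_content())
        for href in p.links:
            host = (urlparse(href).hostname or "").lower()
            if host and not is_brand(host):
                findings.append(f"link to off-brand host {host}")
            if href.lower().endswith(".zip"):
                findings.append("link offers an archive as a downloadable e-ticket")
        if p.hidden_chars > 40:  # assumption: enough invisible text to suggest filter padding
            findings.append(f"{p.hidden_chars} characters of hidden text")
    return findings
```

Running `analyze_message(SAMPLE_EMAIL)` returns all four indicators for the constructed lure and an empty list for a message sent from, and linking to, the brand's own domain.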
The attack has lingered on, sparking the FBI warning. The bottom line? If you haven't ordered a ticket from American Airlines, then don't click the link. And if you have, remember that there is no such thing as a downloadable e-ticket – any correspondence asking you to do so rather than view your information online should serve as a red flag.