September 21, 2012

Fake 'KLM e-Ticket' attempts to install backdoor

Carl Leonard Principal Security Analyst

Fake airline e-ticket emails containing malicious attachments are far from new. However, the Websense® ThreatSeeker® Network has detected a significant campaign purporting to originate from KLM, the Dutch flagship airline. We estimate we intercepted more than 850,000 messages from this campaign on Monday, September 17, alone.

Each malicious message, with a subject 'KLM e-Ticket', appears to use a legitimate KLM e-ticket layout, but itinerary information is not displayed. Instead, users are enticed to view the itinerary in an attachment and subsequently risk compromising their machines. Although this scam does not specifically target KLM customers, those who have made recent ticket purchases as well as recipients who may fear that an unauthorized credit card purchase has been made could fall victim. Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

We analyzed a sample set of messages, and noted that each 'e-ticket' contained unique values in the passenger and receipt sections (presumably an attempt to avoid detection), along with a malicious zipped attachment named 'KLM-e-Ticket_<NumericalValue>.zip'.

Two different malicious binaries have been extracted from the attachments in this campaign. Both binaries are named 'KLM-e-Ticket.pdf.exe', and both give the attacker remote shell (command line) access to the compromised machine via telnet on port 8000. Although both binaries rely on the double extension to trick users into believing the file is a PDF, neither uses an Adobe Reader or similar icon!
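As an added example (not code from the original post), the following Python routine triages a message against the indicators given above: the 'KLM e-Ticket' subject, the 'KLM-e-Ticket_<NumericalValue>.zip' attachment name, and an archive member carrying a document-then-executable double extension such as '.pdf.exe'. The sample archive it builds is constructed for the demonstration and holds only an inert placeholder, not a real binary.

```python
import io
import re
import zipfile

# Indicators taken from the campaign described above
SUBJECT = "KLM e-Ticket"
ATTACHMENT_RE = re.compile(r"^KLM-e-Ticket_\d+\.zip$", re.IGNORECASE)
# A document extension immediately followed by an executable extension,
# e.g. KLM-e-Ticket.pdf.exe
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|txt|jpg)\.(exe|scr|com|pif|bat)$",
                           re.IGNORECASE)
EXEC_EXT_RE = re.compile(r"\.(exe|scr|com|pif|bat)$", re.IGNORECASE)


def suspicious_entries(zip_bytes):
    """Return names of archive members that are executables (disguised or not)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if DOUBLE_EXT_RE.search(name) or EXEC_EXT_RE.search(name):
                hits.append(name)
    return hits


def triage(subject, attachment_name, attachment_bytes):
    """Score one message; returns (verdict, reasons)."""
    reasons = []
    if subject.strip().lower() == SUBJECT.lower():
        reasons.append("subject matches campaign lure")
    if ATTACHMENT_RE.match(attachment_name):
        reasons.append("attachment name matches KLM-e-Ticket_<n>.zip pattern")
    try:
        bad = suspicious_entries(attachment_bytes)
    except zipfile.BadZipFile:
        bad = []
        reasons.append("attachment claims .zip but is not a valid archive")
    for name in bad:
        reasons.append(f"archive contains executable {name}")
    # An executable inside the archive is enough on its own; otherwise
    # require two independent lure indicators before quarantining.
    verdict = "quarantine" if bad or len(reasons) >= 2 else "allow"
    return verdict, reasons


def build_sample_zip(member_name):
    """Constructed sample: a zip holding an inert placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real binary")
    return buf.getvalue()
```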

It is worth noting that the same binaries have been used in the recent 'Microsoft Services Agreement' and 'Telstra Online Account' campaigns, judging by the filenames under which the samples were submitted.

Websense ThreatScope™, our online sandbox, also flags the files' behavior as suspicious: http://aceinsight.websense.com/fileanalysisreport.aspx?rid=91198D21288F4CE384D7D80D983A1E86
