Spammers take advantage of vacation mood this Holiday Season

December 19, 2013

We have reached the time of the year that is filled with festivity, celebrations, shopping and holidays. Because of this, and because it is the year end, December is commonly associated with people making travel plans to visit home or simply to take a break from work. Spammers are capitalizing on this and spreading spam under the guise of airline tickets, using emails that purport to come from airlines confirming an individual's itinerary.

Some of the common subjects we observed for this spam campaign include:

  • Order #(alphanumeric number) is processed
  • Download your ticket #(alphanumeric number)
  • Please download your ticket #(alphanumeric number)
  • Ticket is ready
  • Your order #(alphanumeric number) has been completed

The e-mails have nearly identical body content, as seen below:

Upon opening the attachments, in the majority of cases we observed a malicious executable carrying a Microsoft Word icon. The icon is chosen to fool the victim into believing the file is a ticket confirmation coming from the airline.
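The lure described above rests on two cosmetic signals, a plausible subject line and a document icon, while the attachment's real type is visible in its first bytes. The following Python script is an added example, not code from the original advisory or from Dell SonicWALL: it parses a raw message, matches the subject against the patterns listed above, and classifies each attachment by magic bytes rather than by name or icon, also looking inside ZIP containers. The sample messages, filenames and the byte strings standing in for attachments are constructed for the illustration and are not real malware.

```python
"""Mail triage for the airline-ticket lure (added example, not from the advisory)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines quoted in the advisory; "#(alphanumeric number)" is modelled
# as a run of letters and digits.
SUBJECT_PATTERNS = [
    re.compile(r"^order #[0-9a-z]+ is processed$", re.I),
    re.compile(r"^(please )?download your ticket #[0-9a-z]+$", re.I),
    re.compile(r"^ticket is ready$", re.I),
    re.compile(r"^your order #[0-9a-z]+ has been completed$", re.I),
]

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def subject_matches(subject: str) -> bool:
    """True when the subject follows one of the campaign's templates."""
    return any(p.search(subject.strip()) for p in SUBJECT_PATTERNS)


def classify_bytes(data: bytes) -> str:
    """Identify a file by its leading bytes; the icon and extension are ignored."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"
    return "other"


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment and, for ZIP containers, each member inside it."""
    kind = classify_bytes(data)
    nested = []
    if kind == "zip-container":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                nested.append((info.filename, classify_bytes(zf.read(info.filename)[:8])))
    contains_pe = kind == "pe-executable" or any(k == "pe-executable" for _, k in nested)
    return {"filename": name, "kind": kind, "nested": nested, "contains_pe": contains_pe}


def triage_message(raw: bytes) -> dict:
    """Combine the subject heuristic with attachment content to reach a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    attachments = [
        inspect_attachment(p.get_filename() or "", p.get_payload(decode=True) or b"")
        for p in msg.iter_attachments()
    ]
    lure = subject_matches(subject)
    pe = any(a["contains_pe"] for a in attachments)
    if pe and lure:
        verdict = "quarantine"   # campaign subject plus an executable payload
    elif pe or lure:
        verdict = "review"       # one signal only; hand to an analyst
    else:
        verdict = "pass"
    return {"subject": subject, "subject_match": lure, "attachments": attachments,
            "verdict": verdict}


def build_sample_message(attachment: str = "exe") -> bytes:
    """Constructed sample mail; addresses and payload bytes are made up."""
    msg = EmailMessage()
    msg["From"] = "tickets@airline.example"
    msg["To"] = "traveller@corp.example"
    msg["Subject"] = "Download your ticket #A1B2C3"
    msg.set_content("Your itinerary is attached. Thank you for flying with us.")
    # A few PE-looking header bytes stand in for the executable; this is not a program.
    fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20
    if attachment == "exe":
        msg.add_attachment(fake_exe, maintype="application", subtype="msword",
                           filename="Ticket_A1B2C3.doc.exe")
    elif attachment == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Ticket_A1B2C3.doc.exe", fake_exe)
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Ticket_A1B2C3.zip")
    else:  # a genuine-looking legacy Word document
        msg.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                           subtype="msword", filename="itinerary.doc")
    return bytes(msg)


if __name__ == "__main__":
    for kind in ("exe", "zip", "doc"):
        result = triage_message(build_sample_message(kind))
        print(kind, "->", result["verdict"], [a["kind"] for a in result["attachments"]])
```

The verdict deliberately keys on what the attachment is, not what it is called: the `.doc.exe` sample and the same bytes wrapped in a ZIP both end as `quarantine`, while a real OLE document under the same lure subject only reaches `review`. In a gateway the subject patterns would be one input among many; the content check is the part that survives a change of wording.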

We have observed a high number of these spam emails over the last few days; some figures are shown below:

We observed a number of different malware families, including Tepfer, Zortob, Kuluoz and Dofoil, as attachments in this spam campaign.

The following heat map shows the distribution of this attack:

We have observed a large number of hits over the last few days for this spam campaign, and it is still active, as seen below:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kuluoz.D(Trojan)
  • GAV: Kuluoz.D#email (Trojan)
  • GAV: Kuluoz.D#email_2 (Trojan)
  • GAV: Tepfer.ETD (Trojan)
  • GAV: Dofoil.R_10 (Trojan)
  • GAV: Dapato.D_2 (Trojan)
  • GAV: Kryptik.BQUP_2 (Trojan)
  • GAV: Zortob.B_66 (Trojan)