Fake 'KLM e-Ticket' attempts to install backdoor

Fake airline e-ticket emails carrying malicious attachments are nothing new. However, the Websense® ThreatSeeker® Network has detected a large campaign purporting to come from KLM, the Dutch flag carrier. We estimate that we intercepted more than 850,000 messages from this campaign on Monday, September 17, alone.

Each malicious message, with the subject 'KLM e-Ticket', copies the layout of a legitimate KLM e-ticket but displays no itinerary information. Instead, recipients are urged to open the attachment to view the itinerary, and in doing so risk compromising their machines. The scam does not specifically target KLM customers, but anyone who has recently bought a ticket, or who fears that an unauthorized purchase has been made on their credit card, could fall for it. Websense customers are protected from this and other threats by ACE™, our Advanced Classification Engine.

We analyzed a sample set of messages and noted that each 'e-ticket' contained unique values in the passenger and receipt sections (presumably an attempt to evade signature-based detection), along with a malicious zipped attachment named 'KLM-e-Ticket_.zip'.

Two different malicious binaries have been extracted from the attachments in this campaign. Both are named 'KLM-e-Ticket.pdf.exe', and both give an attacker remote shell (command-line) access to the compromised machine over telnet on port 8000. Although the double extension is meant to trick users into believing the file is a PDF, neither binary uses an Adobe Reader or similar icon, which makes the disguise easier to spot.
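The lure relies on two things a mail gateway or analyst can check mechanically: a double extension ending in an executable type, and file content whose magic bytes do not match the claimed document type. The following Python script is an added example (not Websense code and not the campaign's actual attachment) that builds a constructed stand-in for the zip, with a fake 'KLM-e-Ticket.pdf.exe' that carries only an MZ header and no real code, and triages each member on both criteria. The extension lists and magic table are assumptions to tune for your environment.

```python
import io
import zipfile

# Assumption: final extensions that should never appear on a "document"
# attachment, and the document types the lure claims to be.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Magic bytes for the formats we expect to see in an e-ticket attachment.
MAGIC = {
    b"%PDF": "pdf",  # PDF header
    b"MZ": "pe",     # DOS/PE executable header
}


def sniff_type(data: bytes) -> str:
    """Classify file content by its leading magic bytes."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_member(name: str, data: bytes) -> list[str]:
    """Return the findings for one archive member (empty list means clean)."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    exts = ["." + p for p in parts[1:]]  # every extension after the base name
    final_ext = exts[-1] if exts else ""

    if final_ext in EXEC_EXTENSIONS:
        findings.append(f"executable extension {final_ext}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and final_ext in EXEC_EXTENSIONS:
        findings.append(f"double extension {exts[-2]}{final_ext} disguises an executable as a document")

    kind = sniff_type(data)
    if kind == "pe" and final_ext not in EXEC_EXTENSIONS:
        findings.append("PE header (MZ) in a file not named as an executable")
    if final_ext == ".pdf" and kind != "pdf":
        findings.append("named .pdf but content is not a PDF")
    return findings


def triage_zip(blob: bytes) -> dict[str, list[str]]:
    """Triage every file inside a zip attachment held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            header = zf.read(info.filename)[:16]  # only the header is needed
            results[info.filename] = triage_member(info.filename, header)
    return results


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's zip; contains no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake executable: MZ signature plus padding, mimicking the lure's filename.
        zf.writestr("KLM-e-Ticket.pdf.exe", b"MZ" + b"\x00" * 62)
        # Benign PDF included for contrast.
        zf.writestr("itinerary.pdf", b"%PDF-1.4\n%constructed benign sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_zip(build_sample_attachment()).items():
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {member}")
        for finding in findings:
            print(f"           - {finding}")
```

Checking the magic bytes as well as the name matters: a sample renamed to plain 'KLM-e-Ticket.pdf' would pass an extension-only filter but still trips the MZ check.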

It is worth noting that, judging by the filenames submitted with them, the same binaries have been used in recent 'Microsoft Services Agreement' and 'Telstra Online Account' campaigns.

Websense ThreatScope™, our online sandbox, also flags the files' behavior as suspicious.
