Fake 'KLM e-Ticket' emails contain malicious attachments

A new spam mail campaign purporting to originate from KLM, the Dutch flagship airline, leads to malware infection. Websense intercepted more than 850,000 messages from this campaign on Monday, September 17, alone.

The mail looks believable because it uses a legitimate KLM e-ticket layout, but itinerary information is not displayed. Users are asked to view the itinerary in an attachment.

Websense researchers have analyzed two malicious binaries extracted from two different attachments used in this campaign. Both binaries are named 'KLM-e-Ticket.pdf.exe', and both allow remote shell (command line) access to the compromised machine via telnet to port 8000.

Both binaries have a double extension (.pdf.exe) and use the Adobe Reader icon to trick users into believing that the file is a PDF.
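A mail gateway or triage script can catch the double-extension disguise described above by inspecting attachment filenames. The following is an added example, not code from Websense or the original post; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension lists for illustration; adjust to local policy.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def is_double_extension(filename):
    """True when a document-style extension is directly followed by an executable one."""
    name = filename.strip().rstrip(". ").lower()
    # Strip padding around each extension ("ticket.pdf   .exe").
    exts = ["." + part.strip() for part in name.split(".")[1:]]
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DECOY_EXTS


def flag_attachments(raw_message):
    """Return the attachment filenames in a raw RFC 5322 message that look disguised."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and is_double_extension(filename):
            flagged.append(filename)
    return flagged


def build_sample():
    """Constructed test message: one benign PDF name, one name from the campaign."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample e-ticket"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Please view your itinerary in the attachment.")
    for name in ("itinerary.pdf", "KLM-e-Ticket.pdf.exe"):
        # Placeholder bytes only; no real file content is embedded.
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

A filename match is only a first-pass signal; checking the attachment's actual file type confirms whether the content is an executable.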

According to the researchers, the same binaries have been used in recent 'Microsoft Services Agreement' and 'Telstra Online Account' campaigns based on submitted file names.

"Although this scam does not specifically target KLM customers, those who have made recent ticket purchases as well as recipients who may fear that an unauthorized credit card purchase has been made could fall victim," a researcher said.