- Jan 24, 2011
Security researchers warn about fake emails purporting to come from the Miles & More frequent flyer programme and leading users to a Zbot drive-by download website.
The rogue emails bear a subject of "ITINENERARY RECEIPT" and have their header spoofed to appear as originating from a memberservices@miles-and-more.com address.
The message uses an old social engineering trick to grab recipients' attention by suggesting their credit cards were charged without their knowledge.
"Thanks for the purchase! Booking number: LVSN50. Your credit card has been charged for $493.67. Please print PASSENGER ITINERARY RECEIPT by logging into your Miles account by clicking the link below," the emails read.
According to researchers from BitDefender who analyzed the attack, the link leads to a page on a religious website that was most likely compromised.
The page contains hidden iframes loading the Neosploit exploit pack from a third-party server. The toolkit performs several checks to determine the version of popular applications installed on the visitor's computer and serves the appropriate exploit.
If successful, the exploit will silently download and execute a generic trojan downloader, which will then install a variant of the notorious Zbot information-stealing trojan, also known as ZeuS.
Zbot is commonly used by fraudsters to steal online banking credentials, as well as other sensitive financial information, from both consumers and companies.
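For site owners who want to check their own pages for the kind of hidden third-party iframe described above, here is an added example that is not part of the original article or of BitDefender's analysis. The hostnames and sample markup are constructed, and the hiding heuristics (tiny dimensions, the hidden attribute, inline styles) are assumptions about what "hidden" means here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks that keep an iframe out of the visitor's sight (assumed heuristics).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0*[01](?:px)?\s*(?:;|$)|"
    r"(?:left|top)\s*:\s*-\d{3,}", re.I)

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        try:
            host = (urlparse(a.get("src", "")).hostname or "").lower()
        except ValueError:          # malformed URL: treat as having no host
            host = ""
        # Relative URLs have no host; subdomains of the page host count as same-site.
        third_party = bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)
        dims = {a.get("width", "").strip(), a.get("height", "").strip()}
        hidden = (bool(dims & {"0", "1"}) or "hidden" in a
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if third_party and hidden:
            self.findings.append(host)

def find_hidden_third_party_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: two legitimate frames, one hidden same-site frame,
# and two hidden frames pointing at other hosts.
SAMPLE = """<html><body>
<iframe src="/widgets/calendar.html" width="300" height="200"></iframe>
<iframe src="https://video.example.org/embed/1" width="560" height="315"></iframe>
<iframe src="http://cdn.example.net/in.php" width="1" height="1" frameborder="0"></iframe>
<div><iframe src="//stats.example.com/x" style="visibility: hidden"></iframe></div>
<iframe src="https://media.parish.example/player" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_third_party_iframes(SAMPLE, "parish.example"))
```

Frames injected at runtime by script do not appear in static markup, so a clean result from this check does not rule out a compromise.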