US Airways Spam Redirects to Blackhole, Zeus Infection

Cybercriminals are targeting US Airways customers with malicious spam emails containing a link that, once clicked, initiates a series of redirects, eventually leading users to a domain hosting the Blackhole exploit kit.

The fraudulent email presents itself as a check-in notification from US Airways. After a brief description of check-in procedures, there is a hyperlink that claims to lead to ‘online reservation details,’ but actually ends up taking victims to a page that infects them with the Zeus trojan.

According to Securelist’s Dmitry Tarakanov, the cybercriminals responsible are hopeful that someone receiving this email is flying somewhere sometime soon. However, most of the users targeted were not flying anywhere on the day in question, and, therefore, did not click the link.

This attack campaign is incredibly dynamic. Tarakanov explains that each object (the domains, the links to JavaScript, the files with exploits, the downloader and the Zeus trojan itself) was frequently changed. The domains were alive for almost 12 hours, while the Zeus samples were replaced more often than that. Tarakanov detected six modifications of the downloader and three modifications of Zeus while observing downloads for a few hours across several days.

Such highly targeted attacks are increasingly commonplace. As non-technical users wise up to the realities of Internet security, attackers and social engineers must find new ways to establish trust with their victims. Mac users caught a rare glimpse of what targeted attacks look like late last month after a trojan targeting Tibetan non-governmental organizations surfaced.

Discussion

  • Anonymous on

    We have received 3 of these in the last 3 days, and so have several other families in our small town of 300.

  • Anonymous on

    Just got 2 separate emails. Pissed they know my email address.