Malware delivered with fake hotel reservations

We wrote last week about Malware delivered with fake Craigslist fax-to-email notifications.This week’s malware delivery mechanism is a fake email notification from the well-known online hotel reservations portal booking.com.

 

The malware is delivered when you click on “Print Booking Details” via an archive which should contain the form with the reservation details. In order to fool the user to open and execute the binary file, the email contains the following text:

However in order to guarantee its keeping, you have to refresh the credit card date during 36 hours after this message receiving.

In order to create a feeling of emergency, the email also contains a warning of what would happen if the user doesn’t “print” the booking receipt:

If you do not update your credit card date, a penalty for reservation cancellation or prepayment of  126$, which is provided under the terms of booking will be imposed.

You, as a reader of this security blog, know that you should never, ever open attachments of emails, especially,  from emails that you never requested. And, if the attachment is a ZIP file and if in that file you see an executable (.exe, .pif, .scr, .com) or a known file associated with an executable (e.g.: .swf, .pdf, .jar) then you should immediately delete the email.

In this case, the executable is a Trojan detected by all Avira products as TR/Agent.23552.280.  This program downloads additional malware from various URLs and transforms you computer in a bot.

At the moment of writing this article the malicious payload is detected only by a couple of AV products (according to VirusTotal). I assume that the detection will be slowly rolled out by all products. In the meanwhile, stay safe and keep you Avira product up to date.

 

Sorin Mustaca

IT Security Expert