Pass along a news tip by clicking HERE.

Thursday, July 31, 2008

Dubious Delta Air Lines Ticket Invoices Appear: From Russia With Malice, They Steal Computer Data

CINCINNATI (TDB) -- A researcher at McAfee Inc. reports that e-mails seeming to be electronic ticket invoices from Delta Air Lines and other major carriers are fakes. This should send shivers through SW Ohio and metro Cincinnati, which is home to a major Delta hub. The bogus invoices are infected with computer malware that is capable of filching data including keystrokes. The info is reportedly transmitted to Russia. The job site was targeted a year ago when personal information from 1.6 million entries reportedly was taken.

McAfee, which develops and sells computer protection programs, issued its warning last week, "Unsurprisingly those behind the recent attacks continued today with new spam campaigns involving airline ticket invoices." Computer World says Delta and Northwest -- the airline it is moving to merge with -- are advising customers to immediately delete any suspicious messages. Computer World's Greg Keizer reported two days ago:

"The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" sercie on the airline's site, provide a long-in username and password, and say the person's credit card has been charged an amount in the $400 range. An attachment claims to be the invoice for the credit card charge.

"However, the .zip file format attachment is a Trojan hourse that steals information, including keystrokes from the infected Windows PC . . . McAfee has pegged the malware as ',' but other security firms have given it different names. For example, Symantec Corp. has labeled the same Trojan horse and "Infostealer.Monstres."

Last August, the malware attacked the job-search site. Symantec said "personal information" from hundreds of thousands of people was taken:

"Yesterday, we analyzed a sample of a new Trojan, called Infostealer.Monstres, which was attempting to access the online recruitment Web site, It was also uploading data to a remote server. When we accessed this remote server, we found over 1.6 million entries with personal information belonging to several hundred thousand people. We were very surprised that this low profile Trojan could have attacked so many people, so we decided to investigate how the data could have been obtained.

"Interestingly, only connections to the and subdomains were being made. These subdomains belong to the “Monster for employers” only site, the section used by recruiters and human resources personnel to search for potential candidates, post jobs to Monster, et cetera. This site requires recruiters to log in to view information on candidates.

"Upon further investigation, the Trojan appears to be using the (probably stolen) credentials of a number of recruiters to login to the Web site and perform searches for resumes of candidates located in certain countries or working in certain fields. The Trojan sends HTTP commands to the Web site to navigate to the Managed Folders section. It then parses the output from a pop-up window containing the profiles of the candidates that match this recruiter’s saved searches."

No comments:

Post a Comment