Spammers take advantage of vacation mood this Holiday Season (December 19, 2013)


We have reached the time of year that is filled with festivities, celebrations, shopping and holidays. Because of this, and because it is the end of the year, December is commonly associated with people making travel plans to visit home or simply to take a break from work. Spammers are capitalizing on this by spreading spam disguised as airline ticket confirmations, using e-mails that claim to come from an airline confirming the recipient's itinerary.

Some of the common subjects we observed for this spam campaign include:

  • Order #(alphanumeric number) is processed
  • Download your ticket #(alphanumeric number)
  • Please download your ticket #(alphanumeric number)
  • Ticket is ready
  • Your order #(alphanumeric number) has been completed

The e-mails have nearly identical body content, as seen in the sample below:

Upon opening the attachments, we observed in the majority of cases a malicious executable carrying a Microsoft Word icon. The icon is chosen to fool the victim into believing the file is a document from the airline confirming the ticket. Note that Windows Explorer hides known file extensions by default, so an executable given a document-style name (a hypothetical Ticket.doc.exe, for instance) is displayed as Ticket.doc next to the Word icon the executable embeds.
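To show how the indicators described above (the observed subject lines and the executable-with-document-icon attachment) can be checked mechanically, here is an added example; it is not code from the original post or from SonicWall. It parses a raw e-mail, matches the subject against the subject lines listed above, and flags attachments that are Windows executables disguised as documents by checking the file name, the declared content type and the PE header. The extension lists, the content-type list, the verdict scheme and the sample message are this example's own assumptions; only the subject patterns come from the post.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines listed in the post; "#..." is the alphanumeric order/ticket number.
SUBJECT_PATTERNS = [
    re.compile(r"^Order #[A-Za-z0-9]+ is processed$", re.I),
    re.compile(r"^(Please )?download your ticket #[A-Za-z0-9]+$", re.I),
    re.compile(r"^Ticket is ready$", re.I),
    re.compile(r"^Your order #[A-Za-z0-9]+ has been completed$", re.I),
]

# These lists are assumptions made for this example, not taken from the post.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".txt"}
DOC_CONTENT_TYPES = {
    "application/msword",
    "application/pdf",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}


def subject_matches(subject):
    """True if the subject matches one of the campaign's observed subject lines."""
    return any(p.match(subject.strip()) for p in SUBJECT_PATTERNS)


def is_pe(data):
    """True if data is a Windows PE image: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_attachment(name, content_type, data):
    """Return the reasons an attachment looks like a disguised executable (empty list if none)."""
    findings = []
    exts = re.findall(r"\.[a-z0-9]+", name.lower())
    if exts and exts[-1] in EXEC_EXTENSIONS:
        findings.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DOC_EXTENSIONS:
        # Explorer hides the final extension by default, so "x.doc.exe" is shown as "x.doc".
        findings.append("document extension " + exts[-2] + " used to hide " + exts[-1])
    if is_pe(data):
        findings.append("payload is a PE executable")
        if content_type in DOC_CONTENT_TYPES:
            findings.append("declared content type " + content_type + " does not match PE payload")
    return findings


def triage(raw):
    """Parse a raw RFC 822 message; report subject match, per-attachment findings and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"subject_match": subject_matches(str(msg["subject"] or "")), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report["attachments"][name] = triage_attachment(
            name, part.get_content_type(), part.get_payload(decode=True) or b"")
    if any(report["attachments"].values()):
        report["verdict"] = "malicious"    # disguised executable, whatever the subject says
    elif report["subject_match"]:
        report["verdict"] = "suspicious"   # lure subject but no flagged attachment
    else:
        report["verdict"] = "clean"
    return report


def build_sample():
    """Constructed sample modelled on the campaign; not a real captured message."""
    msg = EmailMessage()
    msg["From"] = "tickets@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Download your ticket #A7K39Q"
    msg.set_content("Your itinerary is attached. Please download your ticket.")
    # Minimal PE-shaped blob: MZ header, e_lfanew = 0x40, PE signature at 0x40. Not executable code.
    fake_pe = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 16
    msg.add_attachment(fake_pe, maintype="application", subtype="msword", filename="Ticket.doc.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    report = triage(build_sample())
    for name, findings in report["attachments"].items():
        print(name, findings)
    print(report["verdict"])
```

The PE check reads the file header rather than trusting the name, so it still fires on an attachment renamed to end in .doc, while a genuine PDF produces no findings. The double-extension check matters because the name the victim sees in Explorer is the one with the final extension stripped, carrying whatever icon the executable embeds.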

We have observed a high number of these spam e-mails over the last few days; some of the counts are shown below:

The attachments in this spam campaign carried a number of different malware families, including Tepfer, Zortob, Kuluoz and Dofoil.

The following heat map shows the geographic distribution of this attack:

We have observed a large number of hits over the last few days for this spam campaign, and it is still active, as seen below:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Kuluoz.D (Trojan)
  • GAV: Kuluoz.D#email (Trojan)
  • GAV: Kuluoz.D#email_2 (Trojan)
  • GAV: Tepfer.ETD (Trojan)
  • GAV: Dofoil.R_10 (Trojan)
  • GAV: Dapato.D_2 (Trojan)
  • GAV: Kryptik.BQUP_2 (Trojan)
  • GAV: Zortob.B_66 (Trojan)