Fake Delta Airline Receipts Spread Financial Malware

Spam emails posing as Delta Air payment confirmation emails are spreading financial and banking malware to computers.

According to Heimdal Security firm, a new campaign trying to get access to your financial information was noticed in the wild.

Users are receiving spam emails posing as payment confirmations from Delta Air. As the researchers point out, this is the perfect timing for such a campaign since many people purchase flight tickets this time of year because of the discount rates for the summer trips they plan on taking.

The phishing email is specifically constructed to make you curious. There is no information about the flight included, which is something that such emails normally contain, but there is a link that you are urged to follow. On the other hand, if you pay attention to the email you’ve received, you’ll notice that the email address is wrong, as it comes from @deltaa, instead of @delta.com. Similarly, if you’re a frequent Delta flyer, you’ll know the legitimate emails from the airline look a bit different.

A bridge towards more malware

The whole logic behind this campaign is to make you think that someone has stolen your identity and made a purchase in your name. After all, why else would you be getting a receipt in your Inbox? Panicking will make you follow all the links in the email so you can discover what has happened and just how much this potential issue may cost you.

The links, of course, will direct the victims to compromised websites, hosting Word documents infected with the Hancitor malware. This is a versatile malware, often used in phishing attacks. Once it infects your computer, it acts like a bridge used by criminals to further download malware.

“If you download the malicious Word document and open it, then Hancitor will activate and infect legitimate system processes in your PC using a PowerShell code. Afterward, your PC will connect to one or more malicious Command and Control (C&C) servers,” Heimdal researchers write.

Read more…