The Register® — Biting the hand that feeds IT

Comments on: Booby-trapped emails fly back into fashion

Not all that new 

Posted Thursday 4th December 2008 17:06 GMT

Paris Hilton

I've been getting these since around August or September this year, mostly masquerading as either American Airlines or Northwestern.

old news 

Posted Thursday 4th December 2008 17:12 GMT

I started getting these around 6 months ago, with various different email subjects being tried since then, all with an attached zip file of around 40-80k.

Morons 

Posted Thursday 4th December 2008 18:21 GMT

Stop

Who falls for this? Really? This is nothing to do with technological know-how, this is receiving airline tickets you didn't order and believing it. Doesn't anyone who's been using the internet for more than 10 minutes know you shouldn't open attachments from a source you don't know or trust?

Took someone a long time 

Posted Thursday 4th December 2008 19:57 GMT

Thumb Down

It's taken someone a long time to spot these messages, which I have been clearing out of my inbox since the end of Summer! First one, I thought was genuine and sent back asking for it in a non-Windows-specific format (there was an .exe file inside the .zip container). When some more started appearing, I realised what they were.

"contaminated" .zip file?? 

Posted Thursday 4th December 2008 20:38 GMT

Stop

WTF? The zip file is simply a benign container for a trojan executable. And who on earth with more than two brain cells to rub together is then going to execute the extracted program just received in spam?? To me, this is the biggest mystery about the whole Windows "malware epidemic"...

Only an idiot would fall for these 

Posted Thursday 4th December 2008 21:15 GMT

Boffin

Neither US Airways, nor American Airlines nor Northwestern would spell the word "color" using the British "colour".

Please be more accurate with your terminology. 

Posted Thursday 4th December 2008 22:43 GMT

Dead Vulture

Unless of course you're deliberately spreading FUD for the hell of it:

>"The mendacious "ticket receipt" messages have a .zip file attached to them which, if opened on an unprotected Windows PC, results in infection by a Trojan horse!"

Now, is that /actually/ true, or is it bullshit? Is it actually a corrupt zip file that exploits an overflow in the decoder and immediately executes code, or have you merely seriously misdescribed the situation and what you really meant to say was:

>"The mendacious "ticket receipt" messages have a .zip file attached to them which, if opened WILL REVEAL A FILE WHICH IF EXTRACTED FROM THE ARCHIVE AND THEN EXECUTED on an unprotected Windows PC, results in infection by a Trojan horse!"

Please do clarify. And don't try blaming it on the subbie, we know you don't employ any!
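The distinction drawn in the two posts above (a zip that merely contains a trojan executable versus a malformed archive that would have to exploit the decoder itself) is exactly what a mail gateway or helpdesk script can check without ever extracting or running anything. The following is an added example and is not code from The Register or any commenter; it uses only Python's standard `zipfile` module, and the three sample archives it inspects are constructed in memory with placeholder contents, not real samples.

```python
import io
import zipfile

# Extensions Windows will run directly when double-clicked (assumed list for this example)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def inspect_attachment(data: bytes) -> dict:
    """Describe a zip attachment without writing any member to disk.

    Returns a dict with:
      well_formed  - False if the archive fails zipfile's structural/CRC checks
      members      - every file name recorded in the central directory
      executables  - members whose final extension is directly runnable on Windows
      double_ext   - executables disguised with an extra, innocuous extension (ticket.pdf.exe)
    """
    report = {"well_formed": True, "members": [], "executables": [], "double_ext": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            report["members"] = zf.namelist()
            # testzip() reads each member and returns the first name whose header/CRC is bad
            if zf.testzip() is not None:
                report["well_formed"] = False
    except zipfile.BadZipFile:
        # No usable central directory at all: the "corrupt container" case
        report["well_formed"] = False
        return report

    for name in report["members"]:
        lowered = name.lower()
        if lowered.endswith(EXECUTABLE_SUFFIXES):
            report["executables"].append(name)
            stem = lowered.rsplit(".", 1)[0]
            if "." in stem:  # a second extension before the real one is the classic disguise
                report["double_ext"].append(name)
    return report


def build_sample(files: dict) -> bytes:
    """Construct an in-memory zip for demonstration; contents are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples modelled on the thread's descriptions
LURE = build_sample({"Ticket_Receipt.pdf.exe": b"MZ placeholder, not a real program",
                     "readme.txt": b"Your e-ticket is attached."})
BENIGN = build_sample({"eticket.pdf": b"%PDF-1.4 placeholder"})
CORRUPT = b"PK\x03\x04 this is not a complete archive"

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN), ("corrupt", CORRUPT)):
        print(label, inspect_attachment(blob))
```

Running it prints a report per archive: the lure is structurally valid but carries a double-extension executable, the benign archive carries none, and the truncated blob is rejected as not a zip at all. The point for a defender is that the first two cases are indistinguishable to a user who only sees "a .zip from an airline", while the listing alone, read from the central directory, separates them before any extraction happens.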

Alaskan Airlines too 

Posted Friday 5th December 2008 03:41 GMT

Joke

But I gave the emails the 'cold shoulder' and 'iced' the attachments.

yawn 

Posted Friday 5th December 2008 06:21 GMT

Boffin

Come on.

If anyone gets infected by this, they shouldn't be allowed on the intartubes.

Seriously, want to drop 90% of traffic? If your ISP detects malware coming out of your IP address, your user ID should be cut off until your machine is cleaned.

And to open attachments of ANY kind is just dumb. EMAIL IS NOT A FILE TRANSFER PROTOCOL PEOPLE!!!!! FTP IS!!!!!

A new strain 

Posted Friday 5th December 2008 08:48 GMT

Alert

Yes, there was a malware attack spammed out in the summer which was similar in its use of the airline ticket disguise (I refer to it in my blog entry on the Sophos website at http://www.sophos.com/blogs/gc/g/2008/12/04/email-malware-flying-high/), but this is a new campaign which has some new characteristics - and is spreading different malware.

Why are they using such a similar cloak of disguise? Well, a simple reason - it worked before, so they're banking that it will work again. :(

This isn't about believing that you've been sent air tickets you never ordered, but believing that either an airline has screwed up or (most likely) that someone else has used your credit card to make a purchase. Naturally people get so affronted that they open the attached file without thinking of the possible security consequences.

Clueless but not stupid 

Posted Friday 5th December 2008 09:53 GMT

Other commenters obviously have no idea of the computer ignorance of users. Often a user doesn't know the difference between an application and "the computer" and doesn't know the difference between whatever their homepage has been set to (MSN, Yahoo etc) and "the internet".

It is hard not to patronise, but the ones I know are not in the least stupid. You have to face the fact that lots of people find it really hard to cope with anything technical. You can explain it to them but the information just doesn't "stick". Given enough time and training, eventually some of this group will acquire enough of a concept of how computers work to be able to slot in new information and retain it. But it's hard work!

Made a funny 

Posted Friday 5th December 2008 11:00 GMT

Nice juxtaposition of Swan's and Stile's posts above.

I guess a clever spammer could try to raid the mailing lists of the airlines and only target known users.

and the problem is? 

Posted Friday 5th December 2008 11:18 GMT

Pirate

Unprotected machines --- I'm using Avast and that picks up things like dodgy zip files with no problem.

If people can't even be arsed to run free software then maybe they sort of deserve it (slight caveat here as there are plenty of people who get new machines and believe that they are protected for life and not as long as the free bloatware subscription lasts).

@Kenny Swan - It's Likely ... 

Posted Friday 5th December 2008 14:42 GMT

that some recipients will have recently booked flights which goes some way to excusing them opening the zip (but not then running an executable!).

Invo-Zip? 

Posted Friday 5th December 2008 16:02 GMT

Stop

That name is too close to InfoZIP.

Some of those emails get through... 

Posted Friday 5th December 2008 18:12 GMT

...get through Symantec protection, that is, usually if they are in a zip (I'm continuing to use Symantec until my subscription runs out). But several copies of MyDoom have been detected in emails this week - attached to messages claiming that my email 'could not be delivered'.

The airline receipts and fake contracts have been arriving here for some months, same as others report. And there have been some fake statements of account.
