
8/02/2011

[Warning] Malicious e-mails related to hotel reservations are spreading

1. Introduction

Malicious e-mails claiming a hotel reservation error have been found recently.
General users, especially those who have booked a hotel, need to be careful not to be infected by the malicious file attached to these e-mails.
One feature of these e-mails is that they use the names of famous hotels illegally.



2. Spreading path and symptoms of infection

As with common spam, this malicious e-mail can reach users whose e-mail account information has been leaked, and its attached malicious file can also be downloaded by clicking a link on an SNS or instant messenger.

The recently found malicious e-mails about hotel reservation errors come in various types and keep appearing with changed content.

The following figure shows a hotel reservation error e-mail.



* Similar malicious e-mails





* Mail body


Subject : Hotel The Westin Oaks made wrong transaction

Dear Guest!

Transaction: Visa 5259_PJ6hD
On July 26th, 2011 Hotel made wrong transaction debiting from your account for an overall amount of $1479.
For noncompliance of the service contract this Hotel was divested accreditation in Moverick Company.
Please see the attached form. You need to fill it in and contact your bank for the return of funds.
You’ll need the attached detalization of your account transactions to apply for the return of funds.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.

Marty Ditolla,
Manager of Reception Desk & Reservation Departament


Attachment : RefundForm***(*** is numbers).zip



Subject : Hotel Sheraton Suites Houston Near The Galleria made wrong transaction

Dear customer!

Transaction: Visa 50734_1Lk
On July 26th, 2011 Hotel made wrong transaction writing-down from your credit card for an overall amount of $1465.
This partner hotel was divested accreditation in Moverick Company with reference of noncompliance of the service contract.
For the return of funds please contact your bank and fill information in the attached form.
In the attachment you will find expense sheet with the sum of wrong transaction decommissioning.
As Company is not responsible for money transactions and acts as intermediary you can seize the court directly to return the funds from the Hotel.
Thank you for understanding. We trust you can solve this unpleasant problem.


Randy Hackathorn,
Manager of Reception Desk & Reservation Departament


Attachment : RefundForm(*** is numbers).zip




Subject : Hotel Westin Princeville Ocean Resort Villas made wrong transaction

Dear Customer!

Transaction: Credit Card 163684_mh
This letter notifies that on July 26th, 2011 Hotel transaction debiting from your account.
Total sum of decommissioning is $1673
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company
this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
In the attachment you will find expense sheet with the sum of wrong transaction
decommissioning.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Sorry for the inconvenience. We trust you can solve this unpleasant problem.


Clematis Delahanty,
Manager of Reception Desk & Reservation Departament


Attachment : RefundForm(*** is numbers).zip




Subject : Hotel The Carlyle, A Rosewood made wrong transaction


Dear customer!


Transaction: Visa 96682816_orvYc
On July 26th, 2011 Hotel made wrong transaction decommissioning from your account for an
overall amount of $1897.
Due to the termination of service contract between Hotel Melia Deviana and Moverick Company
this Hotel was divested accreditation in our company.
For the return of funds please contact your bank and fill information in the attached form.
In the attachment you will find expense sheet with the sum of wrong transaction error of
transaction.
Company just mediates and bears no responsibility for any money transactions made by Hotel.
Sorry for the inconvenience. We trust you can solve this unpleasant problem.


Margery Lovvorn,
Manager of Reception Desk & Reservation Departament


Attachment : RefundForm(*** is numbers).zip

The contents of each e-mail are similar.
They induce the user to download and execute the attachment, mainly by claiming a price error on a reservation.
The following figure shows the attachment after decompression.

 

The icon of this file is similar to the Excel icon.
It may confuse users, who can execute it believing it is an Excel file.
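Because the icon and the file name cannot be trusted, a mail gateway or analyst can check the content of each archive member instead. The following is an added example, not code from INCA Internet or nProtect: it opens every zip attachment of a message and flags members that begin with the Windows executable magic `MZ`. The `RefundForm` name pattern comes from the samples above; the member names and bytes in `build_sample` are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Archive naming seen in the samples above: "RefundForm" + digits + ".zip".
LURE_NAME = re.compile(r"^RefundForm\d*\.zip$", re.IGNORECASE)

def flagged_members(zip_bytes):
    """Members that start with the 'MZ' executable magic, or cannot be inspected."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        hits.append(info.filename)
            except RuntimeError:  # password-protected member
                hits.append(info.filename + " (encrypted)")
    return hits

def triage(raw_message):
    """Report every zip attachment carrying an executable, whatever it is named."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        hits = flagged_members(data)
        if hits:
            findings.append({"attachment": name, "flagged": hits,
                             "lure_name": bool(LURE_NAME.match(name))})
    return findings

def build_sample(archive_name, member_name, content):
    """Constructed message for this example; names and bytes are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    msg = EmailMessage()
    msg["Subject"] = "Hotel made wrong transaction"
    msg.set_content("Please see the attached form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=archive_name)
    return msg.as_bytes()
```

A member named like a spreadsheet is still reported when its first two bytes are `MZ`, which is the case the disguised icon relies on.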

If you execute this malicious file, it will try to access external sites and download additional malicious files.

* List of accessed external sites

- http://(~).ru/forum4/(~)
- http://www.(~).com/
- http://(~).com/(~)/img.php?id=106

* Currently, these sites are not accessible.

* Additionally downloadable malicious file related to fake Anti-Virus


This fake Anti-Virus malicious file uses a TLS callback function: the packed file is unpacked before the thread starts, and the file is executed after that unpacking.

However, this malicious file contains code that parses the URL of a certain external web site, and it cannot be executed.
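TLS callbacks run before a program's entry point, so a static check for them is a useful triage step on a packed sample. The following is an added example, not code from the original post or from nProtect: it reads the TLS data directory (entry 9) of a PE file and lists the callback addresses it declares, for both PE32 and PE32+. The image produced by `build_sample` is a constructed, minimal header layout, not the malware described above.

```python
import struct

def u(fmt, buf, off):
    return struct.unpack_from(fmt, buf, off)[0]

def tls_callbacks(pe):
    """Return the TLS callback virtual addresses declared by a PE image ([] if none)."""
    nt = u("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = nt + 24                                    # optional header
    pe64 = u("<H", pe, opt) == 0x20B                 # PE32+ uses 8-byte pointers
    ptr, width = ("<Q", 8) if pe64 else ("<I", 4)
    image_base = u(ptr, pe, opt + (24 if pe64 else 28))
    dirs = opt + (112 if pe64 else 96)               # data directory array
    tls_rva = u("<I", pe, dirs + 8 * 9) if u("<I", pe, dirs - 4) > 9 else 0
    if not tls_rva:                                  # entry 9 = IMAGE_DIRECTORY_ENTRY_TLS
        return []
    table = opt + u("<H", pe, nt + 20)               # section table follows the header
    sections = [struct.unpack_from("<IIII", pe, table + 40 * i + 8)
                for i in range(u("<H", pe, nt + 6))]

    def offset(rva):                                 # RVA -> file offset
        for vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("address outside every section")

    array_va = u(ptr, pe, offset(tls_rva) + 3 * width)   # AddressOfCallBacks
    found = []
    pos = offset(array_va - image_base) if array_va else None
    while pos is not None and len(found) < 64:       # array is zero-terminated
        va = u(ptr, pe, pos)
        if va == 0:
            break
        found.append(va)
        pos += width
    return found

def build_sample(callbacks):
    """Constructed minimal PE32 image for this example, not a real sample."""
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HH12xHH", 0x14C, 1, 224, 0x102)              # COFF header
    hdr += struct.pack("<H26xI60xI", 0x10B, 0x400000, 16)             # magic, ImageBase, dir count
    hdr += struct.pack("<72xII48x", 0x1000 if callbacks else 0, 24)   # directory 9 = TLS
    hdr += struct.pack("<8sIIII16x", b".data", 0x200, 0x1000, 0x200, 0x200)
    tls = struct.pack("<12xI16x", 0x401020)                           # AddressOfCallBacks
    return hdr.ljust(0x200, b"\0") + tls + struct.pack(f"<{len(callbacks) + 1}I", *callbacks, 0)
```

A non-empty result is a reason to look at those addresses first during analysis; compilers also emit TLS callbacks for legitimate programs, so the result alone is not a verdict.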

3. How to prevent

General users can hardly notice that something has happened on their PC when a malicious file is spread using social engineering.
To use a PC safely against the security threats of these malicious attachments, we recommend that general users follow the "Security management tips" below.

* Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as those stated above, and runs a response system against various security threats.

Diagnosis names

- Trojan/W32.Agent.865792.R
- Trojan-Downloader/W32.Injecter.52736
- Trojan/W32.Agent.939008.I
