Time for yet another spam scam email analysis. This time, the scam is an emailed plane ticket. Here's the email I got:
Return-Path: <firstname.lastname@example.org>
Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [188.8.131.52]) for <email@example.com>; Mon, 13 Oct 2008 23:23:39 -0700 (PDT)
Received: from [184.108.40.206] by brainstem.com.inbound10.mxlogic.net; Tue, 14 Oct 2008 07:23:39 +0100
From: Southwest Airlines <firstname.lastname@example.org>
To: <email@example.com>
Subject: Your Online Flight Ticket N 45109
Date: Tue, 14 Oct 2008 07:23:39 +0100
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
Importance: Normal

Good day,

Thank you for using our new service "Buy flight ticket Online" on our website. Your account has been created:

Your login: firstname.lastname@example.org
Your password: PASS0PAW

Your credit card has been charged for $986.14.

We would like to remind you that whenever you order tickets on our website you get a discount of 10%!

Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

Kind regards,
Southwest Airlines

Attachment: E-ticket.zip
Let's take a look at the mail headers. Here are a few things to notice:
From: Southwest Airlines <email@example.com>
Hmm. So apparently I'm getting an email from Southwest Airlines. If that is true, why is someone from brainstem.com sending it to me? Clearly, 'brainstem.com' is not Southwest Airlines. It's some Microsoft certified company in Maryland, so this email address is fake. I suspect the spammers did a few things here.
- Picked the name of an American airline company, likely at random. This time they chose Southwest Airlines, but I suspect other emails are sent with other airline names (Delta, American Airlines, JetBlue, etc.)
- Chose a domain name at random... In this case it was brainstem.com
- Created an email address at random... In this case it was 'bykvjypw'.
From addresses are easily forged and should never be trusted. I've had spam emails sent with my email address as the From address, and I certainly did not send them, nor did I approve them. Unfortunately, there's nothing you can do to stop this. You just have to accept that people will do this. Of course, if this email was from Southwest Airlines, the email address would have been 'firstname.lastname@example.org'. Southwest.com is the domain of Southwest Airlines. This is one sign that it is not valid.
Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [220.127.116.11])
This header records the host name and IP address of the machine that handed the message to the receiving mail server. By looking at the name and IP we discover that this was sent by 'bluewin.ch', which appears to be an ISP of some kind in Switzerland! So, I'm getting emails from Southwest Airlines by way of Switzerland? I don't think so. Looks like another zombie computer. One caveat: only the Received lines stamped by your own provider's servers are reliable; any Received line the sender's machine added itself can be forged just like the From line.
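The two header checks made above, the From domain against the brand in the display name and the reverse-DNS name of the sending hop, can be scripted. The following is an added example written for this page, not code from the original post. The message it parses is constructed to mirror the headers quoted above: the sender address is assembled from the local part and domain the post names, the recipient is a placeholder, and RFC 5737 documentation addresses stand in for the real IPs. The brand-to-domain table and the end-user-hostname pattern are my own heuristics and are labelled as such in the code.

```python
"""Triage the headers of a suspected scam e-mail (added example, not the post's code)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message modelled on the headers quoted in the post. The IPs are
# RFC 5737 documentation addresses; the recipient is a placeholder.
RAW_MESSAGE = b"""\
Return-Path: <bykvjypw@brainstem.com>
Received: from 37-8.2-85.cust.bluewin.ch (37-8.2-85.cust.bluewin.ch [192.0.2.10])
\tfor <victim@example.com>; Mon, 13 Oct 2008 23:23:39 -0700 (PDT)
Received: from [192.0.2.20] by brainstem.com.inbound10.mxlogic.net;
\tTue, 14 Oct 2008 07:23:39 +0100
From: Southwest Airlines <bykvjypw@brainstem.com>
To: <victim@example.com>
Subject: Your Online Flight Ticket N 45109
Date: Tue, 14 Oct 2008 07:23:39 +0100

Good day, your credit card has been charged for $986.14.
"""

# Brands a scammer may impersonate, mapped to the domain their real mail uses.
# Only the pair the post mentions is listed (assumption: extend for your own use).
BRAND_DOMAINS = {"southwest airlines": "southwest.com"}

# Heuristic (my own): reverse-DNS names that start with address-like digit groups,
# are bare IP literals, or carry ISP customer labels belong to end-user
# connections, not to mail servers.
END_USER_HOST = re.compile(
    r"(^\[?\d|(^|[.-])(cust|dyn|dsl|ppp|pool|dhcp|cable)([.-]|$))", re.I
)


def looks_like_end_user_host(host):
    """True when the hop name matches the end-user heuristic above."""
    return bool(END_USER_HOST.search(host))


def sending_hosts(msg):
    """Return the 'from <host>' token of each Received header, top to bottom."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", str(hdr))
        if m:
            hosts.append(m.group(1))
    return hosts


def triage(raw):
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Check 1: does the From domain match the brand named in the display name?
    display_name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    expected = BRAND_DOMAINS.get(display_name.strip().lower())
    if expected and domain != expected:
        findings.append(
            f"From domain {domain!r} is not {expected!r}, the domain of {display_name!r}"
        )

    # Check 2: did any hop come from something that looks like a home connection?
    for host in sending_hosts(msg):
        if looks_like_end_user_host(host):
            findings.append(
                f"Received hop {host!r} looks like an end-user connection, not a mail server"
            )
    return findings


if __name__ == "__main__":
    for line in triage(RAW_MESSAGE):
        print("-", line)
```

Run stand-alone it prints one finding for the From mismatch and one for each Received hop; the second hop is flagged because it arrived as a bare IP literal with no host name, which the heuristic treats the same way as a customer-style reverse-DNS name.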
Your credit card has been charged for $986.14.
Scare tactics. They expect you to react to this as "Oh my God, someone charged nine hundred bucks on my credit card! I'd better check this out." You then open that evil file attachment and you are infected. This is a scam. Your credit card was not charged. They don't have your credit card.
print it on a color printed
Um, what the heck is a 'printed'? I assume they meant 'printer' here. This is yet another example of the bad grammar and/or typos that frequently appear in these scam emails.
File Attachment: E-ticket.zip
Look. It's another zip file attachment. This is a huge warning sign. Let's take a (careful) look at the contents of this zip file... Unzipping this zip file, I find a single file 'e-ticket.doc.exe' inside. This is yet another example of the double file extension trick. Windows Explorer hides the extensions of known file types by default, so it drops the '.exe' part and shows the name as 'e-ticket.doc'. This makes you think it is the airline ticket they said it was. Of course it's not. It's actually a program that will infect your computer if you run it.
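Checking an attachment for this trick does not require extracting or opening it. The following added example (not code from the post) builds a zip in memory with a member named like the post's 'e-ticket.doc.exe'; its content is a constructed stand-in carrying only the two-byte 'MZ' signature that Windows executables begin with, not a real program. It then lists every member with an executable extension, a decoy-plus-executable double extension, or executable content. The extension sets are my own choice of common values.

```python
"""List risky members of a zip attachment without extracting anything
(added example, not code from the post)."""
import io
import posixpath
import zipfile

# Extensions Windows runs directly on double-click (assumption: common values).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta",
}
# Document-like extensions used as the visible half of a double extension.
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".jpg", ".png", ".txt", ".htm", ".html"}


def build_sample_zip(member="e-ticket.doc.exe", content=b"MZ" + b"\0" * 62):
    """Constructed test archive: by default one member with a fake MZ header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def extensions_of(name):
    """['.doc', '.exe'] for 'e-ticket.doc.exe'; [] for a name with no dot."""
    parts = posixpath.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_zip(data):
    """Return findings for each member; reads only the first two bytes of content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = extensions_of(name)
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {exts[-1]}")
            if (
                len(exts) >= 2
                and exts[-2] in DECOY_EXTENSIONS
                and exts[-1] in EXECUTABLE_EXTENSIONS
            ):
                # What Explorer shows once the real extension is hidden.
                shown = posixpath.basename(name)[: -len(exts[-1])]
                findings.append(f"{name}: double extension, displayed as {shown!r}")
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    findings.append(f"{name}: content starts with the MZ signature")
    return findings


if __name__ == "__main__":
    for line in inspect_zip(build_sample_zip()):
        print("-", line)
```

The content check matters because the name check alone can be sidestepped by a misleading extension; reading only the first two bytes keeps the inspection from ever handing the payload to a program that would interpret it.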
A good attempt. They got the grammar mostly right. I only found one blatant typo. This would likely trick most people. For a brief moment I thought it was real. Of course, once I studied it some more I realized it wasn't. It also helps to use a little common sense here. Did I recently spend $900 on a plane ticket? No. Clearly this is not valid. Could it be identity theft? Yes, but even if it was, you can log onto your credit card company's web site and check whether this $900 charge was made. And even if it WAS made, you just dispute the charge with the credit card company and you are not out a penny. None of your money is at risk.
Always remember that a little common sense and a healthy dose of skepticism will often save you from falling for these scams.