US-CERT Warns About Airline Phishing Scams

What if there was a new phishing scam that had an open rate of 90%?  That’s right, this phishing email is so believable that 90 out of 100 recipients open the attachment or click on the link without a second thought.

These attacks begin with the scammer researching the target victim.  These targets usually work at companies where there is a lot of air travel.  The emails are personalized, and designed to look like airline flight confirmations, or travel company invoices.  Subject lines include details such as airline, ticket price, and destination that would be believable to the recipient.

There are two versions of this exploit.

  • One uses malicious attachments that look like flight itineraries, invoices, or receipts. Opening the attachment will install a remote access Trojan or keylogger.  The keylogger collects more personal data, including user IDs and passwords to other websites and internal systems.
  • The other provides a link to a replica website login screen, and captures the victims’ user credentials.  Often there are additional web forms to capture more detailed information about the victim and their organization.
  • In either version, if the attackers can gain access to a user’s computer, they can pivot to other computers and extend the exploit deeper into the organization.

As with other phishing scams, the best ways to protect yourself are:

  • When confirming travel arrangements, use the vendor’s website.  Do not click on the offered link in the email.  Open your browser and go directly to the airline website by typing the address into the address bar, or use a bookmark or favorite you created earlier.
  • Never click on any link in an email without at least checking the destination by hovering over the link and reading what appears in the tool tip box.  If the web address looks unusual, just assume the email is a fake and delete it.
  • Never open an attachment without confirming with the sender,
  • Or forward the email with the attachment to  Change the subject line to SCAN, and wait for a response from VirusTotal.  The attachment will be scanned, and if it contains malware, you will be notified in the scanner results email.  This process takes less than 10 minutes.

Be aware, and pass this warning on to others in your company.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
