Advisory: Malicious Email Alert - Fake Delta Email Leads to Trojan

STEAM-ADVISORY NO. 2014012201
PURDUE UNIVERSITY SECURITY STEAM-CIRT
Wednesday, January 22, 2014 15:00:00 EDT

==OVERVIEW==

A malicious email was sent to several university members that claimed
to be from Delta regarding the purchase of a ticket.

==SYSTEMS AFFECTED==

End users

==DETAILS==

A malicious email was received by several university members that
claimed to be a confirmation of a ticket purchase through Delta
Airlines. The sender address spoofed a delta.com email address, and
fake order numbers appeared in the subject and the URL. The URL was
described as a way to download and print the recently purchased
ticket. However, the URL directed the user to download a .zip
file that contained trojan-like malware. The examples provided to ITSP
Security led to two different variants of malware. The malware was
supplied to McAfee for inspection, and the result was an extra.DAT
file to be provided for the ePO server.

There is a possibility that other similar emails may provide different
variants of email that we have not seen yet. It is important to note
that users should ignore these emails, especially if they did not
purchase any airline tickets recently.

As usual, clicking on links in emails is not recommended. The
alternative is to copy and paste the link into the browser after doing
some investigation of the URL and content of the message for legitimacy.
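
The investigation described above can be scripted for mail-desk triage. This is an added example, not part of the original advisory: the sample message and its hosts are constructed, and it assumes the receiving gateway stamps an Authentication-Results header and that the link host differs from the claimed sender domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not taken from the advisory); link host is a reserved example domain.
SAMPLE = """\
From: Delta Air Lines <tickets@delta.com>
To: user@example.edu
Subject: Your order #0000000 is confirmed
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=delta.com
Content-Type: text/html

<html><body><p>Download and print your ticket:</p>
<a href="http://tickets.example.net/orders/0000000/ticket.zip">Print ticket</a>
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)
ARCHIVE_RE = re.compile(r'\.(zip|rar|7z)\b', re.I)
AUTH_FAIL_RE = re.compile(r'\b(spf|dkim|dmarc)=(fail|softfail)\b', re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # The From header is attacker-controlled; only the gateway's verdict is trusted.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if AUTH_FAIL_RE.search(msg.get("Authentication-Results", "")):
        findings.append("sender-auth-failed")
    for url in HREF_RE.findall(body_text(msg)):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # A link that leaves the claimed sender's domain is the key mismatch.
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append("link-host-mismatch:" + host)
        if ARCHIVE_RE.search(parsed.path):
            findings.append("archive-download:" + host)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```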

==SOLUTIONS==

Ignore and delete the email. If the file was downloaded and the machine
contains or has access to sensitive or restricted data, please contact
abuse@purdue.edu; otherwise the machine will need to be re-imaged.
Users will also need to change their password and challenge questions
if they used the machine after the malware would have been triggered.

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
itap-securityhelp@purdue.edu.

Report computer-related abuse to STEAM-CIRT:
purdue . edu /securePurdue/incidentReportForm.cfm
purdue . edu /securepurdue/steam
(copy and paste, then remove spaces)

Posted by ITSP Security on January 22, 2014, in Advisory Alerts.