Subject: Reservation Confirmation , Thu, 2 Aug 2012 09:47:18 +0800
From: "Booking.com" <firstname.lastname@example.org>
Date: Wed, August 1, 2012 5:47 pm
Hotel Confirmation: 7395329
Date: Thu, 2 Aug 2012 09:47:18 +0800
Herewith you receive the electronic reservation for your hotel. Please refer to attached file for full details.
Arrival: Saturday, August 04, 2012
Departure: Monday, August 06, 2012
Number of rooms: 1
Sincerely, Customer Service Team
Your Reference ID is: 3225161
The Booking.com reservation service is free of charge. We do not charge you any booking fees or administration fees, and in many cases rooms offer free cancellation.-Booking.com guarantees the best hotel rates in both cities and regional destinations - ranging from small family hotels to luxury hotels.
What are some of the telltale signs of a scam? This one is deceptively simple, but . . .
- The email doesn't list a recipient; there's no "To"
- My name is not mentioned in the reservation
- No hotel is mentioned in the reservation. There is a legitimate website called My Booking, but there is an extra 'dot' in the email address listed
- I have to open a file - a well-known way to infect computers with whatever evil the spammer/hacker is sending
I'm sure there are other signs I'm missing*. But . . .
How many people will unthinkingly click on the attachment in an attempt to clear up the confusion?
How many people have hotel reservations for August 4 who will open this?
If the world were a fair and equitable place, would there still be people who would need to disrupt other people's lives with stuff like this?
*There are lots of sites that offer advice on how to deal with email hoaxes and scams. I even found one that lets you paste the email into a window and they'll check if it's a known scam. But you have to give them an email address. I passed on that.
Here are a couple sites. It's useful to check them now and then as a reminder, plus these things evolve and get more sophisticated.
Microsoft Office tips
Kansas State University - Email Threats
(Three years old, but still interesting) Wired - Identify a Phishing Scam
[UPDATE: August 7: MX Lab reported on July 31 that the linked zip file contained a trojan:
The attached ZIP file has the name Booking_Confirmation_073120123972991.zip and contains the 37 kB large file Booking_Confirmation_07312012.exe.
Hmmm, I should have found that before I posted.]
The trojan is known as W32/Falab.J2.gen!Eldorado, Trojan-Spy.Agent, Downloader.Dromedan or TROJ_KRYPTIK.NC.
At the time of writing, only 9 of the 41 AV engines did detect the trojan at Virus Total.
Virus Total permalink and SHA256: 78cca5db33888091d98854835d6ca80b77568d5f106a9d7739e7a3efa02df659.
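
The signs listed above (no "To" header, the recipient's name missing, an attachment that turns out to be a ZIP wrapping an .exe) can be checked mechanically before anyone opens the file. This is an added example, not part of the original post or the MX Lab report; the function names, the extension list and the recipient name "Jane Doe" are assumptions, and the sample message is constructed with harmless placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # illustrative list


def phishing_signs(raw: bytes, recipient_name: str) -> list:
    """Return the warning signs from the post that this message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    signs = []
    if not msg["To"]:
        signs.append("no To header")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if recipient_name.lower() not in text.lower():
        signs.append("recipient name not in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(EXECUTABLE_EXTS):
            signs.append(f"executable attachment: {name}")
        elif zipfile.is_zipfile(io.BytesIO(payload)):
            # Only list member names; never extract or run the contents.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTS):
                        signs.append(f"executable inside {name}: {member}")
    return signs


def build_sample() -> bytes:
    """Constructed sample: headers and file names as quoted in the post."""
    msg = EmailMessage()
    msg["Subject"] = "Reservation Confirmation"
    msg["From"] = '"Booking.com" <firstname.lastname@example.org>'
    msg.set_content("Hotel Confirmation: 7395329\nPlease refer to attached file.\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking_Confirmation_07312012.exe", b"placeholder, not a program")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Booking_Confirmation_073120123972991.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for sign in phishing_signs(build_sample(), "Jane Doe"):
        print("-", sign)
```

A message that trips none of these checks is not thereby safe; the function only automates the signs this post names.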