US Airways online check-in

The hits kept rolling in today. We observed another new spam template. This new template spoofed communications from US Airways.

The spam sample we observed had a subject line of “US Airways online check-in”. Other subject lines in circulation were:

  • Please confirm your US Airways online registration
  • US Airways online check-in confirmation

The sample we observed had the following malicious link:


Note that these new templates still leveraged the same random 8-character pattern in the URI path seen in other Cutwail-generated spam pushing Gameover Zeus. This pattern remains a good indicator for detecting these spam campaigns.
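A detection sketch for the two indicators described above (the listed subject lines and the 8-character URI path pattern). This is an added example, not code from the original post. It assumes the 8 characters are ASCII letters and digits filling one whole path segment, and the "mixed character classes" randomness heuristic, the sample body and the .test hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject lines listed in the post for this template.
SUBJECTS = {
    "us airways online check-in",
    "please confirm your us airways online registration",
    "us airways online check-in confirmation",
}
# Assumption: the 8 random characters are ASCII letters/digits filling one path segment.
SEGMENT = re.compile(r"[A-Za-z0-9]{8}")

class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def looks_random(segment):
    """Heuristic (assumption): 8 alphanumerics mixing two of lower/upper/digit."""
    if not SEGMENT.fullmatch(segment):
        return False
    kinds = (str.islower, str.isupper, str.isdigit)
    return sum(any(f(c) for c in segment) for f in kinds) >= 2

def suspicious_links(html_body):
    """Return http(s) links whose path has a random-looking 8-character segment."""
    parser = LinkExtractor()
    parser.feed(html_body)
    hits = []
    for url in parser.links:
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and any(
            looks_random(s) for s in parts.path.split("/")
        ):
            hits.append(url)
    return hits

def matches_campaign(subject, html_body):
    """Flag a message when a listed subject and the URI pattern both appear."""
    return subject.strip().lower() in SUBJECTS and bool(suspicious_links(html_body))

# Constructed sample body; hosts use the reserved .test TLD.
SAMPLE_BODY = (
    '<p>Check in: <a href="http://travel.example.test/a7Xk29Qp/index.html">here</a></p>'
    '<p><a href="https://www.example.test/checkin/products/">Products</a></p>'
)
```

Because the subject lines change with each template while the URI pattern persists, suspicious_links() on its own is the more durable check; matches_campaign() narrows it to this specific template.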

The malicious link contained the following JavaScript redirectors:

<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>
<script type="text/javascript" src=""></script>

The malicious JavaScript files redirected victims to a Blackhole Exploit Kit.

This Blackhole Exploit Kit dropped a Gameover Zeus payload with the following properties:

File: contacts.exe
Size: 284184
MD5: 4617153B1E91F364FB3E7B7C4A64E1B3

Note that the filename of contacts.exe is randomly selected from a pool of filenames. Blackhole Exploit Kits drop files with the following names: about.exe, contacts.exe, calc.exe, readme.exe, info.exe, etc.

This Gameover Zeus payload had a botid of ‘ppcz20’ and sent stolen data to a dropzone over port 17615.

Note that this botid was also seen in the previous posts “Careerbuilder spam delivers more than just a new job posting” and “USPS themed spam”.



  1. Posted June 27, 2012 at 12:01 am | Permalink | Reply

    This is a schedule check.

  2. andrew czirjak
    Posted August 3, 2012 at 6:22 pm | Permalink | Reply

    If you didn’t buy it then it is too good to be true

  3. Posted November 11, 2012 at 1:32 am | Permalink | Reply

    Hi I am so happy I found your weblog, I really found
    you by accident, while I was looking on Askjeeve
    for something else, Regardless I am here now and would just like
    to say thanks for a tremendous post and a all round entertaining blog (I also
    love the theme/design), I don’t have time to go through it all at the moment but I have
    book-marked it and also included your RSS feeds, so when
    I have time I will be back to read a lot more, Please do keep up the fantastic work.

  4. Posted December 29, 2012 at 5:30 pm | Permalink | Reply

    It’s a shame you don’t have a donate button! I’d without a doubt donate to this superb blog! I suppose for now I’ll settle for book-marking
    and adding your RSS feed to my Google account.
    I look forward to new updates and will share this site with my Facebook group.

    Talk soon!

  5. Posted January 9, 2013 at 8:09 pm | Permalink | Reply

    I believe everything posted was actually very logical.
    But, what about this? suppose you added a
    little information? I am not suggesting your content isn’t solid, but what if you added something that makes people desire more? I mean US Airways online check-in | spamalysis is kinda boring. You ought to peek at Yahoo’s front page
    and watch how they create article titles to grab viewers to open the links.
    You might add a video or a pic or two to grab readers interested about what you’ve written. Just my opinion, it would bring your posts a little bit more interesting.

  6. Posted January 17, 2013 at 2:28 am | Permalink | Reply

    “US Airways online check-in spamalysis” definitely got me addicted with your webpage!

    I really will certainly wind up being back a whole lot more frequently.
    Thank you -Callie

  7. Posted January 23, 2013 at 1:58 pm | Permalink | Reply

    I found this amazing article , “US Airways online check-in spamalysis”, extremely entertaining and the post was a superb read.
    I appreciate it-Helena

  8. Posted April 3, 2013 at 6:21 am | Permalink | Reply

    Wow, this paragraph is fastidious, my younger sister is analyzing
    these kinds of things, thus I am going to let know

One Trackback

  1. […] destination) vary, and there's no arrival city (which is perfect if you think about it).  This site says the links lead to malware.  Here's what they look […]
