Westminster Hotel Reservation Bookings Spam Campaigns Lead to Stealth Malware

Email spam is alive and well, as evidenced by two running travel reservation spam campaigns that abuse the name of Westminster Hotels. Social engineering tricks rely on naïve or unsuspecting PC users who click too fast on infectious links and attachments and so invite computer infections onto their vulnerable systems. Thanks to graphical editing programs like Photoshop, it is easy these days for malware makers or spammers to spoof the branding of legitimate vendors or businesses.

There are a multitude of travel reservation spam campaigns on the web lying in wait for new victims to fool. The Westminster booking scam follows the same blueprint:

  • The email comes under the cover of a respected travel agency or direct from Westminster Hotels.
  • The subject matter refers to an attachment, the decoy document, which may be a zipped file but is in fact a Trojan awaiting execution, i.e. a click.

Here is the body of one of the spam communications:

Kindly open to see export license and payment invoice attached, meanwhile we sent the balance yesterday. Please confirm if it has settled in your account or you can call if there is any problem.

Sometimes the language mimics standard or acceptable verbiage, and thus relies on the victim's familiarity and trust. Other times it is creatively written to capitalize on human behavior or emotions, i.e. social engineering. Note that the communication mentions 'money or balance' being sent. The malware creator is hoping to pique the victim's curiosity and desire for 'free money' being deposited into their account.

The thing about decoys is that, to the naked eye, the victim sees what was promised: information about a reservation of some sort. However, it is what they are not seeing that is the problem. The attachment is really the mask of Trojan-PSW-Win32.Tepfer, a Windows-based infection designed to steal passwords, amongst other mayhem. When clicked or executed, Trojan-PSW-Win32.Tepfer quietly downloads and installs itself and connects to a planned command and control server, which means it can receive instructions or download more malicious files. Trojan-PSW-Win32.Tepfer will also aid in turning the infected system into a bot.
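The decoy described above, a zipped attachment whose content looks like a document but is really a program, can be checked for before a message reaches an inbox. The following is an added example, not part of the original article: the function names, the extension lists (illustrative, not exhaustive) and the sample message are all constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative lists: types Windows runs on a double click, and decoy document types.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "lnk"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def classify_name(name):
    """Return a finding for one file name, or None if it is not executable."""
    parts = name.lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension executable"
    return "executable"


def scan_message(raw_bytes):
    """Return (attachment, file name, finding) for each risky attachment file."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        names = [fname]
        if zipfile.is_zipfile(io.BytesIO(data)):  # look inside the archive too
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names += zf.namelist()
        findings += [(fname, n, classify_name(n)) for n in names if classify_name(n)]
    return findings


def build_sample():
    """Constructed sample: booking-themed mail with a zipped fake invoice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Booking_Invoice.pdf.exe", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg.set_content("Kindly open to see export license and payment invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Reservation.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The check reads only file names, so it catches the disguise but says nothing about what the file does; a flagged message still needs to be quarantined and scanned.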

Trojans may be quiet, but they can also be deadly, meaning they can wreak havoc and put the victim's data and financial future at risk. How? Trojans can run a script to gather vital data stored in the browser cache. Remember when your browser asked if you wanted to store your password or login information so that it would populate frequently used forms on its own? Now, when you access frequently visited websites (or URLs of record), the login screen is already populated and all you have to do is hit enter. Well, this same data and these same credentials will be copied by the Trojan and sent to a remote server. The Trojan will also harvest email addresses and gather system data that could aid in the planning of future attacks.

The best way to counter email spam is to not open it in the first place. In fact, you should delete spam altogether, especially unsolicited communications. You have not planned any travels, so why would you open the communication? Furthermore, never provide personal data. Some spam emails are phishing campaigns hoping to collect enough personal information to aid in hacking into your account or another connected to you in some way, i.e. family, friend, co-worker, company network, etc.

Most importantly, you need to fortify your security by installing a stealth antimalware solution. Make sure the solution you settle on does the following:

  • Uses a mix of scanning techniques
  • Offers 24/7 protection in real time
  • Offers a custom fix
  • Updates definitions around the clock
  • Offers online support for real people

If you or someone using your computer fell victim to email spam, you really need to do a complete scan to cleanse your system, just in case malware is on board and hiding in the root.