The Developer Stash

Arbitrary Contemplations

Phishing in the name of Midwest Airlines

   What happens when you receive a very polite email from an airline company which tells you that you have booked a ticket somewhere across the globe and your credit card has been charged with $690? This doesn't sound strange if you've really bought the ticket on your credit card. What happens when you know that you haven't?

   This happened to my colleague recently. She received a mail from a phisher pretending to be the Midwest Airlines web service, which thanked her for purchasing the ticket and informed her that her credit card account was charged with $690. Gosh! You should have seen the look on her face. I definitely can't describe it. It was a mixture of fear (the fear of losing $690, which is quite a large amount), confusion (the confusion of what should be done next) and curiosity (all said and done, she too is a techie, knows and is curious about this stuff). But it's kind of cool to study the behavior of people becoming victims (or in this case, potential victims) of phishing.

   She gave me a shout across the desk and asked what she should do next. I told her not to delete the mail (as I needed it as a real phishing example for posting on my blog, cruel thinking!) and to inform the information security folks about this problem. And, I shouldn't have believed her on that. She deleted the mail, and my dreams of including snapshots of that mail and the attachments were destroyed. Anyways, you can find the pattern of the mail and the attachment in this article on CyberInsecure.com.

   The best part of it was when I asked her to forward the mail to me. She looked at me as if I was planning to learn phishing by using that trojan as my tool. But, by the time I asked for it, the mail was long gone (the mail was a victim of the Shift+Del disaster).

   The attachment contains an exe file named E-ticket_[number].doc.exe, which is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia. Now, that is something to take note of. Almost a year ago, this trojan ripped off more than 1.6 million customer records from Monster Worldwide Inc., the company that operates the popular Monster.com recruiting Web site.
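
The `.doc.exe` naming trick described above is easy to catch at a mail gateway or in a triage script. The following is an added example, not part of the original post: it walks the MIME parts of a message and flags attachments whose executable extension is hidden behind a document-like one, generalizing beyond `.doc.exe` to other pairs. The extension lists, the function names and the sample message (including the ticket number) are assumptions constructed for illustration.

```python
import os
from email import message_from_string

# Assumed, non-exhaustive lists: what Windows runs vs. what looks like a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}

def is_deceptive_name(filename):
    """True when an executable extension is hidden behind a document one."""
    # Windows drops trailing dots and spaces, so ignore them when matching.
    name = filename.strip().rstrip(". ").lower()
    stem, last = os.path.splitext(name)
    # Spaces padded before the real extension push it out of view in the UI.
    _, inner = os.path.splitext(stem.rstrip())
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS

def flag_attachments(raw_message):
    """Return the filenames of all MIME parts with a deceptive double extension."""
    msg = message_from_string(raw_message)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_deceptive_name(n)]

# Constructed sample message: addresses, boundary and ticket number are made up.
SAMPLE = """\
From: tickets@airline.example
Subject: Your e-ticket
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your credit card has been charged $690.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="E-ticket_000000.doc.exe"

placeholder
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="itinerary.doc"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(flag_attachments(SAMPLE))
```

A plain `setup.exe` is deliberately not flagged here: the check targets the disguise, so blocking executables outright remains a separate policy decision.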

   Have you ever been phished?

Posted on Sunday, August 31, 2008 9:34 AM | Filed Under [ Viruses and Trojans ]

Feedback

# re: Phishing in the name of Midwest Airlines

Sitting in my junk mail folder last night were no fewer than 4 phishing emails, 3 of them for banks I have never banked with and 1 from a bank where I had closed the account.

To be honest, I have removed the preview option from my Inbox and use Outlook's rules engine to move emails from known domains into their own folder.

This way I get to avoid the preview pane running any trojans as well.

As a general rule of thumb no credit card information is put into a website/window displayed unsolicited. One of my clients got hit by something calling itself 'Microsoft Security'. It also stopped Norton from running. He did however put his credit card in when requested to buy an anti-virus program :(

Needless to say, even though the transaction was cancelled his card was charged and he has just had to get a new account set up.

9/4/2008 5:38 PM | Paul

# re: Phishing in the name of Midwest Airlines

Forgot to mention in the post that no damages occurred to my colleague’s financial status.
:-)
9/4/2008 5:47 PM | Elroy