You have 2 totally free flights – LAN Phishing

The following is a phishing examplewhich seeks to infect users with the download of a Trojan. The excuse to cheat them are two free flights that have allegedly been won with the LAN company.

At a glance the message looks very real, there are even links that point to the airline site but when trying to access the award information an .exe Trojan that pretends to be a Word document is downloaded.

In the following screenshots you can see the fake email and the Trojan downloaded after clicking:

It looks like an innocent Word document but it's actually an executable file, because it has a double extension Lan.docsx.exe that at first glance is not seen since by default the display of extensions is disabled in Windows. VirusTotal detects 10 of 46 antivirus engines.

You have to be very careful with the links and downloads received by e-mail, especially when they are unexpected or refer to succulent prizes.

But there are other details of this fake email that can trigger our alarms, one of them is the email that appears as the sender – without going into details of the message header – you can see that the address is noreply@sonico.com which is very rare considering that it is the LAN company that contacts us.

On the other hand, the link that downloads the Lan.docsx file points to a strange destination, in the message it seems that it was made from the LAN page but in fact it is made from a .com.mx domain (see red arrow in the previous screenshot ).

It is a site under the WordPress platform that is infected and is used by cyber criminals to host malware. On the vulnerable server, you can see the Trojan, an action.php file that is used to download, and a .txt file that works as a counter for the downloads made. At the time of writing this article, more than 6 thousand had been made.

This phishing example was just sent to me born, a reader and frequent contributor to the blog who knows how to detect these deceptions. But even he almost fell for it since he is subscribed to the airline newsletter, these were his words in the email he sent me:

Good afternoon, Alejandro.Look at this new phishing that they do in the name of LAN.In this one I almost fell, because I am subscribed to the newsletter.

As a client, at first it seemed real to you, precisely that is one of the keys to these phishing attacks are more effective by being more personalized. For spammers, it would be no problem to shop around the company's Twitter and Facebook accounts to collect personal information from the people who follow them and are therefore customers.

To give an example, I just entered the LAN Per fanpage that has more than 600 thousand followers, I looked for a user who was asking about travel destinations, I clicked on his name and without being his friend on Facebook I could see his mail, your mobile number, list of some relatives, workplace, things you like and of course, your full name.

Of course, this is not a LAN problem but rather the level of privacy that users set up on social networks … but it is an example of how easy it could be to customize a phihisng campaign to make it more credible.

We must be careful with the emails we receive, the common sense should never be lost.

Thanks born for the delivery.