Debunking email hoaxes and exposing Internet scams since 2003!


Qantas 'E-Ticket Itinerary Receipt' Malware Email

An email purporting to be from Australian-based airline Qantas claims that recipients can view an 'E-Ticket Itinerary Receipt' by opening an attached file.

Brief Analysis
The email is not from Qantas.  The attached file contains malware.

Subject: Qantas Departure Information - 405F9F YUV BIN 3UE


Thank you for choosing to fly with Qantas.

Attached to this e-mail you will find your E-Ticket Itinerary Receipt and the Terms and Conditions of Carriage. Each passenger travelling is required to carry a printed copy of the E-Ticket document for check-in, immigration, customs, airport security checks and duty free purchases at the airport.
We have also provided some information below to help you prepare for the first flight of your journey. Flight details for all flights in your itinerary are included in your E-Ticket Itinerary Receipt attached.


Detailed Analysis

This email, which claims to be from Australian airline Qantas, advises recipients that they can access an E-Ticket itinerary receipt and terms and conditions of travel by opening an attached file. The email includes the Qantas logo and other information and links about travelling on the airline.

However, the email is not from Qantas and the attachment does not contain flight information as claimed.  In fact, the attachment harbours malware. The attachment comes in the form of a .zip file. Unzipping this file will reveal what at first glance may appear to be an innocent PDF. However, the file is actually a malicious .exe file, not a .pdf.  In an attempt to fool potential victims, the file has a double extension (.pdf.exe). Clicking on this disguised .exe file will install the malware on the victim's computer.
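The double-extension disguise described above can be caught by inspecting the names inside a .zip attachment before anyone opens it. The following Python check is an added example, not part of the original article; the extension lists, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed extension lists for this example; tune both for your own mail filter.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify_name(name):
    """Return 'double-extension', 'executable' or None for one archive member name."""
    # Zip names use '/', but some tools write '\'; keep only the final path component.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.pdf.exe. " still runs as an .exe.
    base = base.rstrip(". ").lower()
    # Strip each part so space padding ("a.pdf      .exe") cannot hide the decoy.
    exts = ["." + part.strip() for part in base.split(".")[1:]]
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_zip_attachment(data):
    """Return [(member_name, verdict)] for suspicious members of a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            verdict = classify_name(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip(names):
    """Constructed test input: an in-memory zip whose members hold harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name in names:
            archive.writestr(name, b"placeholder, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["E-Ticket Itinerary Receipt.pdf.exe", "terms.pdf"])
    for member, verdict in scan_zip_attachment(sample):
        print(f"BLOCK {member!r}: {verdict}")
```

The check looks only at member names, so it will not flag an executable that has been renamed with a harmless extension or placed inside a nested archive.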

The exact purpose of this malware may vary in different incarnations of the scam.  However, such malware will typically steal personal and financial information from the compromised computer and send it to the criminals operating the malware campaign. It may also download and install more malware and allow criminals to take control of the infected computer.

The goal of the criminals is to panic at least a few recipients into opening the attachment because they mistakenly believe that flights have been booked in their name without their permission or knowledge. People who have actually booked Qantas flights recently might also open the file without due care.

To make the message seem more legitimate, secondary links in the email open the genuine Qantas website.

The Qantas version is just one in a series of very similar malware emails that have targeted users in recent years. Criminals have used the names of several other airline and travel companies, including Jetstar, Delta Airlines, American Airlines and Expedia.

If you receive any unsolicited and unexpected email claiming to contain travel or flight booking information, do not open any attachments or click on any links that it contains.

Last updated: July 25, 2013
First published: July 25, 2013
By Brett M. Christensen

Jetstar 'Flight Itinerary' Malware Email
Delta Air Lines Passenger Itinerary Receipt Malware Emails
American Airlines Flight Ticket Order Malware Emails
Expedia Travel Itinerary Malware Email