Debunking hoaxes and exposing scams since 2003!

Jump To: Example    Detailed Analysis   Comments   References

Malware Email Claims Cancelled Qantas Flight Fare Held in Credit

Jump To: Example    Detailed Analysis   Comments   References


Email purporting to be from Australian airline Qantas claims that your flights have been cancelled as requested and the ticket value has been held in credit for future fares. The email claims that details can be viewed in an attached file.

Qantas Flight
© Ben-Ari

Brief Analysis

The email is not from Qantas and the attachment does not contain information about cancelled flights. In fact, the email contains malware that, once installed, may steal sensitive personal information, download more malware, and allow criminals to take control of the infected computer.



Bookmark and Share

related Links

Related Links

Identity theft is one of the fastest growing crimes in the world. Learn how to stay safe online with Hoax-Slayer's comprehensive eBook:


Qantas Flights Held in Credit IAWLFR [Email Ref: 170215-000310

We are writing to let you know that your flights have been cancelled as requested, and the fare value of your ticket has been placed in a stored credit for you.

Here are the details of your stored credit:

This stored credit may be used towards payment of a new ticket of equal or higher fare value provided this meets the conditions of the new fare. The new fare might be higher than the original fare, depending on the fares available. If changed for a higher fare, the difference between the original fare and the new fare and applicable taxes must be paid in addition to any change fee. Taxes are also subject to change any difference will be charged to your Card upon your new booking.

Thank you for your Card Membership.

Yours sincerely, (Attachment name: Qantas

Detailed Analysis

'Qantas' Email Claims Flights Have Been Cancelled

According to this email, which claims to be from Australian airline Qantas, your flight tickets have been cancelled as per your request. The message explains that the fee for the tickets has been placed in a stored credit and may be used towards payments of later tickets.

The email suggests that you can read further details about the stored credit by opening an attached file.

Email is Not From Qantas - Attachment Contains Malware

However, the email is not from Qantas and the attachment does not contain information about flight credits. Instead, the attachment contains malware.

If you open the attached .zip file, you will find a malicious .exe file inside. Both the .zip and the .exe files have a double extension that includes '.pdf'. This is a ruse to trick recipients into thinking that the attachment is a harmless .PDF. If file extensions are hidden - as they are by default on Windows based computers - the illusion that the files are innocent .pdfs will be even stronger.

Clicking the .exe file will install the malware. Once installed, the malware may record sensitive information such as passwords and usernames and send it to criminals. It may also download further malware and allow the criminals to take control of the computer from afar.

The scammers hope that at least a few people will be panicked into opening the attachment without due caution. Some who really do have flights booked may open the attachment in the mistaken belief that their flights have been cancelled in error. Others, believing that their credit card has been compromised and used to purchase flight tickets, may also go ahead and open the attachment.

If you receive one of these messages, do not click any links or open any attachments that it contains.


Last updated: February 24, 2015
First published: February 24, 2015
By Brett M. Christensen
About Hoax-Slayer

Email Messages Distributing Malicious Software on February 19, 2015

More stories!

'Internet Capacity Warning' Phishing Scam
According to this email, which claims to be from the 'Support Department' at 'Information Technology Services', your internet capacity is 70% full and you therefore need to contact support to avoid problems.
Published: July 6, 2015

Kroger 'Free Coupons' Survey Scam
Message being distributed across Facebook claims that users can receive free coupons from American retailer Kroger just by sharing a message and visiting a third party website to claim their prize.
Published: June 16, 2015

Pointless Facebook Warning - Hackers Posting Insulting Messages or Sexual Content In Your Name
'Hacker' alert messages circulating on Facebook claim that, without your knowledge, hackers are posting insulting or sexual messages that appear to come from you onto your Facebook Timeline.
Published: June 3, 2015