Brazil Airplane Tragedy Crimeware

Date:07.18.2007

Threat Type: Malicious Web site / Malicious Code

Websense® Security Labs™ has discovered a new email campaign that is using the recent, tragic plane crash in Brazil.

Users receive an email that attempts to lure users into connecting to a Web site containing information that roughly translates into the following:

"TAM reports that flight JJ3054 has taken off from Porto Alegre with 170 people onboard, between passengers and employees plus six more crew members (commanders and flight attendants)."

"As soon as their names are confirmed, we'll notify the families before any further information becomes public, as determined by existing law.
We remind you that TAM has started its Victims and Family Assistance Program and provided a collect number 0800-117900, designed to provide information to families and crew members from this flight."

"TAM has made public all information available so far.  Any relevant information will be provided immediately from TAM."
 
"Public Relations - TAM
Tel: (11) 5582-8167/8685/8153 "

The site is hosted in Korea, appears to have been compromised, and has hosted malicious code in the past from the Brazil region.

If users click on the link, they are prompted to run some code. The code, when launched, is a Trojan Downloader that connects to another site to download and install an information-stealing Trojan Horse.

 

Websense Security PG™ customers are protected from connecting to the site.

 

Email screenshot: