A variation of a phishing scam aimed at members of American Airlines’ AAdvantage program is circulating again. With links to a phishing Web site embedded in a spam message, the scampaign promises (in characteristically broken English) that all participants in a survey will receive, depending on the campaign, either $100, or “$50 & 25,000 miles” credited to their account.
The spam messages are appearing not only in email inboxes, but also as posts on what appear to be compromised blogs. The messages usually include the following text, signed by “American Airlines Reward Department,” obvious errors and all:
We are proud to inform you that today (current date) AmericanAirlines.com launch a new reward program. Please log in to your American Airlines account and take the 5 questions survey. For your effort you will be rewarded with …
It’s also amusing to note that the fraudsters have had to periodically raise the bar on what they’re offering. In the earliest iterations of this scheme, dating back to autumn 2008, they only offered $50…no miles included. Even in this tough economy, a fraudulent offer of merely $50 isn’t good enough to snare dupes anymore. Suckers Customers can be so demanding!
It was a particularly busy weekend for spammers, especially the creepy, evil ones who are trying to steal information (as opposed to the merely scungy pill vendors and their ilk). Webroot’s Threat Research team has recently seen a glut of phishing messages which, like most, purport to come from banks and ask you to update your account information. But unlike most phishing messages, which contain a link to a Web site, these phishing messages include an attached HTML file which, in essence, puts the phishing page right on your hard drive.
When launched, the HTML file renders a sparse but effective phishing form in the browser. The pages warn the victim that “This account has been temporarily suspended for security reasons” and ask the victim to “confirm that you are the rightful owner of this account” — by providing the “bank” with a wide range of personally identifiable information they should already have, and never would ask you to provide through a Web-based form in the circumstances described in the message.
These pages also pull graphics from the banks’ Web sites–activity that, when it comes from a phishing site hosted on a server not belonging to the targeted bank, typically alerts the banks to phishy behavior. Because the graphics are loaded only once, from the desktop of the targeted victim, the banks can’t put a stop to it before it’s too late.