Phishing Attack Warns About Boeing 737 Max Crashes And Infects Computers

Airplane Crash Scam Warning – “Look out for emails in your inbox from “analysts” about the recent Boeing 737 Max airplane crashes, asking you to notify your loved ones about possible other airlines “that will go down soon”. These emails come with infected attachments that might make it through the filters. Always be alert about emails with unknown attachments, and never open an attachment unless you are expecting it from the sender and have confirmed they have actually sent it.”

A new campaign is underway that uses the recent Boeing 737 Max crashes as a way to infect PCs with both remote access and info-stealing Trojans. This new campaign was discovered by 360 Threat Intelligence Center.

These emails pretend to be from a private intelligence analyst who found a leaked document on the dark web. The document purports, in broken English, to contain information about other airline companies that will be affected by similar crashes soon. The emails are coming from an email address at and have subject lines similar to “Fwd: Airlines plane crash Boeing 737 Max 8”. They also contain a JAR file as an attachment with names similar to MP4_142019.jar.
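A mail-gateway style check for the attachment pattern described above, as an added example that is not code from the original report or from 360 Threat Intelligence Center. It flags attachments that are JARs by extension or by content, so a JAR renamed to look like a document is still caught; the sample message, the `report.pdf` name and the harmless archive contents are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage


def is_jar(payload: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying a JAR manifest or .class files."""
    if not payload.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)


def flag_attachments(raw: bytes) -> dict[str, list[str]]:
    """Map attachment filename -> reasons it should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".jar"):
            reasons.append("jar-extension")
        if is_jar(data):  # declared MIME type and filename are ignored here
            reasons.append("jar-content")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed message: a harmless ZIP with a manifest, attached under two names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    msg = EmailMessage()
    msg["Subject"] = "Fwd: Airlines plane crash Boeing 737 Max 8"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="video", subtype="mp4", filename="MP4_142019.jar")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```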

Triton A Murderous Malware, and it is Spreading

Back in the summer of 2017, hackers deployed malicious software, or malware, in a petrochemical plant in Saudi Arabia, which allowed them to take over the plant’s safety instrumented systems. These physical controllers and their associated software are the last line of defence against life-threatening disasters. They are supposed to kick in if dangerous conditions are detected, returning processes to safe levels or shutting them down altogether.

The malware made it possible to control the systems remotely. Had the intruders disabled or tampered with them, and then used other software to make equipment at the plant malfunction, the consequences could have been catastrophic. Fortunately, a flaw in the code gave the hackers away before they could do any harm. It triggered a response from a safety system, which brought the plant to a halt. Then in August, several more systems were tripped, causing another shutdown.

Mobile Phishing Campaign: Homograph Characters + "Free Flights"

Kacy Zurkus at the InfoSec group had the scoop on a campaign recently reported by Farsight Security involving an internationalized domain name (IDN) “homograph-based” phishing website that tricked mobile users into inputting their personal information.

The suspected phishing websites presented as commercial airline carriers – specifically Delta Airlines, easyJet and Ryanair – and offered free tickets, fooling users with the age-old bait-and-switch technique.

Users were asked to respond to a series of seemingly innocent questions and then share the free offer with 15 of their WhatsApp contacts before being directed to the URL where they could access the free tickets. After Farsight discovered the first suspected Delta phishing site, it immediately informed the company. According to Farsight researchers, the websites were optimized for mobile and failed to work smoothly on desktop, leaving mobile users as prime targets.

It’s not unusual for phishing scams to use spoofed sites and homograph domains to fool unsuspecting users with trusted brand names. “Users, especially on smaller mobile screens, may not be paying close attention to the URLs or domain names of sites to verify their legitimacy,” said Dirk Morris, chief product officer at Untangle.
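One way a defender can screen domain names for the IDN homograph pattern described above, shown as an added example that is not code from Farsight Security or the original article. It decodes `xn--` labels to the form a user would see, reduces look-alike characters to an ASCII skeleton and compares the result with the three brands named in the report; the confusables table is a small constructed subset and the sample domains are constructed.

```python
import unicodedata

WATCHED = ("delta", "easyjet", "ryanair")  # brands named in the report

# Constructed, deliberately small look-alike table; a production check would
# load the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0501": "d", "\u03b1": "a", "\u03bf": "o", "\u0131": "i",
}


def to_unicode(domain: str) -> str:
    """Decode any xn-- (punycode) labels so the name can be inspected as displayed."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Strip accents and map known look-alikes to ASCII."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(CONFUSABLES.get(c, c) for c in decomposed if not unicodedata.combining(c))


def scripts(label: str) -> set[str]:
    """Scripts used by the letters of a label, taken from Unicode character names."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def check_domain(domain: str):
    """Return (displayed form, impersonated brand or None, mixed-script flag)."""
    shown = to_unicode(domain)
    for label in shown.split("."):
        if label.isascii():
            continue  # plain ASCII labels cannot be IDN homographs
        brand = next((b for b in WATCHED if b in skeleton(label)), None)
        if brand or len(scripts(label)) > 1:
            return shown, brand, len(scripts(label)) > 1
    return shown, None, False


def sample_idn(label: str) -> str:
    """Build the xn-- wire form of a constructed look-alike label."""
    return "xn--" + label.encode("punycode").decode("ascii") + ".com"
```

For example, `check_domain(sample_idn("d\u0435lta"))` reports the brand `delta` and the mixed-script flag, while the genuine ASCII `delta.com` and an ordinary accented name such as `münchen.com` pass unflagged.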

Despite having been around for a while, these types of attacks remain largely successful. “Studies have shown that 95% of web-based attacks use social engineering to trick users,” said Atif Mushtaq, CEO at SlashNext.

“These types of contest phishing scams have become increasingly sophisticated, in large part because people are getting trained by their organizations to recognize fake emails, giveaway scams or imposter websites asking for credit card or login details.”

Being duped by sophisticated phishing scams is not uncommon, but there are common signs to look for in phishing scams. What users need to remember is that nothing is ever really free, explained Ajay Menendez, executive director, HUNT Program at SecureSet.

“Check the ‘from’ email address for any signs that it might not be legitimate, and look for numbers instead of letters or common misspellings or letters that are inverted or missing. Poor spelling and grammar can be giveaways in the body of the email,” Menendez said.

“Your bank and other legitimate accounts will never ask for your social security number in an email. If you receive an email asking for this information, call your bank (and any other company who may be requesting this) to confirm. Never provide email, account information or passwords via email.”

“Many phishing scams will look very legitimate,” he said, “so even if the email looks like it comes from your cable company, be extra cautious. This is an instance where an ounce of prevention is worth a pound of cure.”