Fake Deutsche Bahn Ticket Reservation Infects Germans with Malware

A recent wave of malware-laden spam e-mails infects recipients with the Gamarue Trojan. The malware is delivered as an attachment disguised as an on-line train ticket reservation at Deutsche Bahn, the German passenger transportation and logistics company.

The dangerous messages inform receivers of a successful on-line ticket reservation at Deutsche Bahn (German Railways) and politely ask them to print the attached ticket on paper and present it to the ticket collector along with their ID card.

Printing the attachment implies accessing the dangerous attached zip file with the title “Ihren Fahrkartenkauf” (ticket purchase) plus a random number.

When users open the attachment, they are automatically infected with Trojan.Gamarue.AV – a threat that downloads further malware on their systems, collects sensitive data such as OS information, local IP address, and level of privilege to send it to a command and control center. The Trojan remains in contact with the remote attacker and silently executes orders such as downloading additional files and components, or uninstalling and updating itself.

For more credibility, fraudsters added in the e-mail body a few legitimate links back to the official Deutsche Bahn website.

Fraudsters abused the reputation of Deutsche Bahn because the company deals annually with billions of passengers and clients and operates in 130 countries across the globe, giving crooks a considerable pool of possible victims.

Gamarue is fraudsters’ Trojan of choice for quite a few spam campaigns targeting people all over the world, including Spain, the US, Australia, Romania, the UK or Croatia with bogus FedEx Shipment notifications or fake Vodafone MMSs unwanted messages. Cyber-criminals recycle most of these campaigns, every other month. Sometimes they change the phone numbers and dates in the message.

A reliable antivirus and updated software makes all the difference in such cases in shielding users from all kinds of online attacks.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the spam samples provided courtesy of Adrian MIRON, Bitdefender Spam Researcher.