Updated – Incorrect hotel charges – install malware for refund

Following the UPS and “map of love” outbreaks of the last few weeks, today saw further large amounts of email-attached malware. Today’s emails taunt recipients with claims of incorrect hotel charges that can only be remedied by opening an attached file. Some recipients will no doubt want to correct the incorrect charges (other recipients will want to correct the English). 

The zipped attachments contain an executable file (BookingRefund.exe) that displays the icon of a PDF file.

Samples of the email text:

Dear Guest!

On July 26th, 2011 Hotel made wrong transaction writing-down from your account for an overall amount of $1390. This partner hotel was divested accreditation in Booking Company with reference of noncompliance of the service contract. Please see the attached form. You need to fill it in and contact your bank for the return of funds. In the attachment you will find expense sheet with the sum of wrong transaction decommissioning. Company just mediates and bears no responsibility for any money transactions made by Hotel.

Thank you for understanding. We trust you can solve this unpleasant problem.

Manager: Eolande Ardens

Dear customer!

On July 26th, 2011 Hotel made wrong transaction error of transaction from your credit card for an overall amount of $1280. This partner hotel was divested accreditation in Booking Company with reference of noncompliance of the service contract. For the return of funds please contact your bank and fill information in the attached form. In the attachment you will find expense sheet with the sum of wrong transaction debiting. As Company is not responsible for money transactions and acts as intermediary you can seize the court directly to return the funds from the Hotel.

Thank you for understanding. We trust you can solve this unpleasant problem.

Manager: Jodi Tally

Update: To get a feel for the scale of this attack, have a look at the graph below from one of our real-time traffic monitors. The top blue line is all spam. The orange line represents emails with malware attached. As shown, at around 12pm (Pacific time) the “hotel” series represents nearly 80% of malicious email sent (tens of millions of emails).