Email Phishing Scam: Online Air Canada Ticket Purchase

She phoned me in a tizzy: someone had used her credit card to purchase an Air Canada ticket for $375 CAD, and the flight was leaving in a couple of days. What to do? First, calm down and don't have a cow. To be safe, check your credit cards. The next step is to scrutinize the email to see whether any pieces of info in it are illegitimate. Is this really a risk, or just a spam/phishing scam?

Here is her email:


From: Air Canada [mailto:tickets@aircanada.com]
Sent: February-17-14 9:05 AM
To: XXX XX
Subject: Your Order # FF6F57 - PROCESSED
Importance: High

Dear Customer,

Your order has been processed and your credit card has been successfully charged.

ELECTRONIC TICKET# 801922031
DELIVERY EMAIL : XXX@XXX.ca
FLIGHT # QB801922031CA
DATE & TIME / FEB 19th, 2014, 11:30
DEPARTING / Toronto
TOTAL PRICE / 375.00 CAD

Please download and print your ticket from the following URL : https://www.aircanada.com/travelInformation/viewOrderInfo.do?ticket_number=801922031&acton=download&fid=QB801922031CA

For more information regarding your order, contact us by visiting : http://www.aircanada.com/en/customercare/index.html

Thank you for choosing Air Canada

The logical step she took was to contact all her credit card companies and ask about the ticket purchase. All her credit card companies said they did not see such a purchase on her cards. The next thing we did was to call Air Canada, and, upon hearing that there would be a 36 to 45 minute wait for a CSR, I hung up. So much for your help, Air Canada.

It was time to get sleuthy. Using Gmail I was able to see the header and more detailed info of the email.

Please download and print your ticket from the following URL : https://www.=
aircanada.com/travelInformation/viewOrderInfo.do?ticket_number=3D801922031&=
acton=3Ddownload&fid=3DQB801922031CA

Did you notice the URL “<http://mediarama.ma/order_801922031.doc>”? Isn't that odd? I googled “mediarama.ma” and got some hits about phishing originating from Morocco at IP address 92.61.146.80. The exact phrase “order_801922031.doc” showed up on URLquery. Not only was this odd, but the email address used was an old one, one that had not been used for many years. Very odd.

More specifically in HTML:

Please download and print your ticket from the following URL : <a href=3D"h=ttp://mediarama.ma/order_801922031.doc">
https://www.aircanada.com/travelInformation/viewOrderInfo.do?ticket_number==3D801922031&acton=3Ddownload&fid=3DQB801922031CA</a>
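The same comparison of visible link text against the real href can be done mechanically. This is an added example, not part of the original post: it decodes a quoted-printable body and flags anchors whose displayed URL and href are on different hosts. The sample input is the anchor above re-wrapped as valid quoted-printable, and the class and function names are this example's own.

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the anchor quoted above, re-wrapped as valid
# quoted-printable ("=" at end of line is a soft break, "=3D" is "=").
SAMPLE_QP = (
    b'Please download and print your ticket from the following URL : <a href=3D"h=\n'
    b'ttp://mediarama.ma/order_801922031.doc">https://www.aircanada.com/travelInf=\n'
    b'ormation/viewOrderInfo.do?ticket_number=3D801922031&acton=3Ddownload&fid=3D=\n'
    b'QB801922031CA</a>\n'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, or '' if the string is not a URL."""
    return (urlparse(url).hostname or "").lower()

def mismatched_links(raw_qp_body):
    """Return (shown_host, real_host) pairs where the link text is itself
    a URL but the href points at a different host."""
    html = quopri.decodestring(raw_qp_body).decode("utf-8", errors="replace")
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    pairs = [(host(text), host(href)) for href, text in parser.links]
    return [(shown, real) for shown, real in pairs if shown and real and shown != real]

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_QP):
        print(f"link text shows {shown} but href goes to {real}")
```

Links whose visible text is not a URL (for example "click here") are not flagged by this check, so it only catches the disguise used in this email.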

Conclusion: This email was sent randomly throughout the internet using a spam bot in the hopes that the recipient would click on the “download and print your ticket” link, which might deliver a virus to the recipient. We did not click this link.

Why Did the Scam Work?
-Recipients in general do not scrutinize their email headers, nor the URL links in their emails. This is beyond the understanding of most people, but maybe they should learn.
-Air Canada, the company used in the scam, is large and well known. Calls to their customer service centre usually require a long wait, and most people will not wait for 30-45 minutes.
-The email seems credible enough, with no obvious English spelling mistakes.

We can laugh now that we have figured out it was bogus, but she was quite frantic at the thought that someone else was illegally using her credit card. As well, it showed us that Air Canada’s call centre was pretty useless.
