Beware of 'wrong transaction' hotel spam

Spam messages about mischarged hotel expenses lead to fake antivirus

If you get an e-mail message telling you a hotel has erroneously charged your credit card account, be careful. The odds are that it's part of a new spam campaign that could infect your computer.

The messages started popping up in recent days and there are already hundreds of variants on the same theme: A hotel wrongly charged a credit card number and the victim is supposed to fill out an attached form to process the refund.

"Please see the attached form. You need to fill it out and contact your bank for return of funds," read one such message, titled "Hotel Breakers Palm Beach made wrong transaction."

The 'refund' form is actually a malicious Trojan horse program that installs fake antivirus software on the victim's computer, according to Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, who blogged about the spam messages Wednesday.

His group, which maintains a massive real-time database of spam messages, has received more than 800 copies of the spam. That's not a lot of messages, but the campaign is still new.

The messages seem to be coming from the same botnet of infected computers that recently sent out similar messages warning victims that their credit card payments were overdue. Those messages led to the fake antivirus downloads too, Warner wrote in his blog post.

It's standard operating procedure for spammers to alter their messages now and then to trick new victims.

But any unsolicited message that includes an attachment should always be treated as suspicious.

Fake antivirus software is a major annoyance. It points out bogus security problems on a victim's computer and keeps pestering them until they pay out money -- usually between US$40 and $120 -- to buy the fraudulent antivirus product.

Consumers who aren't sure whether these messages are legitimate should use Google to find the company's website and then call them, security experts advise.

And while many antivirus products will detect the malicious attachments used in this latest spam, the criminals change their malicious software so frequently that it's hard for the security companies to keep up. As of late Wednesday, only 19 out of 43 antivirus products used by the VirusTotal website detected this latest Trojan program.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags University of Alabama at Birminghamsecuritymalware

More about GoogleIDGPalm

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place