Barracuda Labs researchers recently came across impressively convincing fake ticket confirmation e-mails from American Airlines, which link to a subdomain of www.aa.com.reservation.
"The intent of the URL is to draw your eye towards the part that says www.aa.com, even though that domain has nothing to do with the link," note Barracuda's Luis Chapetti and Dave Michmerhuizen. "The actual attacks are delivered from a long subdomain that starts with www.aaa.com.reservation….., which also attempts to disguise that they come from a malicious domain registered only days earlier."
The body of the e-mail reads, "Thank you for making your travel arrangements on AA.com! Your requested itinerary is now ON HOLD. Details below. To ensure that your reservation is not canceled you must complete the purchase of this reservation by clicking the 'Purchase' button on this email, or by using the 'View/Change Reservations' section on www.aa.com."
All links in the e-mail actually lead to sites hosting the Blackhole exploit kit, which looks for ways to exploit the victim's browser.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
To stay safe, Chapetti and Michmerhuizen advise, don't click on links in unsolicited e-mails, no matter how convincing they may seem -- always visit the relevant Web site directly, rather than clicking on a link in an e-mail.