refund request? It might be an Agent Tesla malware attack

Graham Cluley

Always be wary of opening unsolicited attachments – they might harbour malware.

That’s a message that is being strongly underlined once again, following the discovery of a cybercrime campaign that is using the cover of travel service providers.

Security researchers at Forcepoint say that they have uncovered evidence that malicious hackers are sending out poisoned PDF files, designed to infect recipients’ PCs.

Malicious email

The emails claim that the sender’s credit card has been mistakenly charged twice for a hotel reservation, and ask for the matter to be investigated.

However, if the .PDF attachment (which, in the example above, has a filename referencing a travel website) is opened, malware is downloaded that ultimately deploys the Agent Tesla remote access trojan.

As researchers Mayur Sewani and Prashant Kumar explain, the remote access trojan (RAT) allows remote hackers to log keypresses, steal passwords and other data, and run commands on the infected PC.
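The article does not say which PDF feature the lure uses to fetch its payload, so the script below, an added example that is not from the article or from Forcepoint, performs the triage a mail-security engineer would run on such an attachment: it walks an inbound message, pulls out every PDF attachment, and flags the PDF name objects that let a document act on open, run JavaScript, launch a program or reach out to a URL. The sample message, the tiny PDF inside it, and the example.invalid addresses are constructed for this demonstration and do not come from the campaign described.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# PDF name objects that give a document active behaviour: act on open (/OpenAction, /AA),
# run script (/JavaScript, /JS), start a program (/Launch), fetch or post to a URL
# (/URI, /SubmitForm), or carry a payload (/EmbeddedFile, /RichMedia).
# Any of these in an unsolicited "refund" attachment warrants quarantine.
SUSPICIOUS_KEYS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                   b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia"]

# Compressed streams and object streams hide the keys above from a raw byte scan.
# Report them separately so a "clean" verdict on such a file is read as "unknown".
OBFUSCATION_MARKERS = [b"/FlateDecode", b"/ObjStm", b"/ASCIIHexDecode", b"/ASCII85Decode"]

# Words typical of the hotel/booking lure described in the article (assumption: a
# plausible lure vocabulary, not an indicator list published by Forcepoint).
TRAVEL_WORDS = ("booking", "reservation", "hotel", "refund", "invoice")


def scan_pdf(data: bytes) -> dict:
    """Return the active-content keys, obfuscation hints and URIs found in raw PDF bytes."""
    if not data.startswith(b"%PDF"):
        # Wrong magic bytes: a ".pdf" that is not a PDF is suspicious in itself.
        return {"is_pdf": False, "keys": [], "obfuscated": [], "urls": []}
    # Match names as whole tokens so "/JS" does not match a longer name such as "/JSX".
    keys = [k.decode() for k in SUSPICIOUS_KEYS
            if re.search(re.escape(k) + rb"(?![A-Za-z0-9])", data)]
    obfuscated = [m.decode() for m in OBFUSCATION_MARKERS if m in data]
    urls = [u.decode(errors="replace") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    return {"is_pdf": True, "keys": keys, "obfuscated": obfuscated, "urls": urls}


def triage_email(raw: bytes) -> list:
    """Walk an RFC 822 message and produce a verdict for each PDF attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True)   # None for multipart containers
        is_pdf_part = filename.lower().endswith(".pdf") or part.get_content_type() == "application/pdf"
        if not payload or not is_pdf_part:
            continue
        report = scan_pdf(payload)
        report["filename"] = filename
        report["lure"] = any(w in filename.lower() for w in TRAVEL_WORDS)
        # Active content, or a fake PDF, is enough to quarantine; an inert PDF from an
        # unknown sender still goes to a human rather than straight to the inbox.
        report["verdict"] = "quarantine" if (report["keys"] or not report["is_pdf"]) else "review"
        reports.append(report)
    return reports


def build_sample_email() -> bytes:
    """Constructed test message (not the real Forcepoint sample): a double-charge lure
    carrying a minimal PDF whose /OpenAction runs JavaScript and which names a URI."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
           b"3 0 obj << /S /JavaScript /JS (app.launchURL\\('http://example.invalid/x'\\)) >> endobj\n"
           b"4 0 obj << /S /URI /URI (http://example.invalid/payload) >> endobj\n"
           b"trailer << /Root 1 0 R >>\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "guest@example.invalid"
    msg["To"] = "reservations@hotel.invalid"
    msg["Subject"] = "Double charge on my credit card - please investigate"
    msg.set_content("My card was charged twice for the reservation. Details attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="Booking-refund-request.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_email(build_sample_email()):
        print(r)
```

Run as-is, the sample attachment is flagged for /OpenAction, /JavaScript, /JS and /URI and lands in quarantine. In production the raw scan is only a first pass: a real sample will usually wrap these keys in FlateDecode streams or object streams, which is exactly why the `obfuscated` field exists, and the next step is to inflate those streams (for instance with a PDF parsing library) before trusting a negative result.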


Although the example given by Forcepoint is disguised as a hotel booking query, it could just as easily pretend to be in connection with another travel service.

One danger is that a hotel receiving such an email might be tricked into opening the booby-trapped file, giving remote hackers an opportunity to break into the hotel’s reservation system – and potentially opening the door to yet more fraud.

In October last year I described how fraudsters had hacked into hotels’ accounts in order to target guests.

And I should know – I was one of those guests who was targeted.

For more discussion of how hotels were having their accounts hacked, be sure to listen to this episode of the “Smashing Security” podcast.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
