abstract image
Blog Farsight TXT Record

Free Airline Tickets: The Latest Internationalized Domain Name-based Homograph Scam

08/13/2018
Share this entry
DomainTools Favicon
Farsight Security

Introduction

As part of our continuous monitoring of the Internationalized Domain Name (IDN) space, Farsight recently found evidence of what appears to be an ongoing IDN homograph-based phishing campaign targeting mobile users. The suspected phishing websites purport to be those of commercial airline carriers offering free tickets, but, instead, appear to subject the user to a bait-and-switch scam.

Note: As Farsight has done in the past, all attempts were made to contact each affected organization in advance of this publication.

“Free Tickets”?

The suspected phishing websites present the user with the promise of free airline tickets if they answer four innocuous questions (the responses don’t seem to matter). Once the user answers the questions, he is instructed to share the “offer” with 15 WhatsApp contacts before being redirected to another URL where presumably the user is prompted to enter credit card details².

As observed, the domain names for the suspected phishing sites are IDN homographs (lookalikes of well known sites that switch out certain Basic Latin characters for homoglyph characters from similar scripts). They presented as being sourced from the following three airline carriers (the hyperlinks below are to the official websites for each):

Those familiar with current and recent phishing campaigns will recognize that this campaign appears to be a fork of the recent “Free Adidas” phishing campaign. This particular campaign just underscores how easily a brand on the Internet can be used fraudulently and one campaign can be repurposed to attack a different and unrelated sector⁴.

The websites are optimized for mobile and render a bit clumsily on desktop as shown below:

Figure 1: Screenshot of a suspected Delta phishing website delta phish screencap

Figure 2: Screenshot of a suspected EasyJet phishing website easyjet phish screencap

Figure 3: Screenshot of a suspected RyanAir phishing website ryanair phish screencap

In an effort to make the pages seem more legitimate and familiar, they all include a Facebook-like section where it is made to appear as though a number of users have liked or loved the “post” along with a handful of positive comments as shown below¹:

Figure 4: Screenshot of the “Facebook-like” social content for the EasyJet website easyjet social screencap

Figure 5: Screenshot of the “Facebook-like” social content for the RyanAir website ryanair social screencap

Finally note that RyanAir site presented a DV SSL certificate³.

Appendix A: Suspected IDN Phishing Sites

The following section lists each of the Fully Qualified Internationalized Domain Names (FQIDNs) observed by Farsight that served a suspected phishing site. Please note this list is not guaranteed to be exhaustive.

Punycode Encoded FQDNs      Unicode Encoded FQDNs

www.xn--deta-1kb.com.    -> www.deǀta.com.        (Latin `l` is replaced with a "Latin Letter Dental Click" (U+01c0))

www.xn--easyje-n17b.com. -> www.easyjeṭ.com.	  (Latin `t` is replaced with a Latin Small Letter T with Dot Below" (U+1E6d))
www.xn--easyjt-m4a.com.  -> www.easyjėt.com.      (Latin `e` is replaced with a Latin Small Letter E with Dot Above" (U+0117))

www.xn--ryanai-1x7b.com. -> www.ryanaiṛ.com.      (Latin `r` is replaced with a Latin Small Letter R with Dot Below" (U+1e5b))

Footnotes

¹ Farsight discovered the suspected Delta phishing site first and informed them immediately. Perhaps due to this, the site was taken down shortly thereafter and we were unable to get a screen capture of the social component.

² Apart from the initial observation, light reconnaissance, and reporting, Farsight did not perform extensive study of these suspected phishing sites.

³ The certificate for https://www.xn--easyje-n17b.com was self-signed and had expired in May 2018.

⁴ Farsight Security recently wrote a report on the prevalence and distribution of IDN homographs, available here.

Mike Schiffman runs in O(n!) for Farsight Security, Inc.

Related Content

DomainTools Investigations Domain Intelligence Report
Blog

The Domains Start Coming and They Don’t Stop Coming

Read more
Verizon DBIR 2025 DomainTools Reflections
Blog

DomainTools Reflections on the 2025 Verizon DBIR

Read more
Abstract digital network with glowing blue and orange points connected by lines, resembling DNSDB Plus Sign Wildcard queries, forming two dynamic, wavy mesh layers on a black background.
Blog

DNSDB Standard Search's New "Plus Sign" Wildcard: It Matches Exactly One Label

Read more
DomainTools Logo
Pricing Contact Login Support Request a Demo

© 2025 DomainTools

DomainTools® and DomainTools™ are owned by DomainTools, all rights reserved.

Privacy Policy    |    California Privacy Notice
Do Not Sell My Personal Information    |    Terms of Service    |    Sitemap