
Travel Advisory: Don’t Let These Scams Steal Your Summer Fun

NOTE: Iris Detect has supplanted PhishEye, with dramatically expanded capabilities. Please explore Detect for your brand protection, anti-fraud, and spoof infrastructure analysis needs.

The temperature is rising and we’re all getting a case of “summeritis”—leaving the office a little earlier to catch some rays, planning summer BBQs and beach days, and booking travel to get some much-needed R&R. But while you’re getting carried away at work daydreaming about lying by a pool on a remote island, hackers are not taking any PTO. It’s prime phishing season and vacation-goers should be on high alert for travel-related scams. To help protect summer travelers this year, we conducted research on the most popular airline and travel booking sites to uncover how frequently these brand names are involved in phishing attempts.

Attackers go where the money is, and travel is a natural magnet—a lot of money is involved, and a lot of the action takes place online. Hackers are betting that consumers will be distracted during the summer as they begin to finalize their travel plans, so they rev up campaigns to imitate important travel artifacts such as flight reminders, upgrade offers and promos, false cancellation or delay notices, and more. The domains we uncovered in this study are part of many such scams.

If you’ve been keeping up with our PhishEye reports over the past few months, you’re well-acquainted with the prolific work of bad actors aiming to nab unsuspecting victims. With the help of PhishEye, we were able to discover domains that mimic top airline and booking sites in the United States and across the pond in the United Kingdom. Along with identifying dodgy domain names, PhishEye also flagged some of the domains as high risk via DomainTools’ “proximity to known maliciousness” algorithm. Such domains are closely connected to other domains that have already been added to industry blocklists for malicious activity such as spam, malware, or phishing.

As with our other recent PhishEye reports, we began by determining which brands to research. Typically, our hypothesis is that the largest companies are likely to be the most lucrative for scammers seeking to spoof domain names, so we took the top airlines based on passenger bookings, and the top travel booking sites by number of site visitors. This gave us not only a good set of online properties to investigate, but also a sense of the potential pool of victims (the criminals’ “total addressable market”).

Here are some highlights of our findings:

US-Based Travel Sites

  • American and United Airlines had the largest number of high-risk domain names associated with their brand names. Specifically, we found 17 high-risk spoofs of American Airlines, 12 of which were found on domain blocklists for malicious activity.
  • United Airlines took second place in number of spoofs, with 11 of the offending domains identified as high-risk.
  • Of the travel and booking sites analyzed, Expedia and TripAdvisor are the most frequently spoofed, with both terms exhibiting over 30 associated imitative domain names.
  • Both Expedia and TripAdvisor had over 20 malicious domain names with risk scores of 100 associated with the brands.
  • With both the airline and travel booking companies, common domain spoofing techniques were used. For instance, we often noticed typos and duplicate letters: tripadvisorrentalss[.]com, unitredairlines[.]com or wwwamericanairlines[.]it.




Europe-Based Travel Sites

  • Turning our attention to the European travel market, we found that hackers were targeting potential holidaymakers with just as much zeal as in the US. However, the popularity of spoofed travel and booking sites did not make its way across the Atlantic. In terms of methodology, we again picked European companies based on the highest number of monthly visitors.
  • Interestingly, the two companies with the most spoofed domains were both independent airlines. By far the most targeted European airline was Lufthansa, which garnered 81 associated domains with a DomainTools risk score above 70. Of these 81, over half (46) had been given a risk score of 100, meaning they have been placed on industry lists of known-malicious domains.
  • From the UK, budget air travel giant EasyJet is the most regularly spoofed, with 43 domains with a score above 70, and 30 at 100.
  • Like the US findings, many of these domains exhibited the classic hallmarks of a phishing campaign. One of the domains associated with Lufthansa, for example, used a 1 for the leading “L”: 1ufthansa.
  • There are also telltale signs of phishing campaigns based around fraudulent competitions or compensation claims, such as Ryanair-freepass[.]us and easyjet-claims[.]us. These kinds of campaigns will be delivered to potential victims by email or SMS, hoping they will enter personal or financial details that can then be used directly by the phishers or sold on underground markets.
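The spoofing patterns named in both lists above (typos, a fused "www", a digit standing in for a letter, and intact brand names with bait keywords such as "-claims") can be triaged programmatically. The following is an added example, not DomainTools' or PhishEye's code; it labels the domains quoted in this post, and the brand watchlist strings, the digit map, and the edit-distance threshold of 2 are assumptions.

```python
# Added example: triage lookalike domains against a brand watchlist.
# BRANDS, the digit map and the distance threshold are assumptions.
BRANDS = ["americanairlines", "unitedairlines", "tripadvisor", "expedia",
          "lufthansa", "easyjet", "ryanair"]
DIGIT_LOOKALIKES = str.maketrans("1035", "loes")  # 1->l, 0->o, 3->e, 5->s

# Domains quoted in this post (defanged as published).
SAMPLES = ["tripadvisorrentalss[.]com", "unitredairlines[.]com",
           "wwwamericanairlines[.]it", "1ufthansa",
           "Ryanair-freepass[.]us", "easyjet-claims[.]us"]

def first_label(domain):
    """Left-most label of a (possibly defanged) domain, lower-cased."""
    return domain.lower().replace("[.]", ".").split(".")[0]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, max_typos=2):
    """Return (brand, technique) for a lookalike, or None if nothing matches."""
    label = first_label(domain)
    undigited = label.translate(DIGIT_LOOKALIKES)
    for brand in brands:
        if label == brand:
            return brand, "exact-label"        # same name; check TLD and owner
        if brand in undigited and brand not in label:
            return brand, "digit-substitution"  # e.g. 1 standing in for l
        if label.startswith("www") and brand in label[3:]:
            return brand, "www-prefix"          # missing dot after www
        if brand in label:
            return brand, "brand-plus-keyword"  # intact brand, extra words
    # Brand not intact: fall back to the closest brand by edit distance.
    best = min(brands, key=lambda b: edit_distance(label, b))
    if edit_distance(label, best) <= max_typos:
        return best, "typo"
    return None

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:28} {classify(d)}")
```

Note that tripadvisorrentalss is labelled brand-plus-keyword rather than typo, because the brand itself is intact and the doubled letter sits in the appended word.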




Staying Safe

The usual rules apply: keep your guard up, even as you look forward to relaxing. You’ll enjoy that holiday a lot more when you know that you didn’t get taken by a scam. Be aware that we are all potentially susceptible to phishing. Unless you are absolutely immune to distraction, temptation, or fatigue (which most likely would mean you were a cyborg), you should practice a healthy paranoia. Here are some specifics:

  • Go Direct: When booking summer travel, consider booking directly through the airline instead of a third-party site as a safer alternative.
  • Enroll in “summer school”: Stay educated and up-to-date on the latest scams that circulate through the web. For example, avoid high-pressure tactics such as “Book now,” “Only three rooms left,” or “Sale ends tonight.”
  • Stay alert: Don’t let summer distract you from keeping an eye out for sketchy domains—sign up for alerts from the company you booked through, so you’ll know when it’s legit.
  • Go on “Do Not Disturb”: Flag phishy emails and send those straight to your spam folder.
  • Think before you click: Hover your mouse over any suspicious domain names or links to find out if they’re who they say they are.