Airline companies «landing» on fake pages

Top global airline companies have been compromised by fraudsters for the second time during the last six months.

Group-IB has tracked the second virus attack using brands of major international airline companies including: Lufthansa, Air Canada, Swiss International Air Lines, British Airways, Air France, and Austrian Airlines. According to Threat Intelligence, which is part of the Group-IB's early warning system, in September cybercriminals registered at least 86 fake websites using names of well-known brands. The previous viral campaign was launched by fraudsters in June at the height of the holiday season. They used it for ad traffic upsurge.

This time, criminals used the tried and tested "gift" scheme for promotion on Facebook: "Lufthansa is giving away 2 tickets!" These posts are actively shared by colleagues, friends and acquaintances – and under the influence of the freebie strategy and their friends, a person goes on a website with an airline company's logo. Fraudsters deliberately create addresses using names of famous brands in order to put people off their guard. This technique is called spoofing.

To get the free air tickets, a user is prompted to answer a few simple questions: "Have you ever traveled with our company?", "Do you really want to get 2 free tickets?", and "Confirm that you are an adult". After that, the message "Lufthansa is giving away 2 tickets!" and a photo of two boarding passes with the airline's logo are displayed. To get them, a user needs to like the webpage and share the post among their friends in their account. That is how you may unknowingly involve your friends in the fraudulent scheme.

Of course, there are no free air tickets. The best of the 'worst' case scenarios is that a user is redirected to an advertising page and fraudsters receive money for increased traffic. Now, this viral campaign has started in Europe – the first posts have been shared by Facebook users abroad. On September 26, Lufthansa notified users about the fake campaign on its official Facebook page and urged passengers to resist provocations and think about their security!

Lufthansa is not the only company that has faced such troubles. Specialists of the Group-IB CERT (Computer Emergency Response Team) revealed that at least 86 domains had been registered in the name of a certain Rachita M. since August 31 and that those domains used international airline companies' names: Air Canada, Swissair, British Airways, Air-France, Austrian Airlines, and others. Fraudsters made photos of the companies' official board passes for each fake campaign, and the questionnaire was prepared in the airlines' national languages.

A similar large-scale fake campaign was tracked this June. Specialists of Group-IB's Investigation Division found out that fraudsters used airlines' brands to increase traffic on the websites of clients of an American company providing website and mobile app promotion and monetization services. In some cases, users were asked to provide their personal information: name, email, phone, date of birth, and address, or were signed up for paid services.

This time, the ultimate goal of the campaign is unclear – users are not forwarded anywhere. Some of the detected phishing websites with questions do not open – it may be the case that fraudsters are just preparing for a large-scale campaign.

The danger here is that this scheme can be used by hackers for cyberattacks. Special people – traffers – redirect users from popular websites to malicious ones where money stealing Trojans are downloaded. Your computer may be connected to a botnet to conduct DDoS attacks or used to mine bitcoins.

It is not unusual for fraudsters to use a company's brand, logos and brand colors, or even completely copy its website. This may cause irreparable damage to the company's reputation. Our technologies are able to monitor millions of resources and expose fraudulent websites immediately after a domain has been registered.

Dmitry Rusakov

Head of Brand Protection, Group-IB.

Why is it dangerous for airline companies?

Users do not receive the promised gifts or find out that tickets are invalid, and start bombarding airline companies with complaints, or they spread disapproving comments on social networks. We recommend that companies use domain name monitoring systems in order to find fake websites and check search results and block fake websites and accounts in social networks.

How can passengers avoid becoming victims to fraudsters?

Observe the "digital hygiene rules". Do not click on suspicious URLs. Do not provide your personal data on dubious resources. Pay attention to the domain name and web interface of the resource. Do not be lazy to check how the official website looks. Install the latest operating system updates. Remember that anti-virus solutions do not provide a 100% guarantee of protection.