Ghost flights

Top global airline companies have been compromised through fake links distributed by "friends" on Facebook

Group-IB specialists have tracked a large-scale fraudulent attack using brands of top-tier international companies including: Emirates, Lufthansa, El Al Israel Airlines, SPAR, Virgin America, Delta Air Lines, Air France, and Aeroflot. According to Threat Intelligence, which is part of the Group-IB's early warning system, cybercriminals registered 95 fake websites using names of 19 well-known brands to drive traffic. Airlines were the first to be attacked, which is not accidental: in May-June the summer vacation season starts. Group-IB has notified customers of threats and quickly blocked infringing resources.
How does this fraud scheme work?

1. "#Emirates is giving away 2 tickets" — this post about a gift of unprecedented generosity has become extremely popular on Facebook in the last few days. Fraudsters, like marketing managers, often leverage an effective freebie strategy (gifts, prize drawings and "special promotions", as well as free movies) to attract public attention. The attack success is guaranteed in the event the user's friends on social networks actively participate in the link distribution..

2. When users click on the Facebook link coming from friends, they will be forwarded to an emirates-free-2-ticket-com-abracadabra-dot-com website, on which visible appearance alone should already be alarming to you. That said, to avoid suspicion, criminals use "spoofing", creating addresses disguised as well-known brands.
Fake Virgin America web-site that offers 2 free tickets
3. When visiting fake websites, the user is prompted to answer a few simple questions: "Do you really want to get 2 free tickets from Emirates?" and "Confirm that you are an adult". This technique is called "gypsy hypnosis" – positive responses to simple questions help to establish trust.

4. The user is then asked to provide his personal information: name, email, phone, date of birth, and address.

5. Following this, you will receive a message saying "Congratulations! You won two tickets!" To get them, you need to like the page and share the post. That is how you may unknowingly involve your friends in the fraudulent scheme.

Aeroflot warned: participation in the lottery can lead to the theft of your personal data, funds, hacking and spamming. To protect yourself, trust only official sources - information on our website www.aeroflot.ru and the real Aeroflot communities in social networks.
Why is this threat dangerous?
This is a scam. According to Group-IB investigation department this scheme is used for fraudulent marketing purposes, namely to provide traffic to a US company that provides online promo and monetization of the web- and mobile applications services. The best of the 'worst' case scenarios is that your information will be sold to advertising agencies for spamming.

According to Group-IB Threat intelligence, attackers registered websites for the first time in late March. The threat actors are located outside Russia, which is confirmed by the following evidence: Facebook is used for promotion, 98% of victims are foreign brands, websites are registered by foreign citizens, and the registrar is in the USA.

Attack, in the first place, is aimed at foreign Facebook users
Official warnings
Aeroflot has already notified users, saying that the company has nothing to do with the fake contest: "Be careful and do not participate in dubious promotions posted on third-party resources acting as our company."

The risk is that this scheme, if technically modified, can be used by hackers to attack your devices, for example, by redirecting the user to a malicious program. Group-IB specialists believe that the user may face one of the following scenarios:

- In the event you use a mobile online bank, your device may be infected to steal money; Even if you do not use your phone as an e-wallet, you can also be signed up for paid services – when you enter your phone number and (without looking) accept the proposed terms of service.

- In the event your computer is part of a corporate network, then it can be leveraged to infect the entire network of the organization;

- Your computer may be connected to a botnet to conduct automatic DDoS attacks;

- Your computer may be used to mine bitcoins, store prohibited materials (such as illegal pornography), to conceal traces of crimes (for example, as a proxy server); It is not necessarily that the same individuals will be engaged in these new crimes - access to your computer may be sold for $1-2 dollars on the deep web;

- Your device will be scanned for compliance with certain characteristics (for example, 1C files, databases, etc.) and sooner or later your sensitive information will be stolen;

- In the event your phone is infected, in addition to the above-mentioned threats, your correspondence in messengers, as well as all photos and notes may also be stolen;

- If your naughty pictures are stored on the device, you may be blackmailed or demanded to pay a ransom;

- If you are a person of importance (which can be understood almost automatically), access to your device will be sold on the underground market to quite different 'specialists'. This will be the beginning of your real problems (espionage, wiretapping, competitive intelligence, competitive battles, leaks in media, etc.), and you will learn about it post-factum.
Among the victims of the attack, not only airlines, but also luxury brands
How to avoid becoming a victim
  • Do not click on suspicious URLs in emails, even when coming from your friends. Do not trust anyone.
  • Do not be lazy to check how the official website looks. Pay attention to the domain name and web interface of the resource. For example, the official website of Aeroflot is www.aeroflot.ru.
  • Avoid resources that request your personal data.
  • Install the latest operating system updates.
And the most important: If you have something to lose, you should change your approach to cybersecurity. Start with yourself: stay up-to-date on security trends by following us on Twitter and LinkedIn. If cybersecurity is part of your job, we recommend that you conduct trainings for employees, perform security assessments of your systems, communicate with security professionals, and use special equipment to combat targeted attacks. But most importantly – change your attitude, because the threat is real. Your unthoughtful behavior is a quick-selling product on the black market, and the volume of this market today is estimated at billions of dollars.

* Group-IB is in touch with the local Police on this incident.