Airline Booking Confirmation Phish

Recently I came across an airline booking confirmation phishing email.  Whilst this is not necessarily a new phishing technique, the email and associated phishing website are quite interesting and at first glance could appear to be legitimate.  In the email, it states confirmation of payment made by credit card, and that the recipient should click an embedded link in order to print their tickets and flight information.

The email itself is in plain text and looks nothing out of the ordinary.  However, upon further investigation I noticed that the sending domain, which is spoofed, is not actually one associated with the airline.  It looks similar but the actual sending domain that is spoofed is for an air purifier and cleaner company and is not associated with the airline in any way.  This would appear to be just laziness on the part of the spammer for not checking that the sending website matches the airline that they are pretending to be and should immediately make anyone suspicious about the authenticity of the email.  Of course if you have not made any airline reservations, then the email would immediately cause suspicion It is possible, however, that the scammers would hope that the user might believe that they have received this email in error and click on the link anyway in order to investigate further.

Looking at the phishing domain from the link in the email, we can see that the legitimate airline has had their original website cloned by the scammer.  However, from what appears to be laziness on the part of the scammer again, the fake website is not displayed correctly.

On this fake website it asks for the “Card number” and “Password” for the user’s account with the airline.  I tried to investigate this further to see what happens if you enter some dummy information but the fake website does not work and does not open the Web form.  This makes the whole scam a waste of time for the scammer as they will not be able to steal any information using this broken Web form.  Therefore it is difficult to be certain of the scammer’s intent, but my guess would be that if the Web form worked, it would then ask the user for their credit card or bank details.

The “whois” information for the phishing domain in the email is also very interesting.  Whilst the domain has only been registered in the last two weeks, it has been registered against a user’s email address at a well known manufacturer of airplanes.  Therefore it is very possible that this user could have had their email account compromised and bank or credit card information stolen, and that the scammer has then registered the fake domain in their name.  Anyone viewing the “whois” of this domain might then believe it to be legitimate as it is registered against a well known legitimate company.

In the signature of the email, the FSA registration number that the scammer has used is for a different airline altogether and not of the airline that they are pretending to be.  Whilst this scam will fail due to the website not being displayed correctly, it could have been more sophisticated if the scammer had taken the time to make the fake website more realistic and ensure that all of the information in the email was correct.

Symantec’s advanced monitoring systems were able to proactively identify and block this scam.