Flying phishers: cybercriminals targeting frequent flyer miles

We wrote in our predictions for 2011 about cyber attacks that steal everything. In fact, cybercriminals are interested in stealing all kinds of data, including the miles you accumulate in frequent flyer programs. Customers of Brazilian airline companies are being targeted by a flood of phishing messages whose goal is to steal customers' accounts and their miles in the frequent flyer programs maintained by local airlines. The miles stolen from customers are becoming a new kind of currency among Brazilian cybercriminals and phishers, who can use them to issue tickets for themselves, sell tickets to other criminals or use them in barter schemes.

The attacks involve the sending of phishing messages in mass mailings that promise more points in a frequent flyer program or offer a supposed prize. In some attacks the customer is asked to re-register on a fake website:

“Register now and earn more miles in the frequent flyer program”

Brazilian phishers are also registering a lot of malicious domains using names that seem to be related to airline companies, when in fact they are not. Some examples can be viewed safely here, here and here. In some attacks we saw trojans changing the Hosts file to redirect the victim to the phishing site. All of them request the customer’s registration number for the airline’s site and the corresponding password. This data is enough for a cybercriminal to steal the account and all the miles.
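The Hosts file redirection described above can be checked for on a workstation. The following is an added example, not code from the original article: it parses hosts-file text and reports every entry that overrides DNS with a non-local address, marking entries for watched domains. The watch list, the `.example` domains and the sample file are constructed placeholders.

```python
import ipaddress

# Hypothetical watch list: domains whose logins matter to the user (placeholders).
WATCHED = {"airline.example", "miles.example"}

# Constructed sample hosts file, not taken from a real infected machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ads.tracker.example    # local blocklist entry
203.0.113.45   www.airline.example airline.example
198.51.100.7   login.miles.example    # entry added by the trojan in this scenario
10.0.0.5       intranet.corp.example
not-an-ip      broken.example
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) for each valid mapping in a hosts file."""
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address: skip
        for name in fields[1:]:                 # one line may map several names
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(name, watched):
    """True for a watched domain or any subdomain of it (label-boundary match)."""
    return any(name == d or name.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line, ip, hostname, verdict) for entries that override DNS."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                            # localhost and sinkhole entries are skipped
        verdict = "override" if is_watched(name, watched) else "review"
        findings.append((lineno, str(ip), name, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding)
```

An "override" verdict means a watched login domain resolves from the local file instead of DNS; "review" entries may be legitimate (for example an intranet mapping) and need a human decision.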

In fact, we have already seen several passengers complaining to the local media about their accounts on the websites of airlines being hacked and their miles being used to issue tickets on behalf of unknown persons. One victim claims to have lost around R$ 12,000, the equivalent of US$ 7,600 in accumulated miles. In general it’s not possible to transfer the miles to another person, but the bad guys issue the tickets using the name of money mules or using a fake ID.

This is not the first time that cybercriminals have targeted frequent flyers. Similar attacks were reported last June in Germany when a new version of the Trojan banker SpyEye stole air miles from customers of an airline company.

The most interesting aspect of the latest cases is that the stolen miles are being used as a form of currency by cybercriminals. In this message, in an IRC channel, a criminal is selling access to a Brazilian botnet with 3,300 machines that can send “unlimited spam”, and charging around 60 dollars OR 60,000 miles of a specific Brazilian airline company:

This one is asking for a partner to exchange stolen air miles for stolen credit cards:

If you have miles accumulated in an airline company, stay alert and don’t react to any suspicious messages you may receive by email. The anti-phishing module in our products blocks access to these malicious pages.
