
Flying phishers: cybercriminals targeting frequent flyer miles

We wrote in our predictions for 2011 about cyber attacks that steal everything. In fact, cybercriminals are interested in stealing all kinds of data, including the miles you accumulate in frequent flyer programs. Customers of Brazilian airline companies are being targeted by a flood of phishing messages whose goal is to steal customers’ accounts and their miles in the frequent flyer programs maintained by local airlines. The miles stolen from customers are becoming a new kind of currency among Brazilian cybercriminals and phishers, who can use them to issue tickets for themselves, sell tickets to other criminals or use them in barter schemes.

The attacks involve the sending of phishing messages in mass mailings that promise more points in a frequent flyer program or offer a supposed prize. In some attacks the customer is asked to re-register on a fake website:

“Register now and earn more miles in the frequent flyer program”

Brazilian phishers are also registering a lot of malicious domains using names that seem to be related to airline companies, when in fact they are not. Some examples can be viewed safely here, here and here. In some attacks we saw trojans changing the Hosts file to redirect the victim to the phishing site. All of these attacks request the customer’s registration number for the airline’s site and the corresponding password. This data is enough for a cybercriminal to steal the account and all the miles.

In fact, we have already seen several passengers complaining to the local media about their accounts on the websites of airlines being hacked and their miles being used to issue tickets on behalf of unknown persons. One victim claims to have lost around R$ 12,000, the equivalent of US$ 7,600 in accumulated miles. In general it’s not possible to transfer the miles to another person, but the bad guys issue the tickets using the name of money mules or using a fake ID.

This is not the first time that cybercriminals have targeted frequent flyers. Similar attacks were reported last June in Germany when a new version of the Trojan banker SpyEye stole air miles from customers of an airline company.

The most interesting aspect of the latest cases is that the stolen miles are being used as a form of currency by cybercriminals. In one message, posted in an IRC channel, a criminal is selling access to a Brazilian botnet with 3,300 machines that can send “unlimited spam”, and charging around 60 dollars or 60,000 miles of a specific Brazilian airline company.

In another message, a criminal is asking for a partner to exchange stolen air miles for stolen credit cards.

If you have miles accumulated in an airline company, stay alert and don’t react to any suspicious messages you may receive by email. The anti-phishing module in our products blocks access to these malicious pages.
