Spam and phishing mail

Flying phishers: cybercriminals targeting frequent flyer miles

We wrote in our predictions for 2011 about cyber attacks that steal everything. In fact, cybercriminals are interested in stealing all kinds of data, including the miles you accumulate in frequent flyer programs. Customers of Brazilian airlines are being targeted by a flood of phishing messages aimed at stealing their accounts and the miles held in the frequent flyer programs maintained by local airlines. The stolen miles are becoming a new kind of currency among Brazilian cybercriminals and phishers, who can use them to issue tickets for themselves, sell tickets to other criminals or use them in barter schemes.

The attacks rely on mass-mailed phishing messages that promise more points in a frequent flyer program or offer a supposed prize. In some attacks the customer is asked to re-register on a fake website:

“Register now and earn more miles in the frequent flyer program”

Brazilian phishers are also registering many malicious domains whose names appear to be related to airline companies when in fact they are not. Some examples can be viewed safely here, here and here. In some attacks we saw trojans changing the Hosts file to redirect the victim to the phishing site. All of these pages request the customer’s registration number for the airline’s site and the corresponding password, and this data is enough for a cybercriminal to take over the account and all the miles.
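As an added defender-side example (not code from the original post), the following script parses a hosts file and flags entries that pin a hostname to a non-loopback address, which is how the Hosts-file redirection described above shows up on a compromised machine. The sample hosts content, the watched airline-like domains and the 203.0.113.10 address are all constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not from the article); the
# airline-like domain names and the 203.0.113.10 address are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below simulate what a hosts-modifying trojan would append (constructed)
203.0.113.10    www.example-airline.com example-airline.com
203.0.113.10    milhas.example-airline.com.br   # trailing comment
"""

# Domains that should only ever be resolved via DNS (constructed watch list).
WATCHED_DOMAINS = {"example-airline.com", "example-airline.com.br"}
# Hostnames that legitimately appear in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) per mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower().rstrip(".")

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname, reason) for entries that would redirect traffic."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        # Loopback/unspecified mappings and stock local aliases are normal.
        if addr.is_loopback or addr.is_unspecified or name in LOCAL_NAMES:
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            findings.append((line_no, ip, name, "watched domain pinned to " + ip))
        else:
            findings.append((line_no, ip, name, "non-local name statically mapped"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line {}: {} -> {} ({})".format(*finding))
```

On a live system, point the parser at C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and feed it your own list of brand domains; any hit for a watched domain is a strong indicator of this redirection technique.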

In fact, we have already seen several passengers complaining to the local media that their accounts on airline websites were hacked and their miles used to issue tickets for unknown persons. One victim claims to have lost around R$ 12,000, the equivalent of US$ 7,600, in accumulated miles. In general it’s not possible to transfer miles to another person, but the bad guys issue the tickets in the name of money mules or using a fake ID.

This is not the first time that cybercriminals have targeted frequent flyers. Similar attacks were reported last June in Germany, when a new version of the banking Trojan SpyEye stole air miles from customers of an airline company.

The most interesting aspect of the latest cases is that the stolen miles are being used as a form of currency by cybercriminals. In one message posted in an IRC channel, a criminal is selling access to a Brazilian botnet of 3,300 machines that can send “unlimited spam”, charging around 60 dollars OR 60,000 miles of a specific Brazilian airline company.

Another is asking for a partner to exchange stolen air miles for stolen credit cards.

If you have miles accumulated in an airline company, stay alert and don’t react to any suspicious messages you may receive by email. The anti-phishing module in our products blocks access to these malicious pages.
