The Covid-19 pandemic has already provided plenty of lessons in how malicious actors exploit trending topics, events and disasters to carry out fraud and cyber attacks, and given huge public interest in holidaying in the UK, coupled with the resumption of some limited international travel, it is no surprise to see cyber criminals have pivoted to travel-themed attacks, according to new data produced at Palo Alto Networks’ Unit 42 research unit.
In a newly published report, Unit 42’s Anna Chung and Swetha Balla shed some light on the prevalence of travel-themed phishing lures being used to steal data, account credentials and financial information, and how the team has been working with third parties to remove them.
“Cyber criminals are always on the hunt for ways to trap potential victims by using social engineering to exploit hot trends,” said Chung. “Now they’re seeking to exploit people’s strong desire to travel, which was suppressed for a long period of time due to Covid.
“To conduct social engineering, threat actors have always leveraged malicious domains and URLs impersonating known brands and websites familiar to end-users. The content served on these malicious domains or URLs is crafted to mislead end-users, since they look and feel very similar to brands that users know.
“Alternatively, threat actors also send phishing emails to end-users to trick them into either downloading malicious attachments or clicking on links that lead to malicious content – website pages or attachments. Threat actors use themes that invoke a sense of urgency, such as outstanding invoices, or appeal to the end-user emotionally, such as travel-themed emails sent as the world opens up.”
Chung and her colleagues analysed a trove of travel-themed phishing URLs registered between October 2019 and August 2021, and found that from early 2021, a gradual upward trend in new malicious URLs, ahead of a feeding frenzy towards the end of June, peaking with more than 6,000 new URLs created every day.
Many of these URLs, which included keywords such as “airline” and “vacation”, served as a means to trick people into downloading the well-known infostealer Dridex from tainted Dropbox links. Unit 42 subsequently worked with Dropbox to get these links removed and the associated account disabled.
But malicious actors have not stopped at targeting travellers. Unit 42 also saw threat actors using services such as Firebase, which is hosted by Google Cloud Storage, to host their pages and distribute malware spam targeting travel industry workers.
Firebase is easy to exploit because malicious actors can use it to take advantage of its host’s reputation to bypass standard email protections, and some of the organisations targeted by Firebase-hosted web apps this year include online rental marketplaces, hotel chains, resort management companies and airlines. Unit 42 subsequently worked with Google to get these particular phishing URLs kicked off the service.
Data stolen through travel-themed attacks are likely to have been used for a number of ends, according to Unit 42. Chung said cyber criminals are motivated to monetise the data they steal, whether that be stolen credentials, customer details or credit card information, by selling it to others on dark web marketplaces, or by leveraging it to conduct identity theft or further cyber attacks, steal and resell airline or hotel loyalty points, or make fraudulent travel bookings.
