Summer is one of the traditional seasons of scamming, and this summer is shaping up to be a hot one on that front, with active campaigns swirling around supposed “security incidents,” vacation bookings and, of course, the World Cup.
Scammers, for instance, recently targeted Booking.com customers via WhatsApp messages and texts asking them to change their passwords in the wake of a supposed security breach. These were, of course, all phishing lures designed to steal their sensitive financial information.
Booking.com told the Sun newspaper in the UK that the attack correspondence was fully outfitted with booking information. The attackers, it said, likely compromised the systems of hotels to find out details like customers’ names, addresses, phone numbers, dates and prices of bookings and reference numbers.
The malefactors then followed up with a second message demanding full payment for holidays and asking for bank information to process it.
Sinan Eren, CEO at Fyde Security, told us that there are fresh trends in phishing trips this season, including a move away from email to new communication mediums.
“An interesting development in this new Booking.com campaign is that attackers shifted to text and instant messaging due to lack of robust security and spam filters on those systems,” Eren told Threatpost. “Mobile carriers’ SMS gateways are legacy systems that do not have any modern detection and remediation capabilities. It is rather easy and cheap to open a Twilio or Nexmo account with a stolen credit card and send out text messages to millions of smartphones in a short amount of time. These messaging API providers only react retroactively and shut down accounts once the fraudulent nature of the campaign is reported at volume.”
Further, he noted that instant messaging protocols such as WhatsApp are peer-to-peer by design, so they can only offer very rudimentary controls for detecting scams.
Another phishing lure making the rounds is an Alaska Airlines scam that uses a post on Facebook. It purports to be from Alaska Airlines, offering two free tickets in exchange for completing a short three-question survey; once that’s done, it asks the person to share the page to their Facebook to finalize the deal.
“You have been selected to take part in our short survey to get 2 Free Alaska Airlines Tickets! We only have 121 Tickets remaining so hurry up” the scam proclaims. It obviously works, considering that it’s been making the rounds in some form since at least 2016.
“If you are sent to a website that is not alaskaair.com, promoted from alaskaair.com and/or does not have any affiliation or links to Alaska’s official websites, then it could be a fake promotion,” the airline cautioned.
The Facebook angle is also indicative of more widespread phishing trends: the bad guys are looking to leverage the network effect and chain of trust to gain a better ROI on campaigns by asking users to share the post.
“We have been seeing an increasing amount of social engineering schemes to further propagate the scam,” Eren said. “For example, in order to be eligible for the prize, you are required to share the message with 25 of your contacts, etc. It’s rather obvious that attackers using the network effect instead of propagating the scam from a single point, which is easier to take down, plus a lot less trusted by the recipient.”
A kind of positive trolling is another new tactic, he added, where fraudsters add fake social media followers and comments to their sites and posts to increase conversion, as seen below:
The 2018 FIFA World Cup is about to kick off in Russia, with the soccer tournament once again taking its place as a perennial favorite for scammery. The hat-trick of nefariousness involves dubious messages promoting free tickets to the tournament (and who wouldn’t want an all-expenses paid trip to a match?); emails containing news and highlight reels about World Cup teams and players like Argentinian national star and Barcelona hero Lionel Messi, along with malicious attachments and links; and scams claiming to offer free live streams of the action in return for filling out a survey or installing software.
“The World Cup is THE global sporting event, which brings a fantastic opportunity for cybercriminals intent on securing a quick payday,” Steve Durbin, managing director of the Information Security Forum, said via email. “Email infection, fake betting websites and traditional phishing attacks are all expected to have their day in the sun this summer. Have fun watching the games, and rooting for your country, but let’s make sure that we all end up on the winning side and don’t end up becoming just another statistic on the losing side.”
Prizes around World Cup tickets and travel will also drive an increase in digital ad-driven phishing campaigns, Eren said, adding, “Most ad networks still do not sufficiently police programmatic buys of digital ads.”
According to Kaspersky Lab, statistics show spikes in the number of phishing pages during match ticket sales.
“Every time tickets went on sale, fraudsters mailed out spam and activated clones of official FIFA pages and sites offering fake giveaways allegedly from partner companies. But as the event draws nearer, cyber-scams are reaching fever pitch,” the firm said in a recent post.
Protect Yourself
Don Lewis of EdgeWave provided the following consumer tips to Threatpost:
- Never respond to emails from booking sites you’ve not dealt with or heard of before. Don’t click on the emails, but open a new browser search in new window and verify the legitimacy of the site, as well as check their online reviews in other places. If the offer seems too good to be true, it probably is… verify the offer via other means if needed.
- If you believe you’re receiving an email from a booking site that you have worked with before but the email is asking you to complete an action that appears odd, based on timing or what they are asking, take time to validate the request via other methods. For example, if you get an email asking to update your profile or provide credit-card information, do not give it. If they already have a profile built with your personal information and credit-card information, it would be highly unlikely they would email you asking for this information again. Take the time to verify with them separately before completing any online forms simply because they asked for it. This also applies to other scams where you’re notified that your reservation has been changed or cancelled. Instead of clicking on an email with this information, go to the website directly and login to see if your reservations are intact. If you’re unsure, email their support team or call them directly to verify.
- If you’re going to make a new booking and you have already vetted the online site, before submitting any information, make sure the web session is secure (i.e. that it’s a secured form in HTTPS): ensure that a green padlock is visible in the top left-hand corner of the navigation bar when you’re prompted to enter financial details.
- Don’t set your account passwords for travel sites to be the same as your email or banking sites. Always keep these passwords separate and change them every few months, or sooner if you think you could have been compromised.
- Finally, report suspicious emails and phishing sites to US-CERT at this link. The more people are educated and aware of the latest scams, the more they can take action quicker to be protected, thus minimizing the damage that the hacker can do.