'Aggressive' phishing campaign against travellers claims 90% success

News by Rene Millman

Criminals lure corporate travellers into installing malware and surrendering credentials with a new spear-phishing campaign dressed up as airline tickets.

Airline travellers have been targeted in a new phishing campaign that aims to infect victims' systems with malware and trick users into handing over personal or business details.

According to researchers at Barracuda, more than 90 percent of the employees targeted open the emails.

The campaign combines impersonation, malware and phishing to mount attacks against victims. While it isn't clear who is behind the attacks, the targets are concentrated in industries that involve frequent shipping of goods or employee travel, such as logistics, shipping and manufacturing.

The attacker's email impersonates a travel agency, or even an employee in HR or finance, sending an airline ticket or e-ticket. It is constructed to look unremarkable to an untrained recipient.

The attackers research the target beforehand and tailor the email to them: the airline, destination and price are chosen so that the details look legitimate in the context of the company and the recipient.

The email carries an attachment, usually a PDF or Word document; when the victim opens the document, the malware embedded in it executes.

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” said Asaf Cidon, vice president of content security services, in a blog post. “This is one of the highest success rates for phishing attacks.”

The emails can also carry links to a phishing website designed to capture sensitive data from the victim. This site imitates an airline website, or impersonates the expense or travel system used by the company, according to Cidon.

"This step in the process is designed to trick the victim of the attack into entering corporate credentials into the site," Cidon said. "The attacker will then capture the credentials, and use them to infiltrate the corporate network and internal company systems, such as databases, email servers and file servers."

Cidon advised companies to use sandboxing to stop malware from ever reaching the corporate mail server, and to deploy anti-phishing protection that scans links and looks for malware.
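As an added illustration of the link- and attachment-scanning layer Cidon describes (this is not Barracuda's or the article's own code), the Python triage heuristic below parses a raw email and flags messages that combine a ticket-themed subject, a document attachment, and a link to a host outside both the sender's domain and a company allow-list. The trusted hosts, sender addresses and the two sample messages are all constructed for this example.

```python
"""Heuristic triage for airline/e-ticket lure emails (added example, not
Barracuda's code). Sample messages, addresses and hosts are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allow-list of the company's own travel/expense systems.
TRUSTED_HOSTS = {"travel.example-corp.com", "expenses.example-corp.com"}
# Subject words typical of the lure described in the article.
LURE_WORDS = re.compile(
    r"\b(e-?ticket|itinerary|boarding pass|flight confirmation|booking)\b", re.I)
# Attachment types that commonly carry document-borne malware.
RISKY_EXT = (".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsm", ".zip", ".js")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def analyse(raw: bytes) -> dict:
    """Return a verdict plus the reasons behind it for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_dom = sender.rsplit("@", 1)[-1].lower()
    reasons = []

    if LURE_WORDS.search(str(msg.get("Subject", ""))):
        reasons.append("ticket-themed subject")

    # Document attachments: the delivery vehicle for the malware stage.
    risky = [p.get_filename() for p in msg.iter_attachments()
             if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("document attachment: " + ", ".join(risky))

    # Links: the credential-phishing stage. Flag hosts that are neither on the
    # allow-list nor under the sender's own domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        same_org = host == sender_dom or host.endswith("." + sender_dom)
        if host not in TRUSTED_HOSTS and not same_org:
            reasons.append("link to untrusted host: " + host)

    # Any single signal is common in legitimate mail; two or more together
    # match the campaign's pattern closely enough to quarantine for review.
    return {"verdict": "suspicious" if len(reasons) >= 2 else "ok",
            "reasons": reasons}


def _build(sender, subject, html, attachment_name=None) -> bytes:
    """Construct a sample message with a text/html body and optional attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "traveller@example-corp.com"
    m["Subject"] = subject
    m.set_content("Please see your ticket details.")
    m.add_alternative(html, subtype="html")
    if attachment_name:
        m.add_attachment(b"%PDF-1.4 constructed sample, not a real document",
                         maintype="application", subtype="pdf",
                         filename=attachment_name)
    return m.as_bytes()


# Constructed lure: look-alike agency domain, e-ticket subject, PDF, off-domain link.
PHISHING_SAMPLE = _build(
    "Travel Desk <bookings@trave1-agency.example>",
    "Your e-ticket for LHR-JFK, 14 March",
    '<p>Your ticket is attached. Confirm at '
    '<a href="http://airline-login.example/verify">the airline portal</a>.</p>',
    attachment_name="eticket.pdf")

# Constructed legitimate notice from the company's own travel system.
LEGIT_SAMPLE = _build(
    "Corporate Travel <travel@example-corp.com>",
    "Your itinerary for next week",
    '<p>View your trip at '
    '<a href="https://travel.example-corp.com/trip/123">the travel portal</a>.</p>')

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(raw))
```

The scoring is deliberately conservative: a ticket-themed subject on its own, as in the legitimate sample, does not trip the rule, while the constructed lure collects three independent signals. In production the allow-list would come from the organisation's real travel and expense providers, and the attachment check would hand the file to a sandbox rather than stop at the extension.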

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that by researching their victims online (doxing), attackers can craft emails that include detailed information about either the targeted individual or the company. “The more accurate the information, the less likely it will feel for the victim that it's illegitimate,” he said.

Lee Munson, security researcher at Comparitech, told SC that the best form of defence is to focus on the human trickery element that kicks the whole thing off. “Security awareness training is key here – first by highlighting the attack method to staff and, secondly, by offering practical tips, such as being extremely aware of the potential consequences when opening email attachments,” he said.

Dr Scott Zoldi, chief analytics officer at FICO, told SC that the future lies in AI-driven solutions that can detect and react to new threats that would otherwise be missed. “This is important as malware/threats morph continuously and nefarious actors are always looking to circumvent the detection capabilities of systems based on fixed rules or heuristics,” he said.
