While running its Email Threat Scanner on many thousands of client mailboxes, the security team at Barracuda Networks detected highly inventive aviation-themed phishing attacks crafted to trick targets into giving away their business or personal information. They are a new variation on old phishing emails. The scam was noticed especially often in industries such as logistics, manufacturing, employee travel and shipping.
These attacks combine several techniques to steal sensitive data from people. The first is impersonation. Scammers create legitimate-looking emails, supposedly sent by travel agencies, HR employees or finance departments, that claim to deliver airline passes or e-tickets. The subject line carries a flight confirmation message that mentions the destination, airline and price of a particular flight. These details are carefully selected to seem believable to a specific target, which requires an unusual level of preparation from the attackers. The fraud is so successful that targets open the fake emails in more than 90% of cases.
When victims open these emails, they are fooled into opening attachments, usually in PDF or DOCX format, that are presented as flight confirmation numbers or receipts. Because of the specific details in the email, these attachments inspire trust. Opening the document lets malware (an Advanced Persistent Threat, or APT) into the network. The scammer can then either launch a further attack, for example ransomware (which limits or prevents targets from accessing their systems), or stay stealthy and access the victim’s data through the network.
Targets are also encouraged to follow links to spoofed websites whose design imitates the real airline, expense or travel websites used by their companies. The victims are duped into entering their corporate usernames and passwords, which are promptly captured. As a result, the phishers gain access to the company’s network and internal systems, including databases, email and file servers, and internal corporate communications.
Asaf Cidon, the vice president of content security services at Barracuda Networks, advises a three-layered security plan for those who want to avoid falling victim to such attacks. The first layer must be sandboxing (a security mechanism for safely executing untested or untrusted programs) and advanced persistent threat prevention, which can block the malware before it even reaches the company’s mail server. The second recommended layer is anti-phishing software that searches for links to infected websites and blocks them, whether they appear in emails or in documents. The third layer should be regular training and testing of the company’s workers to improve their awareness.
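A mail-triage check built on the lure pattern described above (travel-themed subject, PDF or DOCX attachment, links to sites outside the company's real travel portals) can look like the following. This is an added example, not Barracuda's software; the trusted-domain list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: the travel/expense portals this organisation really uses.
TRUSTED_TRAVEL_DOMAINS = {"travel.example.com", "expenses.example.com"}
LURE_SUBJECT = re.compile(r"\b(flight|e-?ticket|itinerary|boarding pass)\b", re.I)
RISKY_EXTENSIONS = (".pdf", ".docx")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Travel Desk" <travel@example.net>
Subject: Flight confirmation: NYC to LHR, $1,142.00
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Booking: https://travel.example.com.login.example.net/itinerary
Portal: https://travel.example.com/trips
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="e-ticket.pdf"

(constructed placeholder body)
--b1--
"""

def host_is_trusted(host):
    # Exact match or true subdomain only; a trusted name used as a prefix fails.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_TRAVEL_DOMAINS)

def triage(raw_email):
    """Return the reasons a message matches the aviation-lure pattern."""
    msg = message_from_string(raw_email)
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("travel-themed subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("attachment: " + name)
        elif part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            body = raw.decode(part.get_content_charset() or "utf-8", "replace")
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if not host_is_trusted(host):
                    reasons.append("untrusted link host: " + str(host))
    return reasons
```

A message with several reasons is a candidate for sandboxing or quarantine rather than direct delivery; the check is a heuristic and does not replace either layer.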
The U.S. Computer Emergency Readiness Team published an alert about these aviation-themed phishing attacks: “US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information,” says the alert.
US-CERT cited the security advisory by Delta Air Lines, which told its consumers about these frauds. According to this warning, “Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel”.