Unwitting mobile internet users are becoming the victims of an ongoing internationalised domain name (IDN) homograph-based phishing campaign. The suspected phishing websites purport to be those of commercial airline carriers, including Delta, RyanAir and EasyJet, and are offering free tickets, but, instead, appear to subject the user to a bait-and-switch scam according to research from Farsight Security.
The suspected phishing websites present the user with the promise of free airline tickets if they answer four innocuous questions (the responses don’t seem to matter) Farsight report. Once the user answers the questions, they’re instructed to share the “offer” with 15 WhatsApp contacts before being redirected to another URL where presumably the user is prompted to enter credit card details.
As Farsight observed, the domain names for the suspected phishing sites are IDN homographs (lookalikes of well-known sites that switch out certain Basic Latin characters for homoglyph characters from similar scripts). They presented as being sourced from Delta Airlines, EasyJet (see below) and RyanAir.
Farsight note that those familiar with current and recent phishing campaigns will recognise that this campaign appears to be a fork of the recent “Free Adidas” phishing campaign. This particular campaign underscored how easily a brand on the Internet can be used fraudulently and one campaign can be repurposed to attack a different and unrelated sector.
In an effort to make the pages seem more legitimate and familiar, they all include a Facebook-like section where it is made to appear as though a number of users have liked or loved the “post” along with a handful of positive comments.