As part of our continuous monitoring of the Internationalized Domain Name (IDN) space, Farsight recently found evidence of what appears to be an ongoing IDN homograph-based phishing campaign targeting mobile users. The suspected phishing websites purport to be those of commercial airline carriers offering free tickets, but, instead, appear to subject the user to a bait-and-switch scam.
Note: As Farsight has done in the past, all attempts were made to contact each affected organization in advance of this publication.
The suspected phishing websites present the user with the promise of free airline tickets if they answer four innocuous questions (the responses don't seem to matter). Once the user answers the questions, he is instructed to share the "offer" with 15 WhatsApp contacts before being redirected to another URL where presumably the user is prompted to enter credit card details².
As observed, the domain names for the suspected phishing sites are IDN homographs (lookalikes of well known sites that switch out certain Basic Latin characters for homoglyph characters from similar scripts). They presented as being sourced from the following three airline carriers (the hyperlinks below are to the official websites for each):
Those familiar with current and recent phishing campaigns will recognize that this campaign appears to be a fork of the recent "Free Adidas" phishing campaign. This particular campaign just underscores how easily a brand on the Internet can be used fraudulently and one campaign can be repurposed to attack a different and unrelated sector⁴.
The websites are optimized for mobile and render a bit clumsily on desktop as shown below:
Figure 1: Screenshot of a suspected Delta phishing website
Figure 2: Screenshot of a suspected EasyJet phishing website
Figure 3: Screenshot of a suspected RyanAir phishing website
In an effort to make the pages seem more legitimate and familiar, they all include a Facebook-like section where it is made to appear as though a number of users have liked or loved the "post" along with a handful of positive comments as shown below¹:
Figure 4: Screenshot of the "Facebook-like" social content for the EasyJet website
Figure 5: Screenshot of the "Facebook-like" social content for the RyanAir website
Finally note that RyanAir site presented a DV SSL certificate³.
Appendix A: Suspected IDN Phishing Sites
The following section lists each of the Fully Qualified Internationalized Domain Names (FQIDNs) observed by Farsight that served a suspected phishing site. Please note this list is not guaranteed to be exhaustive.
Punycode Encoded FQDNs Unicode Encoded FQDNs ------------------------------------------------- www.xn--deta-1kb.com. -> www.deǀta.com. (Latin `l` is replaced with a "Latin Letter Dental Click" (U+01c0)) www.xn--easyje-n17b.com. -> www.easyjeṭ.com. (Latin `t` is replaced with a Latin Small Letter T with Dot Below" (U+1E6d)) www.xn--easyjt-m4a.com. -> www.easyjėt.com. (Latin `e` is replaced with a Latin Small Letter E with Dot Above" (U+0117)) www.xn--ryanai-1x7b.com. -> www.ryanaiṛ.com. (Latin `r` is replaced with a Latin Small Letter R with Dot Below" (U+1e5b))
¹ Farsight discovered the suspected Delta phishing site first and informed them immediately. Perhaps due to this, the site was taken down shortly thereafter and we were unable to get a screen capture of the social component.
² Apart from the initial observation, light reconnaissance, and reporting, Farsight did not perform extensive study of these suspected phishing sites.
³ The certificate for https://www.xn–easyje-n17b.com was self-signed and had expired in May 2018.
⁴ Farsight Security recently wrote a report on the prevalence and distribution of IDN homographs, available here.
Mike Schiffman runs in O(n!) for Farsight Security, Inc.
← Blog Home