Cyberattackers are carefully crafting individual phishing emails purporting to be from airlines and financial departments to deliver malware and are even mimicking internal corporate travel and expenses systems in order to steal personal details from specifically targeted victims.
While cybercriminals using the lure of fake travel itineraries to dupe those in sectors reliant on shipping goods or employee travel isn’t new, researchers have discovered a particularly advanced phishing attack.
Discovered by cybersecurity researchers at Barracuda Networks, this airline phishing attack uses a variety of techniques to capture sensitive data from victims and deploy an advanced persistent threat.
The email from the attacker impersonates a travel agency or an employee in the target’s own HR or finance department, sending a message with a subject line claiming to be a forwarded message about a flight confirmation, stating the airline, the destination and the price of the flight.
All three of these things are carefully researched by the attackers, who select them specifically for the target in order to look legitimate in the context of the company and the email recipient. Taking the time to tailor phishing emails in this way works: these messages are opened 90 percent of the time, making this one of the highest success rates for phishing attacks, say Barracuda.
Once opened, the email presents the target with an attachment in the form of a PDF or Microsoft Word document purporting to be a flight confirmation or receipt, but of course it’s neither of these things.
When the target opens the attachment, malware runs immediately, dropping an advanced persistent threat into the network, enabling the attacker to stealthily monitor the infected organisation, likely with the aim of conducting espionage and stealing data.
There’s also a variant of this attack, which instead of dropping malware to stealthily steal data, uses phishing links to directly take sensitive information from the victim. In these instances, the phishing website is designed to look like an airline website or even the expenses and travel system used by the target’s company.
These phishing links are ultimately designed to trick the victim into supplying sensitive corporate credentials, which the attackers will then use to infiltrate the company network, databases and emails in order to steal information.
Cybersecurity researchers warn that the combined use of impersonation, malware and phishing is particularly dangerous because these methods complement one another, enabling the attacker to essentially gain control of the network. At this stage, the attackers can stealthily conduct espionage or even drop additional malware and ransomware.
Sometimes it can be very difficult to identify a phishing email, but the likes of sandboxing and advanced persistent threat prevention combined with employee training and awareness can increase the chances of preventing attacks from compromising the network.
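As an added illustration for mail-filter triage (not code from Barracuda or from the original article), the sketch below checks a raw message for the traits of the lure described above: a forwarded flight-confirmation subject carrying a price, a sender whose display name claims an internal department while the address is external, and a PDF or Word attachment. The domain `example.com`, the regular expressions, the tag names and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions, not from the article: the organisation's mail domain, the
# patterns below and the sample message are constructed for illustration.
INTERNAL_DOMAIN = "example.com"
FWD_FLIGHT = re.compile(r"^\s*fwd?\s*:.*\b(flight|itinerary|e-?ticket)\b", re.I)
PRICE = re.compile(r"[$€£]\s?\d[\d,]*(\.\d{2})?")
INTERNAL_ROLE = re.compile(r"\b(hr|human resources|finance|travel desk)\b", re.I)
DOC_EXT = (".pdf", ".doc", ".docx", ".docm")

def triage(raw: str) -> list[str]:
    """Return which traits of the lure described above a raw message shows."""
    # policy.default decodes RFC 2047 encoded-word headers before matching.
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("Subject", ""))
    if FWD_FLIGHT.search(subject):
        hits.append("forwarded-flight-subject")
    if PRICE.search(subject):
        hits.append("price-in-subject")
    # Display name claims an internal department but the address is external.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if INTERNAL_ROLE.search(name) and domain != INTERNAL_DOMAIN:
        hits.append("internal-role-external-sender")
    # PDF or Word attachment, the two carrier types the article names.
    if any((p.get_filename() or "").lower().endswith(DOC_EXT) for p in msg.walk()):
        hits.append("document-attachment")
    return hits

# Constructed sample message (not a real capture).
SAMPLE = (
    'From: "Finance Dept" <finance@travel-desk.test>\n'
    "To: alice@example.com\n"
    "Subject: Fwd: Example Air: Confirmation - Flight to Lisbon - $1,240.00\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease see the attached confirmation.\n"
    '--b1\nContent-Type: application/pdf; name="confirmation.pdf"\n'
    'Content-Disposition: attachment; filename="confirmation.pdf"\n'
    "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b1--\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

No single trait is conclusive, since genuine forwarded itineraries share several of them; a message showing all four is a reasonable candidate for sandbox detonation or manual review.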