Travel-Related Phishing Lures Spiked This Summer, New Unit 42 Report Shows

by | September 20, 2021 | Cybersecurity News

As more and more people are going on well-deserved vacations after more than a year of restrictions and lockdowns, cybercriminals saw the phishing opportunity and grabbed it, according to fresh data from Palo Alto’s Unit 42.

Travel-themed phishing lures were heavily used this summer to steal data, credentials, and financial details.

The COVID-19 pandemic has already shown us how the bad guys take advantage of people’s fear and uncertainty, events, and disasters to launch cyberattacks. So, it comes as no surprise that scammers would jump on the opportunity to phish some more when people are holidaying again, according to new data gathered by Unit 42.

Increase in Travel-themed Phishing Lures

In a Wednesday report, Anna Chung and Swetha Balla from Unit 42 revealed a spike in travel-themed phishing lures being dangled in front of unsuspecting victims to steal sensitive data, such as account credentials and financial information.

“Cybercriminals are always on the hunt for ways to trap potential victims by using social engineering to exploit hot trends,” said Chung. “Now they’re seeking to exploit people’s strong desire to travel, which was suppressed for a long period of time due to Covid.”

“To conduct social engineering, threat actors have always leveraged malicious domains and URLs impersonating known brands and websites familiar to end-users. The content served on these malicious domains or URLs is crafted to mislead end-users, since they look and feel very similar to brands that users know”.

“Alternatively, threat actors also send phishing emails to end-users to trick them into either downloading malicious attachments or clicking on links that lead to malicious content – website pages or attachments. Threat actors use themes that invoke a sense of urgency, such as outstanding invoices, or appeal to the end-user emotionally, such as travel-themed emails sent as the world opens up,” Chung added.

Increase in the Number of Travel-themed Phishing URLs

Chung and her team examined a handful of travel-themed phishing URLs created between October 2019 and August 2021 and discovered a gradual upward trend in new poisoned URLs ahead of a frenzy throughout the summer, peaking with over 6,000 new URLs created every day.

Phishing lures using malicious URLs saw a spike in July.
The number of new travel-themed phishing URLs registered between October 2019 and August 2021. Source: Unit 42

Many of these links included keywords such as “airline” or “vacation” in an attempt to trick people into downloading the Dridex info-stealing trojan from compromised Dropbox links.

The threat actor behind Dridex generally uses billing- or invoice-themed emails, a tactic used by most mass-distribution malware. The compromised or malicious URLs host the initial installer for Dridex to establish backdoor access. The backdoor access established by Dridex is later used to distribute followup malware, including ransomware, if the initial infection is not discovered,” Unit 42 noted.

In January 2021, a malware spam campaign comprised emails that used Dropbox links to call animalairlines[.]org/wp-content/plugins/wordpress-seo/inc/options/tk2xzwhphujenf.php and download the malware DLL to install Dridex.

Example email associated with the campaign. Source: Unit 42

Unit 42 worked with Dropbox to remove the malicious links and disable the associated account.

But hackers didn’t stop targeting travelers. Unit 42’s report also notes that threat actors use services such as Firebase, which is hosted by Google Cloud Storage, to host their pages and spread malware targeting travel industry workers.

How Hackers Use the Data Gathered Through Phishing Attacks

Attackers can use the data stolen by travel-themed phishing campaigns for numerous purposes, according to Unit 42. For example, Chung explained that cybercriminals could monetize the data they steal by selling it on the dark web and using it in further cyberattacks, such as identity theft or making fraudulent travel bookings or purchases.

Travel-themed products and services listed in underground marketplaces, October 2019-March 2021. Source: Unit 42

Unit 42 also recommends the following to keep your organization safe from phishing:

  • Implement security awareness training to improve employees’ ability to identify fraudulent emails.
  • Regularly back up your organization’s data as a defense against ransomware attacks initiated via phishing emails.
  • Enforce multi-factor authentication on all business-related logins as an added layer of security.

Security Awareness Training With ATTACK Simulator

Phishing attacks can be highly damaging to your business. Unfortunately, your employees make for the most attractive and weakest targets, so you should seriously consider implementing security awareness training in your company.

Phishing emails are one of the most common routes hackers take to get to your employees. To objectively assess your company’s exposure and vulnerability to phishing attacks, we strongly advise you to use our free security awareness training trial.

Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.

Choose ATTACK Simulator’s Security Awareness Training program to provide your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers.


ComputerWeekly Travel-themed phishing lures spiked this summer

Unit 42 Phishing Eager Travelers


Feature Image: Photo by David Vives on Unsplash

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.