A ticket to nowhere: Group-IB has recorded an increase in fraudulent resources for the sale of railroad and air tickets

On the eve of the May holidays, there is no rest from scammers either on the ground or in the air. Well, on the Internet by itself. After Vladimir Putin declared the days off from May 1 to 10 at the end of April CERT-GIB (Group-IB’s Cyber ​​Security Incident Response Center) has documented an upsurge in online fraud related to the sale of air and rail tickets. “Before the holidays, cybercriminals are increasing their activity, embedding themselves in the news agenda and actively using social engineering to attract potential victims,” says Yaroslav Kargalev, deputy head of CERT-GIB. Experts urge users to be careful when buying tickets online – useful recommendations at the end of the article.

Ghost train

On the eve of the May holidays, the scammers created a network of fake pages for the fake sale of electronic tickets for the Sapsan train, aimed at stealing money and payment data of users.

According to CERT-GIB (Group-IB Cyber ​​Security Incident Response Center), single fraudulent resources for selling tickets for Sapsan have been encountered before: in total, 21 such resources were discovered in 2020. From the beginning of 2021, in January and February – 2 and 3, respectively. Fraudsters intensified in April, before the May holidays. By the middle of the month, the number of unique phishing domains was already 13. Some of the resources are still functioning, Group-IB, together with Russian Railways, are taking measures to block them.

The scheme uses a classic scenario: when searching for available tickets for Sapsan in popular search engines, users attracted by advertising end up on a fraudulent site. All of them were created using IFrame – a legitimate HTML component that allows you to embed third-party site content on your web resource. Wanting to buy a ticket online, the victim enters the bank card details, as a result, losing both money and “plastic” data. The difference between the scheme is that fake resources were opened mainly on mobile devices – both on iOS and Android operating systems, however, there were also those that “worked” in browsers of personal computers.

The use of access from a mobile device in a fraudulent scheme can lull the attention of a potential ticket buyer, since he is less likely to see a domain change. At the same time, most anti-phishing protection systems are powerless against blocking the entire scheme, since the link in the advertisement and the address of the phishing domain have nothing to do with the brand used in the attack. Thus, even if the resource on which the final phishing was located is blocked, fraudsters simply start redirecting to another valid domain without even disabling ads.

You can fly with a ticket

Quite often, malicious resources copy the sites of popular air ticket aggregators or are completely independent pages for selecting flights. In April, Group-IB identified 50 phishing sites selling air tickets at low prices. For comparison, for the entire 2020, 56 such resources were recorded, in January 2021 – 9, in February – 5, in March – none. The peak of fraud was in the last week of April. Malicious resources were often in the first position in search results in Yandex / Google for the query “buy tickets”, “cheap tickets” …

“When a visitor to a fake website enters card details, including a CVV code, to pay for air tickets, the money goes to the accounts of the attacker, and no one gets tickets,” explained Yaroslav Kargalev. He added that the criminals also get credit card details, which they can use to make purchases on the Internet. The peculiarity of the April attacks is that the target audience for fraudsters is smartphone users; in most cases, phishing sites are opened only from mobile platforms.

How to avoid becoming a victim?

Group-IB recommends not to click on links sent in suspicious emails, social networks and instant messengers, especially if they exploit the themes of gifts, benefits, winnings, price reductions, etc.

Do not download attachments from messages that have not been requested by the user. It is necessary to carefully study the site address (domain name) to which the redirection occurred. In most cases, it differs from the original domain (for example, the described fraudulent scheme uses the domain name sapsan.pw, as well as more complex combinations).

Please update your browser to the latest version.

It is important to check the domain where the purchase is planned using the sites tcinet.ru or whois.com: the “age” of the site may be a sign of fraud. As a rule, fake sites live for several days. You shouldn’t make online prepaid purchases on unverified sites.

For purchases on the Internet, you should get a separate bank card or use its virtual counterpart.

Be careful lest scammers spoil your vacation!

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *