On 13 June 2025, Israel launched a sweeping pre-emptive operation targeting Iran’s military leadership, conventional military sites, air defenses, and nuclear infrastructure.  The campaign was called Operation Rising Lion by the Israeli government and military.  Last month, our friends at Fortinet published a blog detailing the new realities of cyber warfare, which were highlighted by this recent conflict.

Affected Platforms: N/A
Impact: Theft of PII and Banking Details
Severity Level: Medium

What followed was a 12-day exchange of strikes and counterstrikes between the two countries, resulting in significant damage and widespread fear and uncertainty among civilians caught in the middle. Following US involvement through Operation Midnight Hammer, a ceasefire was announced and has so far been maintained.[1]

In the aftermath, researchers have identified what appears to be an attempt to exploit this crisis.  Threat actors, using fear of renewed violence, launched a phishing campaign to steal personal and financial information from individuals seeking to flee the hostilities.

Initial Finding - FortiGuard Labs tooling detected the domain “lineageembraer[.]online” being registered on 22 June 2025.  It looks to have been brought online very shortly thereafter.
Figure 1. WhoIs record for “lineageembraer[.]online”.

The domain stood out due to its reference to Embraer, a well-known Brazilian aerospace manufacturer.  The “Lineage” designation refers to the Embraer Lineage 1000 and 1000E, which are business jets from the company’s E190 commercial airliner platform.  While marketed as VIP transport, the aircraft are relatively rare, expensive to operate, and often associated with airlines, charter companies, or high-net-worth individuals.  This made the domain’s use in the context of an emergency evacuation offer especially suspicious.

Landing Page - Upon inspection, the site displays an image of a business jet’s tail section and engine nacelle, accompanied by a banner reading “SPECIAL MISSIONS.”

Figure 2. Landing page for “lineageembraer[.]online”.

The landing page includes a prominent “Book Now” button, offering users a seat for USD 2,166.  A total of 18 seats are listed as available, roughly matching the passenger capacity of an Embraer Lineage 1000 or 1000E.

In the page footer, the following travel details are displayed:

Departure: 26 June 2025
Tel Aviv – Ben Gurion to New York – Teterboro
Seats are minimal

An additional button labeled “Instruction[sic]” is also presented, which will be touched on below.

Digging Deeper - The certificate was generated using Google Trust Services and appears to have only been made valid from the go-live date and time through to September 20, 2025.


Figure 3. Start of the certificate chain for “lineageembraer[.]online”.

Notably, the page footer references a 26 June departure date, which was two days after the ceasefire took effect on 24 June 2025.  This suggests the site’s operators either overlooked the ceasefire or assumed that some individuals might still be seeking to leave the region for safety or personal reasons.  While that alone doesn't confirm malicious intent, it adds to the overall suspicion.

Clicking the “Book Now” button initiates a mailto: operation addressed to lineageembraer[@]gmail[.]com.  There is no open-source intelligence linking this email address to any legitimate entity, and it appears to have been created solely to match the fake domain.

Clicking the “Instruction[sic]” button triggers the download of a PDF containing travel instructions.  Interestingly, this file is hosted on a Shopify CDN (content delivery network), an unusual choice for legitimate aviation or charter services. The file is located at:

hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015

The use of commercial infrastructure, such as Shopify's CDN, for a high-priced international charter service further undermines the credibility of the site.
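The three page-level signals described so far (a domain registered days before the advertised departure, a free-webmail booking contact named after the site, and a document served from an unrelated host) can be checked mechanically during triage. The following is an added example, not code from Fortinet or Red Sky Alliance; the markup, the PDF path, the 30-day threshold, and the webmail list are constructed assumptions, while the defanged domain, email address, and dates come from the report.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed, not exhaustive
NEW_DOMAIN_DAYS = 30                                   # assumed threshold

SITE = "hXXps://lineageembraer[.]online"               # defanged, from the IOC list
REGISTERED = date(2025, 6, 22)                         # registration date in the report
DEPARTURE = date(2025, 6, 26)                          # advertised departure date
# Constructed markup modelled on the described page; the PDF path is a placeholder.
PAGE = """<a href="mailto:lineageembraer[@]gmail[.]com">Book Now</a>
<a href="hXXps://cdn.shopify.com/constructed-path/instructions.pdf">Instruction</a>"""

def refang(text):
    """Undo defanging so the values can be parsed (never fetched)."""
    return text.replace("hXXp", "http").replace("[.]", ".").replace("[@]", "@")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def triage(site_url, registered, reference, html):
    """Return (signal, detail) pairs for the indicators discussed in the report."""
    site_host = urlsplit(refang(site_url)).hostname
    label = site_host.split(".")[0]
    collector = LinkCollector()
    collector.feed(refang(html))
    findings = []
    age = (reference - registered).days
    if age <= NEW_DOMAIN_DAYS:
        findings.append(("new_domain", age))
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme == "mailto":
            local, _, domain = parts.path.partition("@")
            if domain.lower() in FREE_MAIL:
                # A webmail local part equal to the site label suggests a throwaway pair.
                matched = "_matches_site" if local.lower() == label else ""
                findings.append(("webmail_contact" + matched, parts.path))
        elif parts.hostname and parts.hostname != site_host \
                and not parts.hostname.endswith("." + site_host) \
                and parts.path.lower().endswith(".pdf"):
            findings.append(("offsite_document", parts.hostname))
    return findings

if __name__ == "__main__":
    for signal, detail in triage(SITE, REGISTERED, DEPARTURE, PAGE):
        print(signal, detail)
```

None of these signals is conclusive on its own; they are prompts for the manual checks the rest of the analysis walks through.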


Figure 4. Instructions

As shown in Figure 4, the site presents what appears to be a “premium” evacuation service.  While the postal code and city are listed as Bristol, UK, which is real, the absence of a house or building number raises red flags.  The postal code corresponds to a small residential neighborhood with only about a dozen homes, making it highly unlikely to be the legitimate base of operations for an international charter service.

The flight is advertised as departing from Ben Gurion Airport in Tel Aviv and arriving at Teterboro Airport, which the site incorrectly lists as being in New York.  In reality, Teterboro is approximately 12 miles (19.3 kilometers) from Manhattan in the US state of New Jersey.

To complete the booking, users are prompted to submit personal details, including name, address, and passport number, with payment instructions to follow, contingent on the operators determining that the requester is “serious.”  This vetting approach likely serves to create a false sense of legitimacy while selectively harvesting high-value identity data.

Further Analysis - The logistical and financial inconsistencies in the offer further support the conclusion that this is not a legitimate service.

The aircraft model advertised for the flight, a Lineage 1000E, is scarce.  Fewer than a dozen were ever produced before Embraer ceased manufacturing the model in 2019.  While some are configured for VIP transport, securing one on short notice during a regional conflict would be highly improbable.

Operational limitations also raise doubts.  The Lineage 1000E has a maximum range of approximately 4,600 nautical miles, while the direct distance from Tel Aviv to Teterboro is around 5,700 nautical miles.  This would require at least one stop for refueling, complicating the feasibility of a nonstop evacuation flight as claimed.

Finally, the advertised price of USD 2,166 per seat is unrealistically low for what is described as a high-end charter.  By comparison, a commercial first-class ticket from Tel Aviv to New York for the following Thursday, 3 July 2025, is priced between £5,085 (approximately USD 6,976.70) and £6,014 (approximately USD 8,251.30).  The stark difference in pricing raises serious doubts about the legitimacy of the offering and strongly suggests fraudulent intent.


Figure 5. Google search showing comparable flight costs.

While that price gap is hard to ignore, it becomes even more unrealistic when you factor in the cost of an actual charter.  Based on our research, flying a Lineage 1000E on a long-haul route like this would typically run well over $10,000 USD per seat.  That includes fuel, crew, landing fees, and the premium involved in sourcing a rare aircraft during a crisis.

Offering seats at $2,166 would only be feasible with substantial backing from a government, NGO, or corporate sponsor, none of which are present.  With no visible affiliations or credible context, the service appears to be a well-crafted scam.  All indicators suggest a fraudulent operation aimed at stealing personal data or extracting money from individuals under pressure.

Conclusion - Unfortunately, history shows that even in times of conflict, there are always those willing to exploit fear and desperation.  In this case, the indicators all strongly suggest this is an attempt to steal identity data, financial details, and possibly funds from individuals seeking to escape a volatile situation.  Always remain vigilant with any online purchases.  There are many scams out there.

IOCs
Network-based IOCs
hXXps://lineageembraer[.]online
hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015

 

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.fortinet.com/blog/threat-research/a-special-mission-to-nowhere/
