The United States Federal Bureau of Investigation (FBI) has issued a warning to air travelers to be suspicious of bogus US airport websites and WiFi networks when booking flights online. FBI analysts are aware of the recent creation of a number of websites that trick users into thinking the sites are real. These spoofed domains, which grow increasingly sophisticated as cyber-criminals hone their skills for mimicry, pose a real threat for travelers, airports, and the aviation industry as a whole.
Crafty hackers create malicious airport or associated travel domains that appear to feature a real organization’s logo, font, color scheme, and writing style. Cyber-criminals are frequently able to fool users into thinking that they are on a site that is authentic and safe to use. The malicious lookalike websites are created with domain names that are virtually the same as the site they are impersonating, often with just one character altered. This subtle difference (or typo-squatting) can easily go undetected, especially when a traveler is in a hurry to book a flight. Criminals create these fake domains to spread malware capable of compromising a user’s personal or business data. The theft of this data can ultimately lead to identity theft and financial loss.
The threat does not stop once tickets have been booked, with criminals banking on airport users reaching for an IoT device at the airport to pass the time before they fly. The FBI advises users to disable or remove all unnecessary software protocols and portals and to use multi-factor authentication where possible. Describing just how widespread this cybercrime is, the FBI said, “Over 96 percent of companies suffer from domain spoofing attacks in one form or another.”
The proliferation of alternative, "generic" top-level domains (TLDs) such as .app and .online as well as the ability to register domain names using non-Latin characters are enabling phishing attacks. Since ICANN, the organization responsible for the administration of the domain name system, began delegations of new generic top-level domains (gTLDs) in October 2013, the number of top-level domains has risen above 1,200, providing malicious actors the means to embark on phishing campaigns.
The traditional means of domain-based phishing are still popular tactics: typo-squatting (registering a name like "goggle" for its similarity to "google," for example) and exploiting kerning faults, such as using the letter "m" to give the appearance of the visually similar "rn." Of these traditional means, known as "lookalike attacks," 79 percent resolve to an IP address, 34 percent have a mail exchange (MX) record used for sending phishing emails and 17 percent have a security certificate, showing a lock icon when users open that site in a browser.
Shorthand guidance in cybersecurity training for non-technical users, such as "look for the lock icon to ensure the website is secure," is likely to become a problem, as phishing attackers are able to self-sign certificates using services like Let's Encrypt, which is a free, automated and open certificate authority operated by the nonprofit International Security Group.
Phishers and other cybercriminals closely watch the gTLD market for potentially exploitable, cheap registrations. Because the most popular TLDs (".com" and ".net") are unavailable, TLD attacks use a more broadly distributed set of TLDs than other types of fraudulent domains.
The 10 most used gTLDs in these attacks are:
- .app (6%)
- .ooo (3%)
- .xyz (3%)
- .online (2%)
- .site (2%)
- .club (2%)
- .top (2%)
- .info (2%)
- .icu (2%)
- .website (1%)
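A defender can screen newly observed registrations for the lookalike patterns described above (one altered character, "rn" rendered as "m", the same name under another TLD). The following is an added example, not code from the FBI or Red Sky Alliance; the domain names, the `KERNING` table and all function names are constructed for illustration, and inputs are assumed to be plain `name.tld` domains.

```python
# Letter pairs that render alike: "rn"/"m" is from the article, "vv"/"w" is added.
KERNING = (("rn", "m"), ("vv", "w"))

def fold(name: str) -> str:
    """Collapse look-alike letter pairs so 'modern' and 'modem' compare equal."""
    for pair, single in KERNING:
        name = name.replace(pair, single)
    return name

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate: str, protected: str):
    """Say why `candidate` resembles `protected` (both 'name.tld'), else None."""
    c_name, _, c_tld = candidate.lower().rpartition(".")
    p_name, _, p_tld = protected.lower().rpartition(".")
    if (c_name, c_tld) == (p_name, p_tld):
        return None           # the genuine domain itself
    if c_name == p_name:
        return "tld-swap"     # same name under a different TLD
    if fold(c_name) == fold(p_name):
        return "kerning"      # e.g. "rn" rendered as "m"
    if edit_distance(c_name, p_name) == 1:
        return "typo"         # one character added, dropped, changed or swapped
    return None

# Constructed sample data: a protected name and a feed of observed registrations.
PROTECTED = "modernfield-airport.com"
OBSERVED = ["modemfield-airport.com", "modernfield-airport.online",
            "modernfeild-airport.com", "citytransit.com", PROTECTED]

def scan(observed=OBSERVED, protected=PROTECTED):
    """Return {domain: reason} for every observed domain that looks like ours."""
    hits = {d: classify(d, protected) for d in observed}
    return {d: why for d, why in hits.items() if why}

if __name__ == "__main__":
    for domain, why in scan().items():
        print(f"{why:9} {domain}")
```

The "rn"/"m" swap is two edits apart from the real name, so the kerning fold catches a case that a distance-1 check alone would miss.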
Internationalized domain names (IDNs) are similarly problematic. IDNs allow domains with non-Latin characters to be registered, though visual similarities between characters in different scripts, called homoglyphs, can be used to create domain names with visually indiscernible differences, such as substituting the Cyrillic characters Т, е, с, and р for the Latin T, e, c, and p. Attackers can use these substitutions to register similar-looking domain names.
While Google Chrome disallows domains from using a mixture of Cyrillic and Latin characters, instead displaying the Punycode equivalent, which starts with "xn--," this is not a guarantee when emails are sent from these domains, with many mail clients displaying the mixed character set. Domains used in these attacks are typically seen as part of highly targeted attacks, the report stated.
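The same check can be applied where the browser's protection does not reach, for example to sender domains at a mail gateway. The following is an added example, not code from the original article; the sample domains, the small `CONFUSABLE` table and the function names are constructed for illustration, and `to_ascii` uses raw Punycode without the normalization steps of full IDNA processing.

```python
import unicodedata

# Cyrillic letters from the article's list that stay look-alikes in lowercase
# (е, с, р), plus two added ones (а, о). A hand-built table for illustration.
CONFUSABLE = {"\u0435": "e", "\u0441": "c", "\u0440": "p",
              "\u0430": "a", "\u043e": "o"}

def to_unicode(label: str) -> str:
    """Decode an 'xn--' (Punycode) label to the characters a user would see."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label: str) -> str:
    """Encode a label the way it travels in DNS (letters, digits, hyphens)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label: str) -> set:
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {"LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_domain(domain: str, protected: str) -> dict:
    """Report display form, wire form and two homoglyph signals for a domain."""
    labels = [to_unicode(part) for part in domain.lower().split(".")]
    display = ".".join(labels)
    skeleton = "".join(CONFUSABLE.get(ch, ch) for ch in display)
    return {
        "display": display,
        "wire": ".".join(to_ascii(part) for part in labels),
        "mixed_script": any(len(scripts(part)) > 1 for part in labels),
        "imitates_protected": skeleton == protected and display != protected,
    }

# Constructed samples: a Cyrillic "р" inside a Latin label, and an all-Cyrillic label.
MIXED = inspect_domain("air\u0440ort-wifi.example", "airport-wifi.example")
WHOLE = inspect_domain("\u0441\u0435\u0440\u0435.example", "cepe.example")

if __name__ == "__main__":
    for report in (MIXED, WHOLE):
        print(report)
```

The second sample is written entirely in Cyrillic, so the mixed-script test does not fire and only the comparison against the protected name flags it.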
The FBI’s civilian information sharing support group, InfraGard, additionally shares vital information such as this warning with its membership. InfraGard is a partnership between the FBI and members of the 16 private sectors. The InfraGard program provides a vehicle for seamless public-private collaboration with the government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure. With thousands of vetted members nationally, InfraGard's membership includes business executives, entrepreneurs, military and government officials, computer professionals, academia, and state and local law enforcement, each dedicated to contributing industry-specific insight and advancing national security. If you are interested in joining, visit the InfraGard National site at https://www.infragard.org/
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
 The Cyrillic script is a writing system used for various languages across Eurasia and is used as the national script in various Slavic, Turkic, Mongolic, and Iranic-speaking countries in Eastern Europe, the Caucasus, Central Asia and Northern Asia.
 Punycode is a representation of Unicode with the limited ASCII character subset used for Internet hostnames. Using Punycode, hostnames containing Unicode characters are transcoded to a subset of ASCII consisting of letters, digits, and hyphens, which is called the Letter-Digit-Hyphen (LDH) subset.