Do you want to go to the US for a vacation? For the obvious convenience, most travelers already buy airline tickets online. Beware, though: Advanced Threat Researcher Paul Ferguson has discovered the following American Airlines phish, and it seems a unique profit opportunity for malware writers is emerging:
Figure 1. American Airlines phishing page
The login page looks exactly like the original site, luring users into entering their airline advantage number and password. After logging in, users are automatically redirected to the following survey form:
Figure 2. Fake American Airlines survey form
Once users enter the required information, phishers can access their accounts and may fly freely to whatever country they like, with the bills charged to the innocent customers. Another interesting aspect here is that the phishers seem to have set up a spare phishing Web site (the source code contains another phishing URL):
Figure 3. American Airlines phishers’ plan B
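For defenders triaging a captured page like this one, the sketch below lists where the login form posts and which hosts appear in the page source besides the brand and the serving host, which is how a spare site referenced in the source would surface for blocking. It is an added example, not code from the original post; the sample HTML, all host names and the `triage` helper are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: every host below is a placeholder, not a value from the post.
PAGE_URL = "http://phish-primary.example/aa/login.html"
BRAND_DOMAINS = {"airline.example"}  # assumed legitimate brand domain(s)
SAMPLE_HTML = """<html><body>
<!-- backup: http://phish-backup.example/aa/login.html -->
<img src="https://www.airline.example/images/logo.gif">
<form method="post" action="login.php">
<input name="number"><input type="password" name="pass"></form>
<script>var next = "http://phish-backup.example/aa/survey.html";</script>
</body></html>"""

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

class RefCollector(HTMLParser):
    """Collect (kind, absolute URL) from attributes, comments and inline text."""
    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.refs.append((f"{tag}@{name}", urljoin(self.base, value)))
    def handle_comment(self, data):
        self.refs += [("comment", u) for u in URL_RE.findall(data)]
    def handle_data(self, data):  # also receives inline <script> bodies
        self.refs += [("text", u) for u in URL_RE.findall(data)]

def triage(html, page_url, brand_domains):
    """Return where forms post, plus hosts that are neither brand nor serving host."""
    collector = RefCollector(page_url)
    collector.feed(html)
    collector.close()
    serving = urlsplit(page_url).hostname
    posts = [u for kind, u in collector.refs if kind == "form@action"]
    other = {}
    for kind, url in collector.refs:
        host = urlsplit(url).hostname
        is_brand = host and any(host == d or host.endswith("." + d) for d in brand_domains)
        if host and host != serving and not is_brand:
            other.setdefault(host, set()).add(kind)
    return {"form_posts": posts, "other_hosts": {h: sorted(k) for h, k in other.items()}}

if __name__ == "__main__":
    print(triage(SAMPLE_HTML, PAGE_URL, BRAND_DOMAINS))
```

Any host reported under `other_hosts` is a candidate for the same blocklist entry as the page that was first reported.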
American Airlines AAdvantage is the oldest frequent-flier and rewards program. It also remains the world’s largest to date (at least according to its Wiki entry). Members receive an array of benefits which, despite recent news of airline difficulties related to the increase in jet fuel costs, continue to attract and retain patrons. Said subscribers should be wary of email purporting to come from the American Airlines AAdvantage department as they may unknowingly be giving away their hard-earned miles to phishers for free.
That phishers are now eyeing this aspect of the broad landscape of online transactions suggests that cybercriminals will only continue to get more creative in thinking of ways to wrongfully profit online.
Other non-traditional phishing attacks seen of late (“traditional phishing” typically involves either online banking or ecommerce sites) are the following:
- Phishers Spoof Facebook (Again)
- “Want to Know Who Deleted You on MSN Live?”
- Picture-Perfect Phishing
- Phishers Cast a Seamless Attack on MobileMe
The two malicious URLs mentioned in this post are now blocked by the Trend Micro Smart Protection Network.