Double Trouble: Unmasking Twin Phishing Campaigns Targeting E-commerce and Travel Sites

Back to the list of Speakers and Sessions
Watch the stream

In today's technology-driven landscape, the transition to digital transactions has eclipsed conventional face-to-face interactions, presenting novel challenges in ensuring transaction security. Users, perhaps inadvertently, heighten security risks by opening email attachments from phishing attempts, intensifying the complexities of online transaction security. Moreover, there exists the potential of voluntarily disclosing sensitive information, further adding intricacy to the digital transaction security landscape.

Compounding this issue, cyber attacks leverage customer data pilfered from compromised merchants. Victims find themselves coerced into divulging credit card details through a sophisticated, multi-step process. This research brings to light a new phishing campaign, unraveling the techniques, tactics, procedures (TTPs), and indicators of compromise (IoCs) employed by threat actors. These encompass the exploitation of the platform's chat function and the incorporation of transaction data to bolster the credibility of phishing pages.

The cyber attacks, though strikingly similar, employ urgent language and intimate knowledge of users' bookings, instilling credibility in deceitful messages. However, distinctive cues like odd URLs and typos serve as saviors for potential victims. Upon analysis, these campaigns redirect users to counterfeit sites that mirror legitimate e-commerce platforms. The craftiness of cyber criminals shines through identical HTML elements and scripts, meticulously validating data and even circumventing multi-factor authentication.

Further investigation unveils the tactics employed by cyber thieves: exploiting InfoStealer malware to breach hotel chat systems and amass valuable customer data, escalating their targeted attacks. Open-source intelligence tools reveal a broader scope, a twin campaign where attackers impersonating various platforms, not limited to travel sites but also other e-commerce platforms, since 2021. Domain fronting is also consistently employed to conceal their tracks along with some other TTPs.

The research culminates in insights and recommendations to enhance the security of all parties involved. By implementing these suggestions, it is hoped that both platforms and merchant-customers can fortify their resilience, mitigating potential risks in the dynamic digital landscape.


Mangatas Tondang (@tas_kmanager) Security Researcher, Microsoft / Curated Intelligence

Tas has spent the last five years immersed in the worlds of threat hunting, detection engineering, and security research. Currently, he's making changes at Microsoft, specializing in cloud security research. Beyond his professional endeavors, Tas is a passionate contributor to the cybersecurity community, holding roles in the DFIR report and Curated Intelligence. He's also no stranger to the stage, having presented at various conferences around the globe, to name a few SANS Summits and DEF CON BTV. When he's not navigating the digital landscape, Tas enjoys the art of astrophotography and embarking on spontaneous adventures across the globe exploring landscapes and cuisines.