Details about an ongoing cybersquatting campaign targeting Turkish Airlines were recently unveiled, naming 13 malicious domains connected to the threat. As one of our primary goals is to expand published lists of indicators of compromise (IoCs), we dug deeper into the campaign to determine if the threat is confined to Turkish Airlines or if other industry players are at risk as well.

We used various WHOIS, IP, DNS, and threat intelligence sources and found that:

• A total of 355 domains containing the string “airlines” were registered on 28 September—28 October 2021. Thirteen of these shared the same registrant country as the 13 publicized IoCs. Two out of them shared the same creation date as the 13 identified IoCs. Thirteen of them shared the same geolocation origin. Finally, two of them were dubbed “dangerous.”
• A total of 1,361 domains containing the string “airlines” that were due to expire within the same period. Twenty-six of them shared the same IP address as the 13 Turkish Airlines IoCs. Four of them were also dubbed “dangerous.”

Feel free to download the complete list of additional IoCs and artifacts related to this threat research. Our main findings are also further detailed below.

What We Know So Far

The 13 malicious domains shared the same potentially malicious name (ns1[.]smartname[.]com and ns2[.]smartname[.]com) and WHOIS (whois[.]dnspod[.]cn) servers, according to the IBM X-Force Exchange report. Apart from those details, do they share other similarities?

A Closer Look

As mentioned above, we used various tools to take the investigation further. The following sections reveal our findings.

Are Other Airlines at Risk?

According to data obtained from Newly Registered & Just Expired Domains between 28 September and 28 October 2021, at least 355 domain names containing the string “airlines” were recently registered within the month.

A bulk WHOIS lookup for the 355 domains revealed that only 287 had retrievable WHOIS records. While none of the 287 domains shared the same name and WHOIS server details with the 13 that IBM X-Force Exchange identified, 13 of the additional domains were registered in China (the registrant country of the Turkish Airlines domains), namely:

• airlines-customer-service[.]com
• airlines-number[.]com
• airlineshuttlecorp[.]com
• airlineshome[.]com
• airlinesourcing[.]com
• allairlinesaid[.]com
• britanniaairlines[.]com
• greater-bay-airlines[.]hk
• instantairlines[.]com
• minairlines[.]com
• unitedairlinesspecialoffers[.]com
• venusairlines[.]com
• vietnamairlines247[.]net

Two of the 287 domains also shared the same creation date as the 13 identified by IBM. These domains are afrijetairlines[.]fr and somonairlines[.]com.

A bulk IP & DNS lookup showed that the 13 original domains shared the same geographic origin (U.S.) as 308 of the additional domains. Examples include:

• singaporeairlinesvacations[.]com
• unitedairlinesspecialoffers[.]com
• hannanairlines[.]com
• machoolairlines[.]com
• heritageairlines[.]com
• aliganceairlines[.]com
• dewltaairlines[.]com
• copaairliness[.]com
• allienceairlines[.]com
• rightwingairlines[.]com

While we didn’t find definitive proof of the newly identified domains’ connections to the original squatting campaign, a bulk malware check using Threat Intelligence Platform (TIP) API revealed that two (malaysianairlines[.]de and 2020airlines[.]top) of the 355 domains have been deemed “dangerous” by various malware databases.

We also looked at the domains that were due to expire and containing the string “airlines” for the same period and found 1,361 entries.

A bulk WHOIS lookup for these revealed that one domain (airlines-manager[.]icu) shared the same WHOIS server as the 13 domains in the list of Turkish Airlines IoCs.

A bulk IP/DNS lookup, meanwhile, revealed that 26 of the newly expired domains shared the same IP address (35[.]186[.]238[.]101) as the original 13 in the published list of IoCs. They could belong to the same individual or group currently targeting Turkish Airlines. These domains are:

• greatairlines[.]com
• airlinesticketsonline[.]com
• cancunairlines[.]com
• americantranairlines[.]com
• tahitianairlines[.]com
• honoluluairlines[.]com
• airlinestewardess[.]com
• cheapairlinesite[.]com
• ukraineinternationalairlines[.]com
• apiritairlines[.]com
• centralamericanairlines[.]com
• overyonderairlines[.]com
• americatransairlines[.]com
• airlinesky[.]com
• airlinesdepot[.]com
• indigoairlinesindia[.]com
• airlinesticket[.]net
• jamacianairlines[.]com
• chennaiairlines[.]com
• canairlines[.]com
• balkanairlines[.]com
• bulldogairlines[.]com
• swiftairlines[.]com
• goldencityairlines[.]com
• airlinesafetyguide[.]com
• airlinesweb[.]com

Apart from the 26 newly expired domains, including four others (agribankairlines[.]net, panamairlines[.]com, animalairlines[.]org, and airlinescs[.]com) in your blocklist is recommended since they have been dubbed “dangerous” by various malware databases, according to our bulk TIP API check.

As we’ve seen here, the IoCs IBM named could be part of a bigger attack infrastructure, given the list of 26 recently expired domains that shared the 13 initial domains’ IP addresses. These domains pointed to other airline industry players that may have been targeted by the same threat actors like American Airlines, Ukraine International Airlines (UIA), and Spirit Airlines.

Are you investigating a similar campaign? Maybe we can collaborate. Contact us to find out more about the methodology we used and tools we employed to get relevant data today.