Home / Industry

Detecting Possible Fraud Vehicles Specific to Latin America and the Caribbean

Although fraud is a global issue, some threats may be unique to certain regions. Accertify listed some subtrends specific to Latin America and the Caribbean (LAC), including those involving the airline and digital wallet industries.

WhoisXML API researchers looked into these LAC-specific fraud trends and found:

  • 4,500+ cybersquatting domains targeting LAC-based airlines
  • 5,000+ cybersquatting domains targeting popular LAC-based digital wallet providers
  • Less than 1% of the cybersquatting domains in both industries that could be publicly attributed to the imitated companies
  • Several cybersquatting domains that were found malicious, with some hosting phishing content
  • A public registrant email address used to register one of the malicious domains that led to a network comprising 60 domains, several of which were also found malicious and imitated well-known companies

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Identifying Possible Fraud Vehicles

When Interpol described how airline ticket fraud works, the organization talked about cybercriminals using professional-looking websites as fronts for selling plane tickets. These tickets were bought using stolen or hacked credit cards and then offered for sale via professional-looking websites at reduced prices. While victims might think they found a great deal, they might eventually lose their tickets and money instead.

Using legitimate-looking websites and domain names to lure victims isn’t unique to airline ticket fraud. Other types of fraud can be carried out using look-alike web properties. Identifying cybersquatting domains targeting airlines and digital wallet providers in LAC can help uncover possible vehicles for fraud.

Potential Vehicles for Airline Fraud

Using Domains & Subdomains Discovery, we found 4,576 domains that bore the names of some of the top LAC-based airlines, including Avianca, Volaris, Winair, Aeromexico, Western Air, and Copa Airlines.

The complete list of airlines is shown in the table below, along with the search strings we used and the number of possible cybersquatting domains we found.

CompanySearch StringNumber of Cybersquatting DomainsCompanySearch StringNumber of Cybersquatting Domains
Aviancaavianca940LATAM Airlineslatamairlines100
Volarisvolaris659Cubana de Aviacioncubana + air96
Winairwinair618Air Caraibesaircaraibes87
Aerolineas Argentinasaerolineas581Azulvoeazul80
Aeromexicoaeromexico447Caribbean Airlinescaribbean + airlines68
Western Airwesternair247Aruba Airaruba + air54
Bahamasairbahamas+air219InterCaribbean Airwaysintercaribbean44
Copa Airlinescopaair184Cayman Airwayscaymanairways27
Golvoegol107Air Antillesairantilles18

We ran these digital properties on bulk WHOIS and IP lookup tools to perform domain attribution by comparing the results against the IP hosts and WHOIS details of the airline companies’ official domains.

Based on the lookup results, less than 1% of the domains could be publicly attributed to the airline companies whose names appeared in the domains. In addition, only 27 of the total number of cybersquatting domains shared the official domains’ IP hosts. On the other hand, only 11 cybersquatting domains could be attributed to the official domains’ registrants.

While some of these unattributable domains may be owned and operated by travel agencies and other legitimate businesses, others may not be so innocent. In fact, a few of the domains have already been flagged as malicious, while others like the ones shown below hosted questionable content.

Note that these login pages looked different from the official login pages of the imitated airline companies.

Potential Vehicles for Fraud Targeting Digital Wallet Users

Using the names of some of the most popular digital wallets in LAC as search strings on Domains & Subdomains Discovery, we found 5,047 possible cybersquatting domains. The table below shows the digital wallet providers included in the study, the search strings we used, and the number of cybersquatting properties we found.

CompanySearch StringNumber of Cybersquatting DomainsCompanySearch StringNumber of Cybersquatting Domains
Mercado Pagomercadopago2,003Interbancointer261
Yapeyape1,486Itau Unibanco - Itiiti+itau223
PagBank PagSeguropagseguro617Daviplatadaviplata49
PicPaypicpay408

We then retrieved the domains’ WHOIS records and IP geolocation details using Bulk WHOIS Lookup and Bulk IP Geolocation Lookup. Based on the results, we found that only a few of the domains could be publicly attributed to the imitated digital wallet providers. Only eight cybersquatting domains shared the IP hosts of the official domains, while only 12 shared the digital wallet providers’ official registrant names.

About 3.4% of the domains imitating the LAC-based digital wallet providers were also found malicious. Some of these domains continued to resolve albeit to warning content.

Extended Threat Discovery

We found a public email address used to register mercadopagorecargar[.]com, one of the malicious domains. Running this on Reverse WHOIS Search, 59 additional domains were discovered. Eight of the connected domains were malicious, including those imitating DirecTV and Spanish bank BBVA.


One of the many faces fraud takes is a cybersquatting domain that allows threat actors to bank on the reputation of the imitated company to lure victims in. In this study, we focused on LAC-based airlines and digital wallets and found thousands of potential vehicles for fraud. The same could be said for other sectors and regions, making continuous threat discovery and monitoring critical to fraud and cybercrime prevention.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API