Although fraud is a global issue, some threats may be unique to certain regions. Accertify listed some subtrends specific to Latin America and the Caribbean (LAC), including those involving the airline and digital wallet industries.
WhoisXML API researchers looked into these LAC-specific fraud trends and found:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
When Interpol described how airline ticket fraud works, the organization talked about cybercriminals using professional-looking websites as fronts for selling plane tickets. These tickets are bought with stolen or hacked credit cards and then offered for sale through those websites at reduced prices. While victims might think they found a great deal, they may eventually lose both their tickets and their money.
Using legitimate-looking websites and domain names to lure victims isn’t unique to airline ticket fraud. Other types of fraud can be carried out using look-alike web properties. Identifying cybersquatting domains targeting airlines and digital wallet providers in LAC can help uncover possible vehicles for fraud.
Using Domains & Subdomains Discovery, we found 4,576 domains that bore the names of some of the top LAC-based airlines, including Avianca, Volaris, Winair, Aeromexico, Western Air, and Copa Airlines.
The complete list of airlines is shown in the table below, along with the search strings we used and the number of possible cybersquatting domains we found.
Company | Search String | Number of Cybersquatting Domains
---|---|---
Avianca | avianca | 940
Volaris | volaris | 659
Winair | winair | 618
Aerolineas Argentinas | aerolineas | 581
Aeromexico | aeromexico | 447
Western Air | westernair | 247
Bahamasair | bahamas+air | 219
Copa Airlines | copaair | 184
Gol | voegol | 107
LATAM Airlines | latamairlines | 100
Cubana de Aviacion | cubana + air | 96
Air Caraibes | aircaraibes | 87
Azul | voeazul | 80
Caribbean Airlines | caribbean + airlines | 68
Aruba Air | aruba + air | 54
InterCaribbean Airways | intercaribbean | 44
Cayman Airways | caymanairways | 27
Air Antilles | airantilles | 18
We ran these digital properties on bulk WHOIS and IP lookup tools to perform domain attribution by comparing the results against the IP hosts and WHOIS details of the airline companies’ official domains.
Based on the lookup results, less than 1% of the domains could be publicly attributed to the airline companies whose names appeared in them: only 27 of the cybersquatting domains shared the official domains’ IP hosts, and only 11 could be attributed to the official domains’ registrants.
While some of these unattributable domains may be owned and operated by travel agencies and other legitimate businesses, others may not be so innocent. In fact, a few of the domains have already been flagged as malicious, while others, like the ones shown below, hosted questionable content.
Note that these login pages looked different from the official login pages of the imitated airline companies.
Using the names of some of the most popular digital wallets in LAC as search strings on Domains & Subdomains Discovery, we found 5,047 possible cybersquatting domains. The table below shows the digital wallet providers included in the study, the search strings we used, and the number of cybersquatting properties we found.
Company | Search String | Number of Cybersquatting Domains
---|---|---
Mercado Pago | mercadopago | 2,003
Yape | yape | 1,486
PagBank PagSeguro | pagseguro | 617
PicPay | picpay | 408
Inter | bancointer | 261
Itau Unibanco - Iti | iti+itau | 223
Daviplata | daviplata | 49
We then retrieved the domains’ WHOIS records and IP geolocation details using Bulk WHOIS Lookup and Bulk IP Geolocation Lookup. Based on the results, we found that only a few of the domains could be publicly attributed to the imitated digital wallet providers. Only eight cybersquatting domains shared the IP hosts of the official domains, while only 12 shared the digital wallet providers’ official registrant names.
About 3.4% of the domains imitating the LAC-based digital wallet providers were also found to be malicious. Some of these domains continued to resolve, albeit to warning content.
We found a public email address used to register mercadopagorecargar[.]com, one of the malicious domains. Running this address through Reverse WHOIS Search surfaced 59 additional domains. Eight of the connected domains were malicious, including ones imitating DirecTV and the Spanish bank BBVA.
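The attribution workflow used for both the airline and digital wallet sets (search-string matching, then comparing candidate domains’ IP hosts and registrant details against the official domains) and the reverse-WHOIS pivot on a registrant email can be reproduced offline on lookup output. The following is an added example, not WhoisXML API’s tooling; all domains, registrants, emails and IPs are constructed, and privacy-redacted registrants are treated as no evidence of ownership.

```python
"""Added example: attribute candidate cybersquatting domains to a brand and
pivot on a registrant email. Every record below is constructed sample data."""

# Constructed official record: the brand's real domain, registrant and hosting IPs.
OFFICIAL = {
    "example-air.com": {"registrant": "Example Air SA",
                        "email": "dns@example-air.com", "ips": {"203.0.113.10"}},
}

# Constructed bulk WHOIS + IP lookup results for candidate domains.
CANDIDATES = [
    {"domain": "exampleair-checkin.com", "registrant": "Example Air SA",
     "email": "dns@example-air.com", "ips": {"198.51.100.5"}},
    {"domain": "example-air-promo.net", "registrant": "REDACTED FOR PRIVACY",
     "email": "REDACTED FOR PRIVACY", "ips": {"203.0.113.10"}},
    {"domain": "exampleair-tickets.com", "registrant": "REDACTED FOR PRIVACY",
     "email": "hypothetical-registrant@example.net", "ips": {"192.0.2.77"}},
    {"domain": "exampleair-refund.com", "registrant": "REDACTED FOR PRIVACY",
     "email": "hypothetical-registrant@example.net", "ips": {"192.0.2.78"}},
    {"domain": "bank-example-login.com", "registrant": "REDACTED FOR PRIVACY",
     "email": "hypothetical-registrant@example.net", "ips": {"192.0.2.79"}},
]

REDACTED = "REDACTED FOR PRIVACY"

def matches_search(domain, search):
    """Apply a search string: 'a + b' needs every token in the label, else substring."""
    label = domain.lower().rsplit(".", 1)[0]
    return all(tok.strip() in label for tok in search.split("+"))

def attribute(candidates, official):
    """Classify each candidate by shared IP host, shared registrant, or neither."""
    result = {"shared_ip": [], "shared_registrant": [], "unattributed": []}
    for c in candidates:
        by_ip = any(c["ips"] & o["ips"] for o in official.values())
        by_reg = c["registrant"] != REDACTED and any(
            c["registrant"] == o["registrant"] for o in official.values())
        if by_ip:
            result["shared_ip"].append(c["domain"])
        if by_reg:
            result["shared_registrant"].append(c["domain"])
        if not (by_ip or by_reg):
            result["unattributed"].append(c["domain"])
    return result

def reverse_whois(email, records):
    """Pivot: every domain in the dataset registered with the same public email."""
    return sorted(r["domain"] for r in records if r["email"] == email)

if __name__ == "__main__":
    hits = [c for c in CANDIDATES if matches_search(c["domain"], "example + air")]
    print(attribute(hits, OFFICIAL))
    print(reverse_whois("hypothetical-registrant@example.net", CANDIDATES))
```

On real lookup output, a shared IP on a large shared hosting provider is weaker evidence than a shared registrant organization, so treat the two classes separately as the study does.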
One of the many faces fraud takes is a cybersquatting domain that allows threat actors to bank on the reputation of the imitated company to lure victims in. In this study, we focused on LAC-based airlines and digital wallets and found thousands of potential vehicles for fraud. The same could be said for other sectors and regions, making continuous threat discovery and monitoring critical to fraud and cybercrime prevention.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.