Travel organisations are the summer's preferred phishing target

At the end of May, Kaspersky was already warning in a blog: the Travelphishing Season is now open. Since early summer, more and more spammers and phishers around the world have been posing as travel organisations to trick consumers into giving them money and personal data. In many cases, lookalike domain names are used. We wanted to know whether the Netherlands was affected as well, so we carried out our own analysis. Using the Domain Name Surveillance Service, we looked for evidence of issues associated with the names of four of the country's biggest online travel service providers. Were their brand names being abused and, if so, how? What risks were consumers exposed to?

Analysis of four leading brands

Our analysis involved looking for .nl domain names similar to four well-known brands: Sunweb, Corendon, Vakantiediscounter and Prijsvrij. We discovered 617 lookalikes. It's not surprising that there are so many similar names in use, because some of the brands are based on fairly generic Dutch words. Eighty-six of the 617 domain names we found proved to be registered by the brand owners, their holding companies or subsidiaries. Legitimate registrations, in other words, probably made for defensive reasons, or with new services in mind. A further twelve domain names were held by legitimate partner companies, such as local travel agencies (e.g.

Five hundred brand name lookalikes

So just over five hundred domain names were unaccounted for. Most resembled the name Sunweb, which is of course based on highly generic words. Many of those had no obvious link to the travel industry. Names such as or are likely to have quite different associations in a consumer's mind. We didn't find nearly as many domain names resembling Prijsvrij, Corendon or Vakantiediscounter: about forty in each case. A large proportion of them appeared to be trying to cash in on an established brand's reputation, as with

Lookalikes mainly after advertising revenue

Those domains were being used for fairly benign purposes. Most of the associated webpages simply carried Google ads for the brand itself, which visitors could click to reach the travel company's site. The incentive for setting up a page like that is to earn kickback fees from Google: the travel company pays Google for every visitor who clicks on one of its ads, and the page host gets a cut.

Abuse is often invisible

None of the websites we came across were clearly being used for phishing. However, it's important to remember that we can't tell by scanning a website whether a domain name is being used for spam. And why, for example, is the domain -- which simply redirects to Corendon's own site -- registered to an anonymous party in Luxembourg?

Travel companies are advised to actively monitor for brand abuse

Many of our finds raised the same question: why does a domain with an innocent-looking website have a registrant whose name doesn't match the company name? We certainly can't exclude the possibility that the domains in question have been registered for spamming or phishing. What's more, our scan reveals the picture at a particular moment in time. And the use of a domain can change overnight. Travel companies would therefore do well to actively monitor for brand abuse.
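
The triage described in this article (find lookalikes, set aside those held by the brand owner or a known partner, review the rest) can be sketched as follows. This is an added example, not SIDN's code or the method used by the Domain Name Surveillance Service; the matching rules, the threshold, the `.example` names and the registrant labels are all constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

BRANDS = ["sunweb", "corendon", "vakantiediscounter", "prijsvrij"]  # from the article
# Assumed, deliberately small map of digit-for-letter swaps
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain):
    """Reduce a domain to a comparable form of its first label."""
    label = domain.lower().rstrip(".").split(".")[0]
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return label.translate(CONFUSABLES).replace("-", "")

def matched_brand(domain, threshold=0.85):
    """Return the brand this domain resembles, or None."""
    label = normalise(domain)
    for brand in BRANDS:
        # Brand embedded in a longer name, or a near-miss spelling of it
        if brand in label or SequenceMatcher(None, brand, label).ratio() >= threshold:
            return brand
    return None

def triage(registrations, owners, partners):
    """Sort (domain, registrant) pairs into the article's three groups."""
    groups = {"brand_owner": [], "partner": [], "unaccounted": []}
    for domain, registrant in registrations:
        brand = matched_brand(domain)
        if brand is None:
            continue  # not a lookalike of any monitored brand
        if registrant in owners.get(brand, ()):
            groups["brand_owner"].append(domain)
        elif registrant in partners.get(brand, ()):
            groups["partner"].append(domain)
        else:
            groups["unaccounted"].append(domain)  # needs a human look
    return groups

# Constructed sample data: .example names and placeholder registrants
SAMPLE = [
    ("sunweb-vakanties.example", "owner-A"),
    ("c0rendon.example", "anonymous-C"),
    ("prijs-vrij.example", "partner-B"),
    ("prijsvrj.example", "anonymous-D"),
    ("fietsenwinkel.example", "shop-E"),
]
OWNERS = {"sunweb": {"owner-A"}}
PARTNERS = {"prijsvrij": {"partner-B"}}

if __name__ == "__main__":
    for group, domains in triage(SAMPLE, OWNERS, PARTNERS).items():
        print(group, domains)
```

Because a scan only shows one moment in time, a check like this is useful when it is re-run on fresh registration data and the "unaccounted" list is compared with the previous run.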
