Travel organisations are the summer's preferred phishing target
At the end of May, Kaspersky was already warning in a blog: the Travelphishing Season is now open. Since early summer, more and more spammers and phishers around the world have been posing as travel organisations to trick consumers into giving them money and personal data. In many cases, lookalike domain names are used. We wanted to know whether the Netherlands was affected as well, so we carried out our own analysis. Using the Domain Name Surveillance Service, we looked for evidence of issues associated with the names of four of the country's biggest online travel service providers. Were their brand names being abused and, if so, how? What risks were consumers exposed to?
Analysis of four leading brands
Our analysis involved looking for .nl domain names similar to four well-known brands: Sunweb, Corendon, Vakantiediscounter and Prijsvrij. We discovered 617 lookalikes. It's not surprising that there are so many similar names in use, because some of the brands are based on fairly generic Dutch words. Eighty-six of the 617 domain names we found proved to be registered by the brand owners, their holding companies or subsidiaries. Legitimate registrations, in other words, probably made for defensive reasons, or with new services in mind. A further twelve domain names were held by legitimate partner companies, such as local travel agencies (e.g. corendonvliegvakanties.nl).
Five hundred brand name lookalikes
So just over five hundred domain names were unaccounted for. Most resembled the name Sunweb, which is of course based on highly generic words. Many of those had no obvious link to the travel industry. Names such as sumweb.nl or punweb.nl are likely to have quite different associations in a consumer's mind. We didn't find nearly as many domain names resembling Prijsvrij, Corendon or Vakantiediscounter: about forty in each case. A large proportion of them appeared to be trying to cash in on an established brand's reputation, as with wwwprijsvrij.nl.
Lookalikes mainly after advertising revenue
Those domains were being used for fairly benign purposes. Most of the associated webpages simply carried Google ads for the brand itself, which visitors could click to reach the travel company's site. The incentive for setting up a page like that is to earn kickback fees from Google: the travel company pays Google for every visitor who clicks on one of its ads, and the page host gets a cut.
Abuse is often invisible
None of the websites we came across were clearly being used for phishing. However, it's important to remember that we can't tell by scanning a website whether a domain name is being used for spam. And why, for example, is the domain corendonn.nl -- which simply redirects Corendon's own site -- registered to an anonymous party in Luxembourg?
Travel companies are advised to actively monitor for brand abuse
Many of our finds raised the same question: why does a domain with an innocent-looking website have a registrant whose name doesn't match the company name? We certainly can't exclude the possibility that the domains in question have been registered for spamming or phishing. What's more, our scan reveals the picture at a particular moment in time. And the use of a domain can change overnight. Travel companies would therefore do well to actively monitor for brand abuse.