Travel organisations are the summer's preferred phishing target

At the end of May, Kaspersky was already warning in a blog: the Travelphishing Season is now open. Since early summer, more and more spammers and phishers around the world have been posing as travel organisations to trick consumers into giving them money and personal data. In many cases, lookalike domain names are used. We wanted to know whether the Netherlands was affected as well, so we carried out our own analysis. Using the Domain Name Surveillance Service, we looked for evidence of issues associated with the names of four of the country's biggest online travel service providers. Were their brand names being abused and, if so, how? What risks were consumers exposed to?

Analysis of four leading brands

Our analysis involved looking for .nl domain names similar to four well-known brands: Sunweb, Corendon, Vakantiediscounter and Prijsvrij. We discovered 617 lookalikes. It's not surprising that there are so many similar names in use, because some of the brands are based on fairly generic Dutch words. Eighty-six of the 617 domain names we found proved to be registered by the brand owners, their holding companies or subsidiaries. Legitimate registrations, in other words, probably made for defensive reasons, or with new services in mind. A further twelve domain names were held by legitimate partner companies, such as local travel agencies (e.g. corendonvliegvakanties.nl).

Five hundred brand name lookalikes

So just over five hundred domain names were unaccounted for. Most resembled the name Sunweb, which is of course based on highly generic words. Many of those had no obvious link to the travel industry. Names such as sumweb.nl or punweb.nl are likely to have quite different associations in a consumer's mind. We didn't find nearly as many domain names resembling Prijsvrij, Corendon or Vakantiediscounter: about forty in each case. A large proportion of them appeared to be trying to cash in on an established brand's reputation, as with wwwprijsvrij.nl.

Lookalikes mainly after advertising revenue

Those domains were being used for fairly benign purposes. Most of the associated webpages simply carried Google ads for the brand itself, which visitors could click to reach the travel company's site. The incentive for setting up a page like that is to earn kickback fees from Google: the travel company pays Google for every visitor who clicks on one of its ads, and the page host gets a cut.

Abuse is often invisible

None of the websites we came across were clearly being used for phishing. However, it's important to remember that we can't tell by scanning a website whether a domain name is being used for spam. And why, for example, is the domain corendonn.nl -- which simply redirects Corendon's own site -- registered to an anonymous party in Luxembourg?

Travel companies are advised to actively monitor for brand abuse

Many of our finds raised the same question: why does a domain with an innocent-looking website have a registrant whose name doesn't match the company name? We certainly can't exclude the possibility that the domains in question have been registered for spamming or phishing. What's more, our scan reveals the picture at a particular moment in time. And the use of a domain can change overnight. Travel companies would therefore do well to actively monitor for brand abuse.

Michiel_Hennekes

Michiel Henneke

Marketing manager

+31 26 352 55 00

marketing@sidn.nl

  • Monday 29 January 2018

    About SIDN

    New batch of internet projects gets the green light

    Thumb+logo+SIDN+fonds

    22 projects start with support from SIDN fund

    Read more
  • Monday 12 November 2018

    Internet security

    Watch out! Fake Tikkie domain name used in scam

    Tikkie-thumb

    Case: Tikkie domain name scam

    Read more
  • Monday 25 March 2019

    About SIDN

    A world where language isn't a barrier

    Thumb-man-writing-on-whiteboard

    Travis Foundation digitises languages to facilitate integration

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.