Travel organisations are the summer's preferred phishing target

The holiday season has started

At the end of May, Kaspersky was already warning in a blog: the Travelphishing Season is now open. Since early summer, more and more spammers and phishers around the world have been posing as travel organisations to trick consumers into giving them money and personal data. In many cases, lookalike domain names are used. We wanted to know whether the Netherlands was affected as well, so we carried out our own analysis. Using the Domain Name Surveillance Service, we looked for evidence of issues associated with the names of four of the country's biggest online travel service providers. Were their brand names being abused and, if so, how? What risks were consumers exposed to?

Analysis of four leading brands

Our analysis involved looking for .nl domain names similar to four well-known brands: Sunweb, Corendon, Vakantiediscounter and Prijsvrij. We discovered 617 lookalikes. It's not surprising that there are so many similar names in use, because some of the brands are based on fairly generic Dutch words. Eighty-six of the 617 domain names we found proved to be registered by the brand owners, their holding companies or subsidiaries. Legitimate registrations, in other words, probably made for defensive reasons, or with new services in mind. A further twelve domain names were held by legitimate partner companies, such as local travel agencies (e.g.

Five hundred brand name lookalikes

So just over five hundred domain names were unaccounted for. Most resembled the name Sunweb, which is of course based on highly generic words. Many of those had no obvious link to the travel industry. Names such as or are likely to have quite different associations in a consumer's mind. We didn't find nearly as many domain names resembling Prijsvrij, Corendon or Vakantiediscounter: about forty in each case. A large proportion of them appeared to be trying to cash in on an established brand's reputation, as with

Lookalikes mainly after advertising revenue

Those domains were being used for fairly benign purposes. Most of the associated webpages simply carried Google ads for the brand itself, which visitors could click to reach the travel company's site. The incentive for setting up a page like that is to earn kickback fees from Google: the travel company pays Google for every visitor who clicks on one of its ads, and the page host gets a cut.

Abuse is often invisible

None of the websites we came across were clearly being used for phishing. However, it's important to remember that we can't tell by scanning a website whether a domain name is being used for spam. And why, for example, is the domain -- which simply redirects Corendon's own site -- registered to an anonymous party in Luxembourg?

Travel companies are advised to actively monitor for brand abuse

Many of our finds raised the same question: why does a domain with an innocent-looking website have a registrant whose name doesn't match the company name? We certainly can't exclude the possibility that the domains in question have been registered for spamming or phishing. What's more, our scan reveals the picture at a particular moment in time. And the use of a domain can change overnight. Travel companies would therefore do well to actively monitor for brand abuse.

  • Monday 27 May 2019

    Internet security

    Bits of Freedom makes privacy law work in practice


    My Data Done Right: a new tool for generating personal data requests

    Read more
  • Monday 25 March 2019

    About SIDN

    A world where language isn't a barrier


    Travis Foundation digitises languages to facilitate integration

    Read more
  • Friday 8 November 2019

    .nl domain name

    Registry locks: great potential but little current demand


    About 150 .nl domain names now secured with .nl Control

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.