Posted on: May 26, 2018
Recently, many Indians received a viral message on WhatsApp that promised 2 free tickets to everyone who shared the message with 20 more people over WhatsApp.
What’s interesting is that Jet Airways is actually celebrating its 25th anniversary and has contests going on at https://25years.jetairways.com/. As the scam message spread rapidly, lots of people excitedly shared it with everyone. Well, who wouldn’t like free air tickets when the contest is easy and seems to come directly from Jet Airways’ site:
jetairways[.]com != jetaırways[.]com

The ‘i’ has been replaced with the non-ASCII Unicode character ‘ı’, aka ‘LATIN SMALL LETTER DOTLESS I’ (U+0131), which makes the site name look the same and very hard to notice and differentiate. Such attacks are termed ‘homograph attacks’, in which the original characters of a domain are replaced with similar-looking characters. Also, if one looks at the message closely, the forwarded message doesn’t have a unique ID corresponding to the person sharing it with others.

This is the first time we have observed such a scam campaign targeting an Indian airline; however, such campaigns are not new. There have been multiple reports of such airline ticket scams outside India, involving Delta Airlines, Lufthansa, Thai Air, Singapore Airlines, Virgin Atlantic etc. A few other reports on such attacks:
https://www.kaspersky.com/blog/free-airline-tickets-scam/17036/
https://www.hoax-slayer.net/free-airline-ticket-scam-post-plaguing-facebook/

As only A-Z, 0-9 and hyphens (-) are allowed in domain registration, domain names with such special Unicode characters are converted internally to a Punycode representation. The Punycode representation of this scam domain is:
xn--jetarways-ypb[.]com

At the time of writing this blog, the scam URL jetaırways[.]com (xn--jetarways-ypb[.]com) has been put on hold and taken down (probably due to abuse reports). This domain was registered on 2018-05-21 and its Whois information is privacy protected.
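The homograph and Punycode points above can be turned into a link check; the following is an added example, not code from the original post. The names `check_host`, `normalise`, `CONFUSABLES` and `PROTECTED` are hypothetical, the confusables map is a small constructed subset, and the check also accepts hostnames that arrive already in xn-- form.

```python
import unicodedata

# Constructed, deliberately small confusables map (assumption). Production
# checks should use the full Unicode confusables data from UTS #39.
CONFUSABLES = {"\u0131": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o"}

# Hypothetical watch-list of brand domains; the entry is the one from the post.
PROTECTED = {"jetairways.com"}


def normalise(host):
    """Refang, lowercase, drop a leading 'www.', and decode any xn-- labels."""
    host = host.strip().replace("[.]", ".").rstrip(".").lower()
    if host.startswith("www."):
        host = host[4:]
    # Round-trip through the IDNA codec: Unicode and xn-- input both end up
    # as the Unicode (display) form that a user would see.
    return host.encode("idna").decode("idna")


def check_host(host):
    """Report the Punycode form, non-ASCII characters and imitated brand."""
    uni = normalise(host)
    odd = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
           for ch in uni if ord(ch) > 127]
    # Replace each look-alike with the ASCII letter it resembles.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in uni)
    imitates = skeleton if odd and skeleton in PROTECTED else None
    return {
        "unicode": uni,
        "punycode": uni.encode("idna").decode("ascii"),
        "non_ascii": odd,
        "imitates": imitates,
    }


if __name__ == "__main__":
    # Constructed sample input, defanged the same way as in the post.
    for sample in ["jetairways[.]com", "www[.]jeta\u0131rways[.]com",
                   "xn--jetarways-ypb[.]com"]:
        print(check_host(sample))
```

A hostname is flagged only when it contains at least one non-ASCII character and its ASCII skeleton equals a protected domain, so the genuine domain itself is not reported.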
hxxp://neuewfarben[.]com/404

The domain neuewfarben[.]com was registered on 2017-08-09 and is privacy protected:
whatsapp://send?text=Jetairways Airline is giving 2 Free Tickets to everyone,To celebrate their 25th Anniversary, Click here to Get yours: hxxp://www[.]jetaırways[.]com/tickets .

Once 15 clicks are made, a user can “claim” tickets. None of the clicks or surveys are actually processed. When the user clicks on “Claim tickets”, they are redirected to another site, “www[.]sweetfinalz[.]com”. The domain sweetfinalz[.]com was registered on 2018-04-10 and is privacy protected: