“Jet Airways 25th Anniversary” themed viral scam campaign tricks Indian users

Recently, many Indians received a viral WhatsApp message promising 2 free tickets to everyone who forwarded the message to 20 more people over WhatsApp.





What makes this convincing is that Jet Airways really is celebrating its 25th anniversary and is running contests at https://25years.jetairways.com/. As the scam message spread rapidly, many people excitedly forwarded it to everyone they knew.



Well, who wouldn’t want free air tickets when the contest is easy and the link appears to lead straight to Jet Airways’ own site:

 


On close observation of the URL, the Volon research team noticed that the dot on the ‘i’ of ‘jetairways.com’ is missing. What does this mean? It’s simple:
jetairways[.]com != jetaırways[.]com

The ‘i’ has been replaced with the non-ASCII Unicode character ‘ı’, LATIN SMALL LETTER DOTLESS I (U+0131), which makes the site name look almost identical to the real one and very hard to tell apart. Such attacks are called homograph attacks: characters of the original domain are swapped for similar-looking characters.

Also, a careful reader would notice that the forwarded message carries no unique ID tied to the person sharing it, so there is no way the campaign could actually verify that anyone shared it.

This is the first time we have observed such a scam campaign targeting an Indian airline; however, such campaigns are not new. There have been multiple reports of similar airline ticket scams outside India, impersonating Delta Airlines, Lufthansa, Thai Air, Singapore Airlines, Virgin Atlantic and others.

A few other reports on such attacks:
https://www.kaspersky.com/blog/free-airline-tickets-scam/17036/
https://www.hoax-slayer.net/free-airline-ticket-scam-post-plaguing-facebook/

Because only the ASCII letters A-Z, digits 0-9 and hyphens (-) are allowed in a DNS label, domain names containing other Unicode characters are converted internally to a Punycode representation (the ‘xn--’ form that is actually registered and resolved). The Punycode representation of this scam domain is:

xn--jetarways-ypb[.]com
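As an added example (not code from the Volon post), the following Python check reproduces the Punycode conversion above and flags a look-alike label against a brand list. The confusables table is a small constructed excerpt, and the function names and brand set are assumptions; a production check would load the full Unicode TR39 confusables.txt. It also shows why a mixed-script check alone misses this case: the dotless ı is itself a Latin letter.

```python
import unicodedata

# Constructed excerpt of a confusables table (real deployments load Unicode
# TR39 confusables.txt). Keys are look-alike code points, values the ASCII
# letter a reader takes them for.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the character used here)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that is actually registered and resolved."""
    return domain.encode("idna").decode("ascii")


def skeleton(label: str) -> str:
    """Collapse a label to what it looks like to a human reader."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, taken from character names."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}


def check_domain(domain: str, brands: set) -> dict:
    """Flag a domain whose second-level label looks like a brand but is not the brand."""
    name = domain.rstrip(".").lower()
    label = name.split(".")[0]  # the second-level label is what gets spoofed
    ascii_form = to_punycode(name)
    looks_like = skeleton(label)
    return {
        "punycode": ascii_form,
        "idn": ascii_form != name,                 # contains non-ASCII characters
        "mixed_script": len(scripts_in(label)) > 1, # Latin+Cyrillic etc.; False for dotless ı
        "lookalike_of": looks_like if (looks_like in brands and label != looks_like) else None,
    }


if __name__ == "__main__":
    print(check_domain("jetaırways.com", {"jetairways"}))
```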

At the time of writing, the scam domain jetaırways[.]com (xn--jetarways-ypb[.]com) has been put on hold and taken down (probably due to abuse reports). The domain was registered on 2018-05-21 and its WHOIS information is privacy protected.

[Screenshot: WHOIS record for xn--jetarways-ypb[.]com]


So, is this campaign really dead?
No!

The person behind this campaign has registered a new domain on 2018-05-21 under the ‘.de’ TLD, and a new campaign using this domain has already started:
jetaırways[.]de (xn--jetarways-ypb[.]de)


What is the motivation of this campaign?

It is believed that the campaign’s goal is to drive traffic and raise revenue through adware web apps. It is also possible that the campaign asks users to complete certain tasks, which may include downloading and installing malicious applications on their phones. No usernames or passwords are being phished at present.
Currently, the campaign targets only mobile browsers. When these sites are opened in a desktop browser, the JavaScript on the site redirects to:
hxxp://neuewfarben[.]com/404

The domain neuewfarben[.]com was registered on 2017-08-09 and is also privacy protected:

[Screenshot: WHOIS record for neuewfarben[.]com]


When a user opens the site in a mobile browser, they are presented with 4 fake survey questions:

[Screenshots: the four fake survey questions]



After answering these questions, a new screen is displayed on which the user has to tap the WhatsApp button 15 times to proceed.

[Screenshot: the WhatsApp share button screen]


This WhatsApp button launches WhatsApp via the “whatsapp://” URL scheme with a pre-filled message template:
whatsapp://send?text=Jetairways Airline is giving 2 Free Tickets to everyone,To celebrate their 25th Anniversary, Click here to Get yours: hxxp://www[.]jetaırways[.]com/tickets .

Once 15 clicks are made, the user can “claim” the tickets. None of the clicks or survey answers are actually processed. When the user clicks “Claim tickets”, they are redirected to another site, “www[.]sweetfinalz[.]com”.

The domain sweetfinalz[.]com was registered on 2018-04-10 and is privacy protected:

[Screenshot: WHOIS record for sweetfinalz[.]com]


Finally, the user is asked to complete one of the following tasks to view the claimed tickets:

[Screenshot: the list of tasks offered to the user]


The domains xn--jetarways-ypb[.]com, xn--jetarways-ypb[.]de and sweetfinalz[.]com are all hosted as Heroku apps.