INKY uncovered a widespread Southwest Airlines credential-harvesting phishing campaign that uses newly created domains to lure victims with a fake survey and gift-card offer. The scam escalates from brand impersonation and enticing branding to a credential-harvesting page, with attackers using shady domains such as listednet.su and offerregistry.su to host the attack.
Hashtags: #SouthwestAirlines #Phishing #CredentialHarvesting #INKY #BetterTechDevices #ListedNetSU
Key points
- The campaign impersonates Southwest Airlines and started mid-December, with phishing emails from newly created domains.
- Emails offer a $100 gift card and direct recipients to a malicious survey landing page that impersonates the airline.
- The landing page uses branding, deadlines, and other cues to appear legitimate, including a risky domain (listednet.su).
- After completing the survey, victims are directed to a page that harvests credentials (including personal and payment information).
- Example paths include selecting items (e.g., a smartwatch) that lead to a fake domain like bettertechdevices.com, followed by shipping/payment prompts.
- The campaign relies on multiple subject lines, display names, and sender addresses to maximize reach and avoid detection.
- Guidance provided includes inspecting sender addresses and display names and recognizing brand impersonation and data harvesting signs.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Phishing emails impersonate Southwest and direct recipients to a malicious landing page; “The emails offered a $100 gift card and other special rewards for those willing to take a survey.”
- [T1583.001] Acquire Infrastructure: Domains – Attackers use newly registered domains to host phishing content; “phishing emails are being sent from newly created domains, set up explicitly for these attacks.”
- [T1036] Masquerading – Brand impersonation to make emails look like they come from a legitimate source; “Brand impersonation — uses elements of a well-known organization to make an email look as if it came from a legitimate source.”
- [T1552.001] Credentials in Web Form – Landing page collects credentials via a form after the user reaches it; “After clicking ‘Claim Watch Now’, you’ll be taken to a different page that asks for your mailing address and a credit card to pay for the shipping.”
Indicators of Compromise
- [Domain] Domains used in the campaign – listednet.su, offerregistry.su, and bettertechdevices.com
- [Email Address] Sender addresses associated with the campaign – ten addresses, each obfuscated as [email protected] in the source extraction (and 1–8 more addresses)
- [Domain] Malicious landing-page domains referenced in the campaign – offerregistry.su, listednet.su (and related infrastructure domains)
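The guidance in the key points (inspect sender addresses and display names, recognise brand impersonation and the gift-card lure) and the IoC list above can be turned into a small mail-triage check. The following is an added example, not INKY's code or tooling; the "legitimate brand domain" allowlist (southwest.com), the field names of the message dictionary, and the sample messages are assumptions constructed for the example, while the IoC domains are the ones listed in this report.

```python
"""Added triage example (not INKY's code): flag messages that match the
campaign's indicators -- a display name that claims Southwest Airlines while
the sender domain is not the airline's, links or senders on the campaign's
IoC domains, and the gift-card survey lure wording."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains listed in the Indicators of Compromise section of this report.
IOC_DOMAINS = {"listednet.su", "offerregistry.su", "bettertechdevices.com"}

# Assumption: the brand's genuine sending domain(s); extend with your own allowlist.
LEGIT_BRAND_DOMAINS = {"southwest.com"}
BRAND_RE = re.compile(r"south\s*west", re.IGNORECASE)
LURE_RE = re.compile(r"\$\s?\d+\s*gift\s*card|take\s+(a|our)\s+survey", re.IGNORECASE)


def _host(url):
    """Return the host part of a URL, lowercased, without userinfo or port."""
    netloc = urlparse(url).netloc.lower()
    return netloc.split("@")[-1].split(":")[0]


def _domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(msg):
    """msg: dict with 'from', 'subject', 'body' (str) and 'links' (list of str).
    Returns a list of finding strings; an empty list means nothing matched."""
    findings = []
    display, addr = parseaddr(msg.get("from", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Brand impersonation: display name says Southwest, sender domain does not.
    if BRAND_RE.search(display or "") and not _domain_matches(sender_domain, LEGIT_BRAND_DOMAINS):
        findings.append(
            f"display name impersonates Southwest but sender domain is {sender_domain or 'missing'}"
        )

    # 2. Known campaign infrastructure in the sender address or in any link.
    if _domain_matches(sender_domain, IOC_DOMAINS):
        findings.append(f"sender domain {sender_domain} is a campaign IoC")
    for url in msg.get("links", []):
        h = _host(url)
        if _domain_matches(h, IOC_DOMAINS):
            findings.append(f"link host {h} is a campaign IoC")

    # 3. Lure text: gift-card / survey wording in subject or body.
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if LURE_RE.search(text):
        findings.append("gift-card/survey lure wording present")
    return findings


# Constructed sample messages for the example (not captures from the campaign).
SAMPLES = [
    {"from": "Southwest Airlines <rewards@offerregistry.su>",
     "subject": "You've been selected: $100 gift card",
     "body": "Take a survey to claim your reward before the deadline.",
     "links": ["https://listednet.su/survey?id=1"]},
    {"from": "Rapid Rewards <noreply@southwest.com>",
     "subject": "Your itinerary",
     "body": "Your flight details are attached.",
     "links": ["https://www.southwest.com/"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], "->", triage(s) or ["no findings"])
```

The first sample trips all four checks (impersonating display name, IoC sender domain, IoC link host, lure wording); the second, a plausible legitimate message, produces no findings. In practice the IoC set would be fed from a threat-intel feed rather than hard-coded, and the display-name check is only a heuristic: it is the mismatch between the claimed brand and the actual sending domain that matters, exactly the point the guidance above makes.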
Read more: https://www.inky.com/en/blog/fresh-phish-southwests-flying-phish-takes-off-with-your-credentials