A phishing campaign exploiting fears during the Israel-Iran conflict offered fraudulent evacuation flights on a fake Embraer Lineage 1000E jet, aiming to steal personal and financial information. The scam involved a suspicious domain and fake booking details, misleading users with unrealistic prices and travel logistics.
Keypoints
- On June 13, 2025, Israel launched Operation Rising Lion targeting Iranian military and infrastructure, leading to a 12-day conflict and subsequent ceasefire on June 24.
- FortiGuard Labs detected a phishing campaign exploiting the conflict by registering the suspicious domain lineageembraer[.]online on June 22, 2025.
- The fake site promoted evacuation flights on an Embraer Lineage 1000/1000E jet with unrealistic pricing and logistics, including a $2,166 seat price and erroneous flight details.
- The domain used a Gmail address and hosted a travel instruction PDF on a Shopify CDN, undermining legitimacy and indicating fraudulent intent.
- The advertised flight capacity, range limitations, and incorrect airport information highlighted operational and factual inconsistencies.
- The scam aimed to harvest high-value personal data such as names, addresses, and passport numbers under the guise of booking verification.
- Fortinet blocks related malicious activity via IP Reputation and Anti-Botnet services and recommends contacting their Incident Response Team for assistance.
MITRE Techniques
- [T1566] Phishing – Threat actors launched a phishing campaign using a fake airline booking site to steal personal and financial data (“…launched a phishing campaign to steal personal and financial information from individuals…”).
- [T1204] User Execution – Users were deceived into clicking “Book Now” and providing sensitive personal information (“…users are prompted to submit personal details—including name, address, and passport number…”).
- [T1071] Application Layer Protocol – The fraudulent site used a mailto link directing emails to lineageembraer[@]gmail[.]com for booking communications (“Clicking the “Book Now” button initiates a mailto: operation addressed to lineageembraer[@]gmail[.]com”).
- [T1105] Ingress Tool Transfer – The PDF instruction file was hosted and downloaded from a Shopify CDN (“…file is hosted on a Shopify CDN… located at hXXps://cdn.shopify.com/…”).
Indicators of Compromise
- [Domain] suspicious phishing domain registered June 22, 2025 – lineageembraer[.]online
- [URL] malicious document hosted on commercial CDN – hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015
- [Email] fraudulent contact email for booking – lineageembraer[@]gmail[.]com
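One way to hunt for these three indicators in proxy, DNS and mail logs, as an added example that is not part of the original report. The log format, user names and timestamps are constructed; the indicators stay defanged in the source and are refanged only at run time. Because cdn.shopify.com is a shared CDN, the URL indicator is matched on host plus path, never on the host alone.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published above (defanged).
IOCS = {
    "domain": "lineageembraer[.]online",
    "url": "hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015",
    "email": "lineageembraer[@]gmail[.]com",
}

def refang(value):
    """Turn a defanged indicator back into its matchable form."""
    value = value.replace("[.]", ".").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def build_matchers():
    domain = refang(IOCS["domain"]).lower()
    url = urlsplit(refang(IOCS["url"]))
    email = refang(IOCS["email"]).lower()
    return {
        # The domain or any subdomain, but not a longer look-alike name.
        "domain": re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(domain)
                             + r"(?![\w-])(?!\.[\w-])"),
        # Host + path only: the ?v= query string may change between fetches.
        "url": re.compile(re.escape((url.netloc + url.path).lower())),
        "email": re.compile(r"(?<![\w.+-])" + re.escape(email) + r"(?![\w-])"),
    }

def scan(lines):
    """Return (line_number, indicator_type) for every log line that matches."""
    matchers = build_matchers()
    hits = []
    for number, line in enumerate(lines, 1):
        lowered = line.lower()
        hits += [(number, kind) for kind, rx in matchers.items() if rx.search(lowered)]
    return hits

def sample_log():
    """Constructed log lines for the demonstration; not real telemetry."""
    d, u, e = (refang(IOCS[k]) for k in ("domain", "url", "email"))
    return [
        f"2025-06-23T09:14:02Z proxy user=u1001 GET https://{d}/ 200",
        f"2025-06-23T09:15:40Z proxy user=u1001 GET {u} 200",
        "2025-06-23T09:16:05Z proxy user=u1002 GET https://cdn.shopify.com/s/files/1/0000/0000/0000/files/catalog.pdf 200",
        f'2025-06-23T09:18:11Z smtp from=u1001@corp.example to={e} subject="Booking"',
        f"2025-06-23T09:20:00Z proxy user=u1003 GET https://www.{d.upper()}/book 200",
        f"2025-06-23T09:21:30Z dns query=not{d} type=A",
    ]

if __name__ == "__main__":
    print(scan(sample_log()))
```

Lines 3 and 6 of the sample are deliberate non-matches: an unrelated file on the same CDN and a look-alike name that merely ends with the indicator string.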
Read more: https://feeds.fortinet.com/~/922067897/0/fortinet/blog/threat-research~A-Special-Mission-to-Nowhere