Deep Analysis of Hospitality Phishing Campaign Shows Global Threat
Editorial and additional commentary by Tricia Howard
Executive summary
Akamai researchers have continued to examine an active sophisticated phishing campaign that is targeting hospitality sites and their customers.
The campaign is a global threat, with a notable amount of DNS traffic seen in Switzerland, Hong Kong, and Canada. We’ve also seen plenty of queries in Italy, Argentina, and Singapore.
Although the campaign was initially thought to have been active only since September 2023, the domain registration shows domain names being registered and queried as early as June 2023.
Introduction
Despite years of awareness and discussion, phishing remains the top cyberthreat to both organizations and individuals. The evolving complexity and laser-focused targeting that can define these campaigns is staggering. We’ve seen these characteristics ourselves in the infrastructure behind a holiday giveaway scam, the crypto giveaway scams, and a hospitality-specific campaign that was discovered in September 2023.
After our initial analysis of the second level of that hospitality campaign, it became clear we needed to dive deeper.
Our unique view of the online landscape
Akamai sees DNS query traffic at a very large scale in a large number of countries worldwide. Many of our customers that deploy Akamai DNS resolvers opt to share anonymized logs with us, which we can then use to perform threat research and analysis, and take measures to protect end users. This unique view of the online landscape gives us the foundation for a deeper understanding of this phishing campaign.
In this blog post, we will take that deeper dive and examine the DNS queries, traffic, and fully qualified domain names (FQDNs) associated with the IOCs discovered to be part of the campaign.
Domain name clusters
The deeper data analysis starts with our robust internal FQDN stats table, which lists every single FQDN that our team observed in the DNS traffic. The table also carries further context for each FQDN, such as timestamps and other metadata, which allows for a deeper and more accurate analysis when we drill into something specific, as we did for this campaign.
Finding patterns
We begin our analysis with the first IP that our threat researchers discovered: 91.215.40[.]30. We can see this belongs to ASN AS57724, which seems to be of Russian origin.
Because we know the campaign has been active since at least early September 2023, we first filter this table for FQDNs that resolved to 91.215.40[.]30 in the past few months (Table 1).
| FQDN | Cluster |
|---|---|
| service10.wakkofkznmartyxa3244[.]site | wakk |
| booking.reservation-accept[.]info | dashed |
| booking.com-id2834440[.]info | .com-id |
| service10.wakkofkznmartyxa3244[.]site | wakk |
| booking.id17825117[.]date | .id |
| www.yandex.sberbank.com-id409712[.]com | .com-id |
| booking.id301628951[.]date | .id |
| booking.acquire-transaction[.]cloud | dashed |
| booking.com.id60157261[.]date | .com.id |
| static.wakkofkznmartyxa3244[.]site | wakk |
| booking.com-id2435142[.]info | .com-id |
| service10.wakkofkznmartyxa3244[.]site | wakk |
| booking.check-request[.]info | dashed |
| service10.wakkofkznmartyxa3244[.]site | wakk |
| pay.avito.avito.avito.com-id20341[.]info | .com-id |
Table 1: Sample of FQDNs that resolved to 91.215.40[.]30
Although some of these FQDNs follow more typical combosquatting techniques, such as adding in the keyword “reservation”, there are also some that are nonsensical to a human, such as “wakkofkznmartyxa3244.”
As you can see in Table 1, there are some pretty clear visual patterns in the FQDNs. We can now group the FQDNs into clusters based on combosquatting technique or, in the case of the unintelligible ones, based on a sample of the FQDN’s text. We identified five clusters: wakk, dashed, .id, .com-id, and .com.id.
Using the patterns
Once we identified those clusters, we designed regex patterns to further analyze them. These allowed us to filter our data and produce aggregated stats for each of the clusters. We also joined WHOIS data for the domains within the clusters (Table 2).
| Cluster | Cluster size | Popularity | First registered | First seen | Last seen | Example subdomain | Example domain |
|---|---|---|---|---|---|---|---|
| wakk | 1 | 10x | 2023-06-14 | 2023-06-15 | still going | service10. | wakkofkznmartyxa3244[.]site |
| dashed | 10+ | 1x | 2023-07-16 | 2023-07-18 | 2023-09-03 | booking. | reservation-accept[.]info |
| .id | 10+ | 1x | 2023-08-17 | 2023-08-18 | still going | booking. | id11853502[.]date |
| .com-id | 10+ | 1x | 2023-09-06 | 2023-09-07 | still going | avito.sber. | com-id02349[.]info |
| .com.id | 10+ | 1x | 2023-09-06 | 2023-09-08 | still going | booking.com. | id60157261[.]date |
Table 2: Aggregated stats for FQDN clusters
To understand Table 2, we need to define each column.
Cluster size: The number of domain names we see within each cluster; each cluster (except the ‘wakk’ cluster) contains dozens of different domain names that all look similar and follow the same pattern
Popularity: The relative query count that each of these clusters is seeing
First registered: The oldest registration date of all the domains within the cluster according to the WHOIS data
First seen: The date that we observed the first DNS query to any of the domains within the cluster according to our internal DNS query logs; We noticed that each of the domains popped up on our radar just 1 or 2 days after they were first registered
Last seen: The date when we last saw the cluster appearing in the DNS traffic
Example subdomain: An example of a subdomain within the cluster that was queried
Example domain: A single random domain name from within the cluster
What the data says
Each of the domains popped up on our radar just 1 or 2 days after they were first registered. The first one we observed was the ‘wakk’ cluster, which was registered in June 2023.
The ‘wakk’ domain is seeing the largest number of DNS queries by far — approximately 2.5x more DNS queries than all of the other four clusters combined. This contrast can indicate that it is being used for redirection or as a hub of some sort.
Considering that this campaign has multiple target layers (the first being the hotel, the second being the guests of said hotel), it’s troubling to see that four of the five clusters are still active as of the publication date of this blog post. The one exception is the ‘dashed’ cluster: it had the earliest registration dates after ‘wakk’, but we stopped seeing queries to it on September 3, 2023.
Phasing out the cluster that creates the most risk
From this data, we infer that originally the ‘dashed’ cluster was being used, but then the threat actor decided to phase out that cluster and continue with the other three clusters. The fact that traffic to the ‘dashed’ cluster stopped on September 3 and the earliest domain names in the .com-id and .com.id clusters were registered on September 6 adds credibility to this idea. The ‘dashed’ cluster also had the most “traditional” scam domain makeup, which could have increased the risk of detection by threat hunters or others.
While the ‘dashed’ cluster is inactive, the queries keep coming in through the .id, .com-id, and .com.id clusters.
The ‘dashed’ cluster used two or three words from the following dictionary connected by a dash, under the TLDs .com, .date, .info, .cloud, and .site:
- accept
- acquire
- approve
- booking
- check
- confirm
- confirmation
- guest
- process
- request
- reserve
- reservation
- safe
- secure
- transaction
The three other clusters can be roughly captured with the following regex patterns applied to the FQDNs, although you will likely want to further filter the results by an IP address range.
- .id cluster: .*\.id\d{4,9}\.(com|top|date|email|info|site|cloud)$
- .com-id cluster: .*\.com-id\d{4,9}\.(com|top|date|email|info|site|cloud)$
- .com.id cluster: .*\.com\.id\d{4,9}\.(com|top|date|email|info|site|cloud)$
Note that the .id pattern also matches every .com.id FQDN (the leading .* absorbs the “.com”), so when assigning a name to exactly one cluster, test the more specific .com.id pattern first.
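The following is an added example, not Akamai’s own tooling, that turns the word list and regex patterns above into a classifier and reproduces the DNS-derived columns of Table 2 (cluster size, relative popularity, first seen, last seen) from resolver log records. The three numeric-ID regexes are the ones given in this post; the ‘wakk’ and ‘dashed’ patterns, the (date, FQDN, answer IP) log format, and the sample records are assumptions made for the illustration, with the sample FQDNs taken from Table 1 and the dates invented.

```python
"""Cluster campaign FQDNs from resolver logs and aggregate per-cluster stats.

Added example (not Akamai's tooling). The three numeric-ID regexes are the ones
given in the post; the 'wakk' and 'dashed' patterns, the log format, and the
sample records are assumptions made for this illustration.
"""
import re

# TLDs observed across the campaign, per the post.
_TLDS = r"(?:com|top|date|email|info|site|cloud)"

# Word list the post gives for the 'dashed' cluster; the regex built from it is an assumption.
_DASHED_WORDS = [
    "accept", "acquire", "approve", "booking", "check", "confirm", "confirmation",
    "guest", "process", "request", "reserve", "reservation", "safe", "secure", "transaction",
]
_WORD = "(?:" + "|".join(sorted(_DASHED_WORDS, key=len, reverse=True)) + ")"
_LABELS = r"(?:[a-z0-9-]+\.)*"  # zero or more subdomain labels

# Order matters: the post's '.id' regex also matches '.com.id' names such as
# booking.com.id60157261.date, so the more specific patterns are tried first.
CLUSTER_PATTERNS = [
    ("wakk", re.compile(rf"^{_LABELS}wakkofkznmartyxa3244\.site$")),
    (".com.id", re.compile(rf"^.*\.com\.id\d{{4,9}}\.{_TLDS}$")),
    (".com-id", re.compile(rf"^.*\.com-id\d{{4,9}}\.{_TLDS}$")),
    (".id", re.compile(rf"^.*\.id\d{{4,9}}\.{_TLDS}$")),
    ("dashed", re.compile(rf"^{_LABELS}{_WORD}(?:-{_WORD}){{1,2}}\.(?:com|date|info|cloud|site)$")),
]


def refang(name):
    """Turn a defanged indicator like booking.id17825117[.]date back into a hostname."""
    return name.lower().replace("[.]", ".").rstrip(".")


def classify(fqdn):
    """Return the cluster name for an FQDN, or None if it matches no cluster pattern."""
    name = refang(fqdn)
    for cluster, pattern in CLUSTER_PATTERNS:
        if pattern.match(name):
            return cluster
    return None


def registrable_domain(fqdn):
    """Registered domain (last two labels); valid here because all campaign TLDs are single-label."""
    return ".".join(refang(fqdn).split(".")[-2:])


def aggregate(records):
    """records: iterable of (YYYY-MM-DD, fqdn, answer_ip) tuples from resolver logs.

    Returns {cluster: {queries, size, popularity, first_seen, last_seen, ips, domains}},
    i.e. the Table 2 columns that DNS logs alone can fill (WHOIS dates excluded).
    """
    stats = {}
    for day, fqdn, ip in records:
        cluster = classify(fqdn)
        if cluster is None:
            continue  # not part of any tracked cluster
        s = stats.setdefault(cluster, {"queries": 0, "domains": set(), "ips": set(),
                                       "first_seen": day, "last_seen": day})
        s["queries"] += 1
        s["domains"].add(registrable_domain(fqdn))
        s["ips"].add(ip)
        s["first_seen"] = min(s["first_seen"], day)  # ISO dates sort correctly as strings
        s["last_seen"] = max(s["last_seen"], day)
    least = min(s["queries"] for s in stats.values())
    for s in stats.values():
        s["size"] = len(s["domains"])
        s["popularity"] = round(s["queries"] / least, 1)  # relative query count, as in Table 2
    return stats


def hub_candidate(stats):
    """Name the cluster that alone draws more queries than all others combined (the post's
    reasoning for calling 'wakk' a redirection hub), or None if no cluster does."""
    total = sum(s["queries"] for s in stats.values())
    for cluster, s in stats.items():
        if s["queries"] > total - s["queries"]:
            return cluster
    return None


# Constructed sample log: FQDNs from Table 1, invented dates, plus one unrelated name.
SAMPLE_LOG = [
    ("2023-06-15", "service10.wakkofkznmartyxa3244[.]site", "91.215.40[.]30"),
    ("2023-07-18", "booking.reservation-accept[.]info", "91.215.40[.]30"),
    ("2023-08-18", "booking.id17825117[.]date", "91.215.40[.]30"),
    ("2023-09-03", "booking.acquire-transaction[.]cloud", "91.215.40[.]30"),
    ("2023-09-07", "booking.com-id2834440[.]info", "91.215.40[.]30"),
    ("2023-09-08", "booking.com.id60157261[.]date", "91.215.40[.]22"),
    ("2023-09-08", "www.yandex.sberbank.com-id409712[.]com", "91.215.40[.]22"),
    ("2023-09-09", "booking.id301628951[.]date", "91.215.40[.]22"),
    ("2023-09-10", "www.example.com", "192.0.2.1"),
] + [("2023-09-10", "static.wakkofkznmartyxa3244[.]site", "91.215.40[.]30")] * 9

if __name__ == "__main__":
    table = aggregate(SAMPLE_LOG)
    for cluster, s in table.items():
        print(f"{cluster:8} size={s['size']} queries={s['queries']} popularity={s['popularity']}x "
              f"first_seen={s['first_seen']} last_seen={s['last_seen']} ips={sorted(s['ips'])}")
    print("hub candidate:", hub_candidate(table))
```

Run it as a script to print one line per cluster. In production the same classifier should be applied only after filtering the log by the campaign’s answer IP range, as the post recommends: the ‘dashed’ pattern in particular is built from common English words and will match legitimate hostnames if run over all resolver traffic.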
Expansion to other IP addresses
The analysis above specifically addressed FQDNs resolving to 91.215.40[.]30. However, it is possible (if not probable) that more IP addresses are part of this campaign. Using the regex patterns we designed to capture the different clusters, we queried the raw FQDN stats table to find out whether any other IPs are involved.
We found identical clusters resolving to 91.215.40[.]22, which is part of the same ASN as 91.215.40[.]30. It is this analysis that led to this IP address being part of the IOC list in our original post.
A global threat
From a regional perspective, we see the majority of DNS traffic originating from Switzerland, Hong Kong, and Canada. We also see plenty of queries in Italy, Argentina, and Singapore. The global nature of this phishing campaign is another demonstration of the elaborate infrastructure composing these scams. It also makes this campaign more difficult to track as it is not targeting a specific country or region.
While there is geographically specific DNS traffic, we don’t see any country-code top-level domains (ccTLDs), such as .ru. We only observed generic TLDs: .com, .top, .date, .email, .info, .site, and .cloud.
At the subdomain level, we see various brand names being used in improper ways. Sometimes the brand's TLD is:
- The first-level subdomain, such as in booking.com.id60157261[.]date
- The start of the domain name, such as in booking.com-id2435142[.]info
- Missing, such as in booking.id17825117[.]date
We can summarize these three methods as combinations of levelsquatting and combosquatting techniques.
In addition to booking.com, we see a number of brands that are commonly seen in Russia, such as avito, sber, sberbank, and yandex. This is interesting because using those common Russian brands would only seem to make sense if the campaign is targeting Russian users — unless there is some reverse psychology at play here, and that falsehood is exactly what the threat actors want us to believe.
WHOIS analysis
Let’s look at some WHOIS data for domain names inside the clusters we found.
We found that the majority of domains have NameSilo as registrar. The most common contact listed in the WHOIS data of these domains is PrivacyGuardian. PrivacyGuardian is part of NameSilo. It seems that the malicious actors registered these domain names through NameSilo and then used the PrivacyGuardian feature to keep their identity hidden.
We also found domain names registered through other registrars. Among those, not surprisingly, most of the WHOIS contact details are empty or include random names.
Furthermore, we found several domain names inside each cluster that received DNS queries but (according to WHOIS data) were never actually registered. It seems to us that the malware installed on the devices of hotel employees is trying to reach its command and control infrastructure by querying a variety of candidate domains in parallel until a successful connection is established.
Conclusion
Using just DNS and WHOIS data helped us get high-level insights on a currently active phishing campaign. The campaign seems to have a global reach and currently involves five different clusters of domain names spread out over seven TLDs. We’ve identified patterns that can be used to capture these clusters. Through these patterns, we were able to confirm that there are currently two IP addresses involved in this campaign: 91.215.40[.]30 and 91.215.40[.]22.
We noted that some of the campaign’s deceptive tactics involve the usage of cybersquatting techniques, such as levelsquatting and combosquatting. Further, we discovered that threat actors may be attempting to make it appear as though only Russian users are being targeted by using a large number of Russian brands in this campaign.
Stay tuned
You can find our breaking security research in real time by following us on Twitter.