BadTrip: A chain of fake travel sites abuses search ads to commit fraud and credential theft
Brand impersonation and “cloaked” call centers scale the scam up to more than 50,000 people. Scammers are raking in upwards of $800 per victim.

Successful malvertising campaigns have two key components: cloaking and churn. Normal security efforts will look at a few websites coming from persuasive and commercial ads and conclude they’re probably legit businesses. Scammers exploit this fundamental flaw to scale up their campaigns, all while staying undercover in a sea of new domains that look unrelated at first sight. However, as with everything on the Internet, scale is the most expensive part of any initiative. In code, convenient scalability comes at the price of patterns that can be matched, which in turn costs a scammer its most precious asset: its facade.
I’ll explain. Here’s a seemingly dumb line of code:
When combined with the string “Copyright”, it produces the all-too-familiar copyright at the bottom of every website with the current year: “Copyright 2023” is what it reads today.
Granted, there’s nothing too weird in having that on your landing page. But for us, it provides a key piece of intelligence: this website is probably templated, i.e. it was made from a skeleton whose placeholders are meant to be replaced to fit someone’s specific needs. Many blogs, single-page business sites, and other small enterprises build sites that come from templates. In malvertising, combining template signals with other techniques reveals scale, and when ten websites, each of a different hotel, all look the same, it comes off as fraud.
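One way to turn the template signal into a clustering check is sketched below. This is an added example, not code from the original investigation: it hashes each landing page's tag and class skeleton while ignoring the text, so pages that differ only in hotel name and address collide. The domains, page markup and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from html.parser import HTMLParser


class SkeletonParser(HTMLParser):
    """Collects the tag/class structure of a page and ignores its text."""

    def __init__(self):
        super().__init__()
        self.skeleton = []

    def handle_starttag(self, tag, attrs):
        classes = " ".join(sorted((dict(attrs).get("class") or "").split()))
        self.skeleton.append(f"{tag}.{classes}")


def template_fingerprint(html):
    """Hash the markup skeleton so pages differing only in copy collide."""
    parser = SkeletonParser()
    parser.feed(html)
    return hashlib.sha256("|".join(parser.skeleton).encode()).hexdigest()


def cluster_by_template(pages, min_size=2):
    """Group domains whose landing pages share one skeleton."""
    groups = defaultdict(list)
    for domain, html in pages.items():
        groups[template_fingerprint(html)].append(domain)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)


# Constructed sample pages (hypothetical domains, names and addresses).
TEMPLATE = (
    '<html><body><div class="hero main"><h1>{name}</h1>'
    '<a class="btn call">Call for reservations</a></div>'
    '<footer class="foot">Copyright 2023 {name}, {addr}</footer></body></html>'
)
PAGES = {
    "hotel-a.example": TEMPLATE.format(name="Palm Inn", addr="1 Bay St, Miami, FL"),
    "hotel-b.example": TEMPLATE.format(name="Gulf Suites", addr="9 Sea Rd, Tampa, FL"),
    "bakery.example": "<html><body><h1>Bread</h1><p>Open daily</p></body></html>",
}

if __name__ == "__main__":
    print(cluster_by_template(PAGES))
```

A shared skeleton alone is weak evidence, since legitimate sites reuse themes too; it becomes useful when the cluster also shares ad copy, registration dates or redirect behaviour.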
And in fact, that’s how we came across this attacker. The ads themselves look oddly vague — “call for reservations”, “fast reservations”. No mention of brands or purpose. What am I reserving?


When engaged, victims are taken to templated hotel landing pages:



None of the buttons are clickable and nothing is actually reservable from the sites. At the bottom, one dead giveaway these are indeed scams — the addresses, all in Florida, were stolen from real hotels:




So, we asked ourselves, what is the final verdict? With a sense of anticipation, we took that one crucial step, only to be met with overwhelming frustration. It was an abrupt dead end, a crushing blow to our hopes: “The number you called is incorrect or disconnected.” The phone numbers displayed on those websites were mere illusions, nonexistent in reality.
Something was still off. Why would you buy search ads and set up fake hotel pages when your only money-making conversion avenue is broken? Where’s their so-called “money page”? It had to be a number.
Sure enough, testing the sites on US mobile devices immediately fired up a URN that prompts your device to call the real, shock, cloaked numbers!

Behind the scenes, it’s an HTTP 302 response:
{
  "_transferSize": 434,
  "status": 302,
  "statusText": "Found",
  "httpVersion": "HTTP/1.1",
  "headers": [
    {
      "name": "Location",
      "value": "tel:+18784330168"
    }
  ]
}
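The response above suggests a simple detection rule: flag any 3xx whose Location leaves http(s), and treat it as cloaking when it only appears under a mobile crawl profile. The following is an added example, not tooling from the original write-up. It assumes two HAR captures of the same URL, one per profile; the request URL and the desktop response are constructed, and the mobile response reuses the header shown above.

```python
import re

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
WEB_SCHEMES = {"", "http", "https"}  # "" means a relative Location


def scheme_of(location):
    """Lower-cased URI scheme of a Location value, or "" if relative."""
    match = SCHEME_RE.match(location.strip())
    return match.group(1).lower() if match else ""


def location_of(response):
    """Location header of a HAR response object, or None."""
    for header in response.get("headers", []):
        if header.get("name", "").lower() == "location":
            return header.get("value")
    return None


def non_web_redirects(har):
    """Map request URL -> Location for 3xx responses that leave http(s)."""
    hits = {}
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        target = location_of(resp)
        if target and 300 <= resp.get("status", 0) < 400:
            if scheme_of(target) not in WEB_SCHEMES:
                hits[entry["request"]["url"]] = target
    return hits


def cloaked_call_redirects(desktop_har, mobile_har):
    """URLs that redirect to tel: only under the mobile crawl profile."""
    desktop = non_web_redirects(desktop_har)
    return {url: loc for url, loc in non_web_redirects(mobile_har).items()
            if scheme_of(loc) == "tel" and url not in desktop}


def _har(status, headers):
    # Constructed single-entry HAR; the request URL is a placeholder.
    return {"log": {"entries": [{
        "request": {"url": "https://hotel-a.example/"},
        "response": {"status": status, "headers": headers}}]}}


# Mobile capture reuses the response shown above; desktop is constructed.
MOBILE = _har(302, [{"name": "Location", "value": "tel:+18784330168"}])
DESKTOP = _har(200, [{"name": "Content-Type", "value": "text/html"}])
```

Calling `cloaked_call_redirects(DESKTOP, MOBILE)` returns the landing URL mapped to its `tel:` target; the same check over both profiles of a legitimate click-to-call page returns nothing, because the redirect is not profile-dependent.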
And the fun begins. Here’s the transcript of our very pleasant chat with one of the very helpful operators:
0:01
Thank you for calling press 5 to continue.
1:42
Mhm.
1:45
Reservations.
1:47
Hello I would like to make a reservation for a hotel in Portland.
1:56
You would like to book a hotel.
2:03
So you're speaking with the consolidators who help you to book the reservation for the flight?
2:10
Oh okay.
2:13
I need a flight too.
2:19
Alright and which city you're flying from?
2:22
Newark, New Jersey?
2:28
Okay.
2:30
I'm flying to Portland, Oregon.
2:39
You will fly from John F Kennedy.
2:42
No from Newark, New Jersey.
2:49
And how many people are flying?
2:55
What you are going out?
2:59
Next Wednesday, that's the 8th.
3:05
Okay.
3:07
I'm coming back the 10th.
3:18
What time you would like to leave out?
3:22
eight a.m. Yes, you want a nonstop flight or with one stop?
3:35
It doesn't matter.
3:38
Okay, give me one min.
3:47
Sure give me one answer.
3:51
The flight I have which leaves 7 42 AM.
3:59
Give me one min, please.
4:14
Yeah, the flight would leave 7 42 AM arrives 1 25 PM one stop in Denver for one hour.
4:21
14 minutes.
4:23
Okay and coming back from Portland you leave 1251 pm and arrive 11 29 PM with one stop in Denver for one hour, 29 minutes.
4:42
Okay.
4:42
Sounds good.
4:46
Yeah, you want to fly an economy?
4:51
Yes.
4:54
All economy plus economy is fine.
4:59
Okay.
5:04
The cost for the flight would be $817.48.
5:17
Alright.
5:28
Can you please give me the name of the?
5:31
Yes.
5:32
Where would you please remind me what your website address is?
5:36
I think I got you on Google Search.
5:41
I'm sorry.
5:42
Would you please remind me the address, the url of your website?
5:47
What's the address?
5:48
I don't remember.
5:49
I found you on Google Search.
5:51
I think you can call him 800 to 12 to one 1212.
6:09
Okay.
6:11
So that's your phone number?
6:14
Yes.
6:15
Okay.
6:16
And the website, the website.
When pressed to repeat their phone number, they simply decided to impersonate Delta Airlines’ phone number: 1-800-221-1212. The website was never revealed.
At approximately $1.39 per conversion, the scammers manage to reach an average of 55k victims per month through Google Search. While not the cheapest scheme we’ve seen, it is still a highly effective method to gain authority over the keyword “reservation” in ads and entice travelers tripping on their hotel choices.
Sitting more than 9,000 miles away from the United States, a group of shady agents in India is ready to book you, not in hotels in Florida or flights to Colorado, but in a nightmare of fraudulent charges. Contrary to my previous belief, scale on the internet not only provides convenience for attackers but also for victims. The call-to-action in every ad and the redirects to phone URLs are telltale signs. For anxious travelers, a bad trip is just a phone call away.
IOCs
As the cybersecurity leader in detecting and stopping Malvertising attacks, Confiant is leading the charge in protecting users from criminals who hijack the ad tech supply chain. Confiant has unparalleled visibility and insight into the malware, scams, and fraud serving through digital ads.
Find out more at https://www.confiant.com , https://matrix.confiant.com, or MAQ Index Report.