The Federal Bureau of Investigation’s (FBI) Cyber Division has issued a notification warning via email on June 15 that unattributed cyber actors are registering numerous domains spoofing legitimate U.S.-based airport websites, indicating the potential for future operational activity.
Spoofed domains mimic legitimate domains by either altering characters within the domain or associating another domain with characteristics similar to the legitimate one, such as “m1crosoft.com” or “microsoft-software.biz.” Spoofed domains are increasingly used by cyber criminal and state-sponsored groups to spread malware, which can lead to further compromise and financial losses. As a result, this activity poses an increased risk not only to U.S. airports but also to the greater U.S. Aviation Sector and its myriad stakeholders.
The FBI’s notification included instances of recent activity. As of 5 March 2020, unknown actor(s) registered the domain www.phl-airport.com, which closely mirrors that of the legitimate Philadelphia International Airport website (philadelphia.airport.com). The use of “phl” in the domain directly mirrors the airport’s International Air Transport Association code “PHL”. The actor(s) registered the domain using WhoisGuard, a privacy protection service, to anonymize the registration information. Images of the airport were taken from publicly available internet image searches.
In late March 2020, unknown actor(s) registered multiple domains possessing the term “Greensboro airport” possibly in an effort to confuse flyers and/or customers. The Piedmont Triad International Airport serves the Greensboro, North Carolina, area.
From March through May 2020, unknown actor(s) registered multiple domains possessing the term “webmail” likely in an effort to spoof legitimate airport email landing pages. For instance, these actors registered the domain “webmail.newark-airport.info.”
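As an added example, not code from the FBI notification or from any airport, the Python routine below applies the spoofing patterns described above (digit-for-letter substitution, near-matches of a protected name, reuse of an airport's IATA code or city name, and a “webmail” label on a lookalike host) to a feed of newly registered domains and returns the names worth a defender's review. The protected list, the IATA codes and the feed lines are constructed sample data, not real indicators.

```python
# Added example (not the FBI's code): flag newly registered domains that look like
# spoofs of protected airport domains. All names and the feed below are constructed.
from difflib import SequenceMatcher

# Constructed watch-list: registrable name -> terms a spoof is likely to reuse
PROTECTED = {
    "phl.example": {"phl", "philadelphia"},
    "newark-airport.example": {"ewr", "newark"},
    "piedmont-triad.example": {"gso", "greensboro"},
    "microsoft.com": {"microsoft"},
}
HOMOGLYPHS = str.maketrans("0134578", "oieastb")  # digits swapped for letters (m1crosoft)
PORTAL_LABELS = {"webmail", "mail", "owa", "login", "portal"}  # fake mail/login pages

def split_name(domain):
    """Return (subdomain labels, second-level label, registrable name)."""
    labels = domain.lower().strip(".").split(".")
    return labels[:-2], labels[-2], ".".join(labels[-2:])

def indicators(domain):
    """Return the spoofing indicators found for one domain; empty means benign."""
    subs, sld, reg = split_name(domain)
    if reg in PROTECTED:  # our own registrable name is never a spoof
        return []
    found = []
    for legit, terms in PROTECTED.items():
        legit_sld = legit.split(".")[0]
        if sld != legit_sld and sld.translate(HOMOGLYPHS) == legit_sld:
            found.append(f"homoglyph of {legit}")
        elif SequenceMatcher(None, sld, legit_sld).ratio() >= 0.8:
            found.append(f"near-match of {legit}")
        if set(sld.split("-")) & terms:  # phl-airport, greensboro-airport
            found.append(f"reuses a term of {legit}")
    if found and PORTAL_LABELS & set(subs):  # webmail.<lookalike>
        found.append("mail/login portal label on a lookalike host")
    return found

def triage(feed):
    """Map each flagged domain in a 'date,domain' feed to its indicators."""
    rows = (line.split(",", 1)[1].strip() for line in feed.splitlines() if "," in line)
    checked = {d: indicators(d) for d in rows}
    return {d: reasons for d, reasons in checked.items() if reasons}

# Constructed registration feed modelled on the patterns in the notification
FEED = """2020-03-05,www.phl-airport.com
2020-03-28,greensboro-airport-parking.com
2020-04-19,webmail.newark-airport.info
2020-05-02,m1crosoft.com
2020-05-03,webmail.newark-airport.example
2020-05-10,example.org"""

print(triage(FEED))  # review queue: flagged names with their indicators
```

The indicators are triage hints for an analyst, not a verdict; a legitimate airport host on its own registrable name is exempted, and anything else that reuses a protected term is queued for review.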
The FBI therefore recommends the following actions to mitigate the threat:
- Devise a continuity of operations plan for a potential cyber attack; prioritize the systems most important to continued operations.
- Use e-mail authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender ID Framework (SIDF).
- Establish a training mechanism to inform end users on proper email and web usage, highlighting current information and analysis, and including common indicators of phishing. End users should have clear instructions on how to report unusual or suspicious emails.
- Regularly patch operating systems, software, and firmware.
- Update anti-malware and anti-virus software and conduct regular network scans.
- Use multi-factor authentication where possible.
- Audit networks and systems for unauthorized remote communication.
- Disable or remove unneeded software, protocols, macros, and portals.
The notification lists several spoofed registered domains and email landing pages; all are associated with the same IP address, which is assigned to Hostkey B.v. in the Netherlands.
Last year, the U.K.’s National Cyber Security Centre revealed that a phishing campaign that used spoofed emails from a major U.K. airport to try to steal customer details was one of the biggest cyber threats to British infrastructure in 2018.