scam

  • Sorry to burst your bubble but Air Canada isn't giving away free tickets; neither is JetBlue, EasyJet, Lufthansa or quite possibly any other airline. If you've received a WhatsApp message that looks something like this:

     

     

     

    Then chances are someone who has your phone number stored in their contacts fell for this scam and was instructed to share this message with 20 friends to qualify to get the free tickets. 

     

    At a quick glance, this message might seem to be legit, but an immediate giveaway is the spelling of the website address.

     

     

    As highlighted in the image above, there is no dot in the 'i' in the spelling of aircanada.

    This is a classic example of Unicode spoofing or visual spoofing, although the correct name for this is an internationalized domain name (IDN) homograph attack. Yes, quite a mouthful, but as the name says, it exploits the fact that characters across different languages look alike.

    In this particular example, the i without a dot is commonly used in the Turkish language.

    The second part of this exploit uses website masking, where you see one website address in your address bar (in this case http://www.aırcanada.com/tickets) but you're actually visiting another website.

      

    I've noticed that desktop browsers are quicker to pick this up than mobile phone browsers and actually display the masked address. 

     

    So a good test to see if a website could be a scam or not is to check it on your desktop and mobile browser and see if the address changes!

     

    The questions asked on the page are not actually saved anywhere nor is the countdown timer real or the number of tickets remaining. A look at the source code of the page shows that these are all generated and not linked to anything. 

     

    Lastly, what looks like a Facebook feed with user comments is actually just code on the page to make it look like a Facebook feed. None of the images or comments are real or come from Facebook.

     

     

     

    UPDATE: I tried visiting the fake website address a second time and was immediately prompted with this message using Safari Browser on iPhone: 

     

    Upon further investigation, I noticed that the website address was changed as well and now there is another trick in the characters being used.

    See if you can figure out the IDN trick this time:

     

     

    So what happens if you clicked the link? 

    If you were prompted to enter any personal information to 'access your free ticket' then this information could be stored and used in a subsequent attack directed towards you / your email etc.

    There is also the possibility that by clicking on the link and visiting the site, malware or a virus could have been downloaded to your phone or computer.

    The best course of action would be to run an anti-virus check on your device and also to run an anti-malware check on your device. 

    If you did enter any personal information, it is advised that you change your password(s) BUT only do so after running the anti-virus and anti-malware checkers on your device. 

    #BeCyberSafeTT
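
A way to check a link for the IDN homograph trick described above, as an added example that is not part of the original post: it lists the non-ASCII characters in the hostname, shows the ASCII (Punycode) form of each label, and flags a known domain being imitated. The `LOOKALIKES` table and the `KNOWN_DOMAINS` allow-list are small constructed assumptions, not a complete data set.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-picked subset of look-alike characters (assumption for this example;
# the complete list is Unicode's confusables data, not in the standard library).
LOOKALIKES = {"\u0131": "i", "\u0430": "a", "\u0435": "e", "\u043e": "o"}

# Domains the reader expects to see (hypothetical allow-list).
KNOWN_DOMAINS = {"aircanada.com"}


def check_url(url):
    """Report non-ASCII hostname characters and any known domain being imitated."""
    host = urlsplit(url).hostname or ""
    odd_chars = []
    ascii_labels = []
    for label in host.split("."):
        non_ascii = [ch for ch in label if ord(ch) > 127]
        for ch in non_ascii:
            odd_chars.append((ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
        if non_ascii:
            # Punycode-encode the label as-is (no IDNA normalization step)
            # to show the ASCII form hidden behind the displayed characters.
            ascii_labels.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            ascii_labels.append(label)
    # Replace look-alikes with the ASCII letter they imitate, then compare.
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in host)
    imitated = next(
        (d for d in KNOWN_DOMAINS if skeleton == d or skeleton.endswith("." + d)),
        None,
    )
    return {
        "host": host,
        "ascii_host": ".".join(ascii_labels),
        "odd_chars": odd_chars,
        # Only an imitation if the real spelling was NOT used.
        "imitates": imitated if odd_chars else None,
    }


if __name__ == "__main__":
    # First URL is the one quoted in the post; second is the ASCII spelling.
    for url in ("http://www.a\u0131rcanada.com/tickets", "https://www.aircanada.com/"):
        print(check_url(url))
```

Any label that comes back starting with `xn--` contains characters outside plain ASCII and deserves a closer look before the link is trusted.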