Security researchers at Skurio Ltd have warned employees and customers of Thomas Cook to be vigilant after it detected the registration of 53 Thomas Cook-related domains in the week after the travel operator went into receivership.

Phishing Risk

The risk is that cyber-criminals may be seeking to exploit a search for information from customers and staff affected by the company’s collapse to launch phishing attacks.  For example, Thomas Cook-related domains that have been registered but don’t have a holding page or landing-page on them could be used to create a legitimate-looking email address as part of phishing attempts.

German Site

One of the Skurio analysts, John Evans, reported finding a .de Thomas Cook-related domain that hosted a page that pretended to be a legitimate business, but was using the Thomas Cook likeness to make money from customer refund claims.

25% Just Piggybacking

The Skurio researchers found that 25% of the domains registered appeared to be just simply piggybacking off the collapse of Thomas Cook, and were using their domains to simply redirect to other websites.

Holding Pages + Advert Clicks

The researchers discovered that 50% of the recently registered domains had holding pages for websites on platforms like Wix or WordPress (awaiting a full live site).  Some other domains were discovered to be used for ad clicks and ad revenue e.g. with adverts for booking a new holiday or finding jobs for Thomas Cook employees.

Thomas Cook Contracted Skurio

Skurio were monitoring the Thomas Cook-related domain situation because (as reported by Skurio) Thomas Cook, had contracted Skurio, long before its collapse, to monitor surface, deep and Dark Web sources in order to provide early data breach detection services.  It was as part this service Skurio was scanning for new domain registrations relating to Thomas Cook services.   According to Scurio, this scanning involved looking for domains set up with subtle spelling errors or additional terms that a customer may expect to see, in order send phishing emails, create fake social media accounts or capture customer details online.

What Does This Mean For Your Business?

It is not uncommon for cyber-criminals to launch campaigns to take advantage of a popular information search by customers after events such as a high-profile security breach or company collapse.  This is because people may let their guard down and may simply not suspect such an underhand tactic, which is the kind of human error based on emotion that cyber-criminals are counting on.

Phishing attacks are all-too-common, and a recent APWG report showed that phishing attacks continued to rise in summer of 2019, with cyber-criminals focusing branded webmail and SaaS providers.

Companies can help guard against phishing attacks by educating and training all staff to be able to spot possible fraudulent tactics, and by encouraging and empowering them to question and refer any suspicious activity that could help to protect the business. Having clear systems for staff to follow, including carefully verifying any new payment requests before authorising them, and continuously promoting online vigilance can be well worth the effort in the fight against phishing, and the generally increasing number of social engineering attacks that companies are facing.