Another week, another scam. This week’s scam of the week is a spoof of Qatar Airways. The scam is a typical phishing scam.
The Qatar Airways Scam Email
The email used the usual tricks of phishing. It tried to lure me into clicking a link by saying:
“Thank you for booking with Qatar Airways…
We have received your booking under reference 7912-278”
The reference number was linked to the spoof site. The scammer was hoping that either:
- I had recently booked a flight with Qatar Airways and so will want to check my booking;
- I click the link thinking there must be a mistake as I’ve not booked anything – am I going to lose money; or,
- I will click the link thinking I have been a victim or fraud.
Any of these responses is a win for the scammer as I would click the link.
How I Knew it was a Phishing Email
This was not a very good attempt at phishing so it was quite obvious to me it was a scam – here is how I could tell:
- The ‘from’ email address, although it said Qatar Airways LLC when expanded to see inside the < > it showed this address – firstname.lastname@example.org
The email address used indicates that the phishing email was sent from a hijacked account. I checked what the Return-Path” or “Reply-To” SMTP header was using the email source. This was also email@example.com which suggests the scammer has authenticated access to this account.
2. The email had a link to enquiries if you believe this email was sent in error. Hanging my cursor over the link which was visible, showing
showed the URL as actually being
http:// agab.club/ advisabilityt.html – clearly NOT Qatar Airways
(DO NOT CLICK OR TRY TO GO TO THIS LINK)
NOTE: All of the links in the email, and there were several including in the sign off box, went to this website
3. The email was poorly branded
4. There was no salutation whatsoever
Some Notes on Scam Email Addresses
Qatar Airways have specific guidance on fraudulent emails. As with most brand names, Qatar Airways has been and will continue to be, a great brand for cybercriminals to use as phishing bait. Qatar Airways specifically say that they will only send emails with the following domains: @firstname.lastname@example.org /@qr.qmiles.com.
However, phishers should never be underestimated. They know that people are busy and when they do check, it may be a cursory glance. So, a tenacious scammer will create a domain that is very similar to the real domain. For example, @qatarairways.com.qa could be changed to @qatara1rways.com or @qetarairweys.com
At a glance, the scammer may well get away with even a fairly vigilant email check.
Analysis of the URL
When pushing the URL through analysis we saw that the site was set to make registry key changes on a Windows machine. Analysis using another tool showed no malware present, but the site had been blacklisted.
Qatar Airways advice on receiving a spoof email that looks like it is from the company is to
“If you receive this email, please delete it immediately and do not respond.”
Further details on the type of email Qatar Airways do send is on their website.
Why not help your colleagues stay safe and send them this little reminder. Feel free to edit, copy/paste the advice below:
The Qatar Airways Phishing Scam
If you receive an email from Qatar Airways about a flight you have booked– DO NOT CLICK ANY LINKS IN THE EMAIL.
There is a scam going around which is using the Qatar Airways brand to trick recipients. If you have indeed booked a flight with the airline, go to the website of the company by manually typing in the URL or using a bookmark.
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let’s keeping breaking scams!