By Christopher Elliott
The world’s most popular travel sites have a dark and dangerous side, according to a new study. The timing of this warning, coming just before one of the biggest travel weekends of the year, couldn’t be more appropriate — or troubling.
The survey by DomainTools, an internet security analysis company, found that several airlines and online booking sites have a constellation of high-risk domains swirling around them. Fraudsters use techniques such as registering domain names with typographical errors or duplicate letters to lure customers away from the real sites. Their favorite tool is an old internet scam called phishing, where they pretend to be the real site and steal your passwords and credit card numbers.
Hackers “aren’t taking time off”
About 38 million Americans will travel this Labor Day weekend, and some of them might fall victim to the most dangerous travel sites, according to DomainTools.
“Hackers aren’t taking any time off this summer,” says Tim Helming, DomainTools’ director of product management. “It’s prime phishing season. You should be on high alert for travel-related scams.”
Among the findings:
✓ Airlines had the largest number of high-risk domain names associated with their brand (American Airlines, for example, had 17 high-risk scams, with 12 of those being found on domain blacklists for malicious activity).
✓ Online travel agencies are the most frequently scammed, with just two sites exhibiting over 30 associated imitative domain names. DomainTools assigns each domain a risk score between 1 and 100. The higher the score, the higher the risk. Expedia and TripAdvisor had over 20 malicious domain names with risk scores of 100 associated with the brands.
✓ With both the airline and travel booking companies, scammers use common domain spoofing techniques, such as adding an extra “s” to the end of TripAdvisor.com or an extra “R” to unitedairlines.com.
The list of the most dangerous travel sites might surprise you. Although it includes a few online travel agencies, the airline industry dominates it. The research suggests that while there’s no quick solution, travelers can take better steps to avoid these scams. Consumers can take precautions when shopping for travel online, while companies can do more to increase their own security, according to DomainTools.
These are the most dangerous travel sites
To be clear, DomainTools isn’t calling any of these sites the most dangerous travel sites. It is saying that if you misspell one of the names, you could end up on a fraudulent site where criminals will try to rip you off. For obvious reasons, I’m not going to mention any of the high-risk domains by name or link to them from this story.
High-risk domains: 29
Why scammers like it: Because it’s TripAdvisor. Travelers search this site for hotel reviews, often typing the domain name to access it — but not always accurately. “Hackers are betting that consumers will be distracted,” says Helming.
What to look for: Variations of TripAdvisor, such as separating “trip” and “advisor” with a dash, or using an unusual top-level domain, like “.ga,” are common.
High-risk domains: 25
Why scammers like it: It’s an airline, and easily misspelled. Consider Jeremy Cooperstock’s long-running dispute with United over the domain Untied.com, a site so critical of the airline that it sued him to block it.
What to look for: Domains that contain United and “reservations” or “flight ticketing” are popular.
High-risk domains: 19
Why scammers like it: It’s the world’s largest airline.
What to look for: Criminals add terms like “voucher” and “cargo” to the domain name to make it more enticing.
Delta Air Lines
High-risk domains: 11
Why scammers like it: It’s a major U.S. carrier.
What to look for: The bad guys add words like “vouchers” and “tracking” to the word “delta” to make it more attractive to search engines — and victims.
High-risk domains: 8
Why scammers like it: It’s big. “The largest companies are likely to be the most lucrative for scammers seeking to spoof domain names,” says Helming.
What to look for: Common misspellings, like “Expediaa” and “xpedia,” as well as exotic country top-level domains.
High-risk domains: 7
Why scammers like it: Southwest has a reputation for generosity, from including a checked bag in its fares to reasonable fees (or none). That makes it a prime target.
What to look for: If the words “free” or “cheap” are in the domain, chances are it’s a phishing site.
High-risk domains: 6
Why scammers like it: Priceline has long been a magnet for bargain-hunters. Scammers know that they might hook a few victims with a too-good-to-be-true deal.
What to look for: Creative variations on the Priceline name, including adding the words “home,” “flights” and “car rental.”
High-risk domains: 4
Why scammers like it: Alaska is another popular airline for passengers who want a fair price without overpaying.
What to look for: Added words like “ticket” and “miles” set the fake domains apart from the real thing.
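The “what to look for” patterns above (an extra or missing letter, a dash splitting the name, bait words, an unusual top-level domain) can be checked mechanically before a link is trusted. The following is an added example, not DomainTools’ PhishEye or code from the study; the brand table, bait-word list and sample domains (all on the reserved `.example` name) are constructed, and it assumes a single-label top-level domain.

```python
# Added illustration: brands, bait words and sample domains are constructed.
OFFICIAL = {"tripadvisor": "com", "expedia": "com",
            "unitedairlines": "com", "delta": "com"}
BAIT = ("voucher", "cargo", "tracking", "free", "cheap",
        "ticket", "miles", "reservations", "flights")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) when a domain imitates a listed brand, else None."""
    host = domain.lower().rstrip(".")
    rest, _, tld = host.rpartition(".")
    label = rest.split(".")[-1]         # drop subdomains such as "www"
    squeezed = label.replace("-", "")   # undo "trip-advisor" style splits
    for brand, official_tld in OFFICIAL.items():
        if label == brand:
            if tld == official_tld:
                return None             # the real site
            return (brand, "unexpected top-level domain")
        if squeezed == brand:
            return (brand, "hyphenated brand name")
        if brand in squeezed:
            extra = squeezed.replace(brand, "", 1)
            if any(word in extra for word in BAIT):
                return (brand, "brand plus bait word")
        if edit_distance(squeezed, brand) == 1:
            return (brand, "one-character misspelling")
    return None

# Constructed samples modelled on the patterns the article describes.
SAMPLES = ["www.tripadvisor.com", "tripadvisors.example", "trip-advisor.example",
           "xpedia.example", "expedia.example", "delta-vouchers.example",
           "unitedairrlines.example", "example.org"]

def scan(domains):
    """Map each suspicious domain to its (brand, reason) finding."""
    return {d: hit for d in domains if (hit := classify(d))}

if __name__ == "__main__":
    for name, (brand, reason) in scan(SAMPLES).items():
        print(f"{name}: imitates {brand} ({reason})")
```

Short brand names such as “delta” will produce false positives with a one-character threshold, so findings from a check like this are a prompt for a closer look rather than a verdict.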
How to avoid the most dangerous travel sites
To understand how to avoid these sites, you need to take a deep dive into how DomainTools found the most dangerous travel sites. One of its applications, called PhishEye, flags high-risk domains. DomainTools also has a “proximity to known maliciousness” algorithm to ferret out scammy sites.
The process is fascinating. Once DomainTools identifies a potentially bad domain, it allows you to run sophisticated searches that can detect a single phishing operation across several sites. For example, DomainTools allows you to search by registrar name or IP address, to find out who’s behind a ruse.
The conclusion is inescapable: A vast network of sophisticated scammers is preying on you while you’re online, and particularly when you’re trying to make travel plans.
“Keep your guard up,” advises Helming. “Be aware that we are all potentially susceptible to phishing. You’ll enjoy that holiday a lot more when you know that you didn’t get taken in by a scam.”
He says travelers should practice a “healthy” paranoia about where they go online. His recommendations:
✓ Go direct. When booking travel, consider making a reservation directly through the airline instead of a third-party site. “It’s a safer alternative,” he says.
✓ Educate yourself. Stay up-to-date on the latest scams that circulate through the web. For example: avoid high-pressure tactics: “Book now” or “Only three rooms left” or “Sale ends tonight,” he says.
✓ Stay alert. “Don’t let summer distract you from keeping an eye out for sketchy domains,” says Helming. “Sign up for alerts from the company you booked through, so you’ll know when it’s legit.”
✓ Maintain your own blacklist. Flag “phishy” emails and send those straight to your spam folder. “And think before you click,” he says. “Hover your mouse over any suspicious domain names or links to find out if they’re who they say they are.”
What companies should do about the most dangerous travel sites
Corporate America is all but powerless to stop these fraudulent and dangerous domains, thanks to the open nature of the internet. Helming told me corporations are concerned mostly about their employees clicking on the fraudulent links. The companies can alert local law enforcement when they find a suspicious pattern — and they can work within the legal system to try to shut down the online criminals.
But it’s a cat-and-mouse game, with the criminals seemingly one step ahead of everyone else. Companies can’t protect their customers. And in my experience as a consumer advocate, when customers do fall victim to phishing attacks, corporate America often turns a blind eye to the victims. They tell their customers, “You should have known better.”
And until they find a way to shut down this sophisticated domain-spoofing and phishing operation, there really is only one thing to do: Be careful out there.