Summary
Threat actors increasingly leverage airline brand impersonation to facilitate sophisticated reward fraud and illicit online gambling schemes, according to a report published by Help Net Security. Analysis of over 11,000 domains reveals a high-volume ecosystem where keywords such as “rewards” and “points” serve as primary lures for loyalty credential harvesting. Additionally, malicious operators exploit airline prestige to drive traffic to unauthorized gambling platforms promising “VIP” bonuses and casino incentives. These campaigns are capitalizing on peak travel cycles and service disruptions to maximize victim conversion rates through high-urgency social engineering.
Technical Analysis
Malicious threat actors are registering thousands of lookalike domains using keyword combinations such as “flight,” “rewards,” and “VIP” to intercept legitimate search traffic through aggressive SEO manipulation, according to an associated report from BforeAI’s PreCrime platform team. These infrastructures facilitate reward fraud by mimicking official loyalty program logins to exfiltrate points, payment data, and sensitive PII from travelers. In the gambling sector, attackers utilize airline-branded keywords to redirect users toward fraudulent betting sites that solicit cryptocurrency wallet connections or direct deposits under the guise of “traveler bonuses.” Technical observations indicate a shift toward DevOps-style pre-loading, where domains remain dormant for aging before rapid activation within hours of a public airline incident. Many of these sites utilize specialized top-level domains such as “[.]vip” and “[.]luxury” to project an aura of exclusivity for high-value charter and gambling scams. The integration of live-updated elements ensures the lures remain relevant to the visitor’s specific timing and regional context.
Mitigation Strategies
BforeAI’s PreCrime platform has provided the following organizational mitigation strategies to combat this brand impersonation campaign:
- Preemptively track newly registered domains that misuse popular tech names (e.g., ChatGPT, airline brands) to create misleading credibility. Flag and report suspected abuse.
- Launch awareness campaigns highlighting common scams using AI buzzwords and impersonation of airline services, especially during the peak season.
- Work with hosting providers and registrars to initiate takedowns of fraudulent or suspicious lookalike sites.
- Create watchlists around future events (e.g., FIFA 26, Olympics, AI Summits, government launches) to catch pre-registration trends. Domains mimicking future products or services are often registered months in advance and used when public attention peaks.
- Recognizing that vendor-jacking is a major BEC threat, implement mandatory, multi-person verification procedures for all changes to vendor payment information, invoices, or other high-value financial requests, so that sensitive actions are never taken on the strength of an email alone.
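
One way to implement the first mitigation (tracking newly registered domains) is to score a registration feed against a brand watchlist and the lure keywords and TLDs described above. This is an added example, not code from the report or from BforeAI; the brand tokens, official-domain set, scoring weights and sample feed are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Lure keywords and TLDs named in the report above.
LURE_KEYWORDS = ("rewards", "points", "flight", "vip")
LURE_TLDS = ("vip", "luxury")
# Assumption: placeholder brand tokens; replace with the brands you protect.
BRANDS = ("exampleair", "samplejet")
# Constructed sample of a newly-registered-domain feed (not real indicators).
SAMPLE_FEED = ["exampleair-rewards[.]vip", "city-flight-rewards.com",
               "examp1eair-points-flight.com", "exampleair.com"]

def refang(domain):
    """Normalize a defanged name such as 'foo[.]vip' to 'foo.vip'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def brand_match(tokens, brands=BRANDS, threshold=0.85):
    """Return (brand, token) for an embedded or near-miss brand token."""
    for token in tokens:
        for brand in brands:
            near = SequenceMatcher(None, brand, token).ratio() >= threshold
            if brand in token or near:
                return brand, token
    return None

def score_domain(domain, official=frozenset()):
    """Score one domain; returns (score, reasons). 0 means not flagged."""
    name = refang(domain)
    if name in official:
        return 0, ["official domain"]
    *labels, tld = name.split(".")
    tokens = [t for t in re.split(r"[-.]", ".".join(labels)) if t]
    score, reasons = 0, []
    hit = brand_match(tokens)
    if hit:
        score += 3
        reasons.append(f"brand '{hit[0]}' matched by '{hit[1]}'")
    lures = [k for k in LURE_KEYWORDS if any(k in t for t in tokens)]
    score += len(lures)
    reasons += [f"lure keyword '{k}'" for k in lures]
    if tld in LURE_TLDS:
        score += 1
        reasons.append(f"lure TLD .{tld}")
    # Keyword-only names are often benign, so require a brand hit to flag.
    return (score if hit else 0), reasons

def triage(feed, official=frozenset(), min_score=4):
    """Return (score, domain) pairs at or above min_score, highest first."""
    scored = [(score_domain(d, official)[0], refang(d)) for d in feed]
    return sorted((s for s in scored if s[0] >= min_score), reverse=True)
```

Calling `triage(SAMPLE_FEED, {"exampleair.com"})` flags the two brand-plus-lure names, including the character-substituted one, and skips both the official domain and the keyword-only name.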


