Missing DMARC Records Increase the Possibility of Phishing Campaigns Against Akasa Air

An unauthorized information disclosure vulnerability that allowed threat actors to access the customer data on the registration page of Akasa Air (akasaair[.]com)
Updated on April 19, 2023
Published on September 2, 2022
Category: Adversary Intelligence
Industry: Transport & Logistics
Country: India
Source*: A2

Executive Summary

Threat
  • User PII was compromised due to an unauthorized information disclosure vulnerability on the registration page of Akasa Air.
  • No DMARC record is published for the domain.
Impact
  • Phishing attacks against affected users.
  • Malicious actors will be equipped with details required to launch sophisticated ransomware attacks.
Mitigation
  • Implement a strong password policy and enable MFA.
  • Publish DMARC records.
  • Patch vulnerable and exploitable endpoints.

Investigative Analysis

  • On 07 August 2022, Ashutosh Barot discovered an unauthorized information disclosure vulnerability that allowed threat actors to access customer data through the registration page of Akasa Air (akasaair[.]com).
  • Akasa Air, a brand of SNV Aviation Private Limited, is an Indian low-cost airline headquartered in Mumbai, Maharashtra, India.
  • Customer PII such as name, email, phone number, and gender was revealed.

Vulnerability Description

  • The registration page of Akasa Air allowed users to sign up by providing their name, email, phone number, and gender.
  • After creating a profile and logging in, the HTTP response captured in Burp Suite returned all of the populated PII in JSON format.
  • Changing a few parameters in the replayed Burp request caused the website to return the PII of other Akasa Air customers: the endpoint trusted a client-supplied identifier instead of the logged-in user's session, a classic insecure direct object reference (IDOR).
  • Although the airline fixed the issue within two weeks, threat actors might have exploited it in the meantime and shared the data on cybercrime forums.
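The following is an added illustration of the flaw described above and of its fix; it is not code from the advisory or from Akasa Air. The endpoint, the customerId parameter, the session tokens, the customer records and the access-log lines are all constructed for the example. The vulnerable handler returns whichever record the client names; the hardened handler selects the record from the server-side session only. A small detector over constructed log lines shows the enumeration pattern such a bug produces, which is the account anomaly a defender would monitor for.

```python
"""Model of a profile endpoint with an IDOR, its hardened form, and a
detector for id enumeration. Added example; all names and data are assumed."""
from urllib.parse import parse_qs, urlparse

# Constructed sample data standing in for the airline's customer table.
CUSTOMERS = {
    101: {"name": "Asha K.", "email": "asha@example.com", "phone": "+91-98xxxxxx01", "gender": "F"},
    102: {"name": "Ravi M.", "email": "ravi@example.com", "phone": "+91-98xxxxxx02", "gender": "M"},
}

# Session token -> authenticated customer id, as a login would establish (constructed).
SESSIONS = {"tok-asha": 101, "tok-ravi": 102}

# Constructed access-log lines: "<session> GET <path>"
SAMPLE_LOG = [
    "tok-asha GET /api/profile?customerId=101",
    "tok-asha GET /api/profile?customerId=102",
    "tok-asha GET /api/profile?customerId=103",
    "tok-asha GET /api/profile?customerId=104",
    "tok-ravi GET /api/profile?customerId=102",
]


class Forbidden(Exception):
    pass


def profile_vulnerable(session_token, params):
    """Before: the session is only checked for validity; the record returned is
    whichever id the client put in the request, so editing one parameter yields
    another customer's PII (insecure direct object reference)."""
    if session_token not in SESSIONS:
        raise Forbidden("login required")
    customer_id = int(params["customerId"])   # assumed parameter name
    return CUSTOMERS[customer_id]


def profile_hardened(session_token, params=None):
    """After: the id comes from the server-side session, never from the request.
    If a client still sends an id, it must match the session or is refused."""
    customer_id = SESSIONS.get(session_token)
    if customer_id is None:
        raise Forbidden("login required")
    if params and "customerId" in params and int(params["customerId"]) != customer_id:
        raise Forbidden("object does not belong to caller")
    return CUSTOMERS[customer_id]


def idor_demo():
    """Replay Asha's session with Ravi's id against both handlers.
    Returns (other_record_leaked, hardened_handler_blocked)."""
    tampered = {"customerId": "102"}
    leaked = profile_vulnerable("tok-asha", tampered)["email"] == CUSTOMERS[102]["email"]
    try:
        profile_hardened("tok-asha", tampered)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


def enumeration_suspects(log_lines, threshold=3):
    """Sessions that requested at least `threshold` distinct customerId values:
    one legitimate user needs only their own, so this is a cheap IDOR signal."""
    seen = {}
    for line in log_lines:
        session, _method, path = line.split(" ", 2)
        ids = parse_qs(urlparse(path).query).get("customerId", [])
        seen.setdefault(session, set()).update(ids)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(idor_demo())                        # (True, True)
    print(enumeration_suspects(SAMPLE_LOG))   # ['tok-asha']
```

The authorization fix is the important part: the object to return is derived from who is logged in, not from what the request says, so there is no parameter left to tamper with. The detector is a heuristic; a threshold of distinct ids per session is enough to surface scripted enumeration in access logs after the fact.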

Missing DMARC Records

  • Upon further investigation, CloudSEK's Threat Intelligence Research team discovered that no DMARC record was published for the akasaair[.]com domain.
  • A DMARC record is a DNS TXT record at _dmarc.<domain> (checked with, for example, dig TXT _dmarc.akasaair.com) that tells receiving mail servers what to do with a message whose visible From: domain is not backed by an aligned SPF or DKIM pass: p=none delivers it and only reports, p=quarantine sends it to spam, and p=reject refuses it.
  • SMTP itself has no protection against forged "From" addresses; only SPF, DKIM and a DMARC policy tying them to the From: domain give a receiver grounds to act.
  • Thus a domain with no DMARC record (or one left at p=none) can be misused by threat actors in phishing campaigns to send emails that carry the exact domain in the "From" field and are delivered as if legitimate.
  • Multiple look-alike domains, such as those listed below, could be abused in the future to impersonate Akasa Air.
Domains that can be used to impersonate Akasa Air:
  • akasaair.club
  • flyakasaair.com
  • akasaair.info
  • akasaair.org
  • akasaairline.asia
  • akasaair.online
  • akasaair.net
  • akasaairways.asia
  • akasaairways.net
  • akasaair.co
  • akasaairline.net
  • akasaair.management
  • careerakasaair.com
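To make the DMARC point concrete, here is an added example (not code from the advisory) of the decision a receiving mail server makes. The two DMARC records, the placeholder reporting address, the attacker domain and the SPF/DKIM results are constructed; the organizational-domain helper is a two-label approximation of what real receivers derive from the Public Suffix List. It evaluates a forged message with From: akasaair.com relayed through an attacker's server against a missing record, a p=none record and a p=reject record.

```python
"""How a receiver applies a DMARC record to a message. Added example; the
records, addresses and authentication results below are constructed."""

# Constructed records. The rua address is a placeholder, not a real mailbox.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.net"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.net"


def parse_dmarc(txt):
    """Parse the TXT record found at _dmarc.<domain> into its tags.
    Returns None when there is no record or it is not usable DMARC
    (no v=DMARC1 or no p= policy); a receiver then behaves as if none exists."""
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Assumption for the example; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record_txt, from_domain, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Decide what a receiver does with one message.

    from_domain: domain in the RFC 5322 From: header (what the user sees).
    spf_domain:  MAIL FROM domain that SPF was evaluated against.
    dkim_domain: d= of a verified DKIM signature, or None.
    Returns (dmarc_pass, action); dmarc_pass is None when no record exists.
    """
    rec = parse_dmarc(record_txt)
    if rec is None:
        return (None, "deliver")          # no policy: a forged From: sails through
    spf_ok = bool(spf_pass and spf_domain
                  and aligned(spf_domain, from_domain, rec.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, rec.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return (True, "deliver")
    policy = rec["p"].lower()
    if policy == "quarantine":
        return (False, "quarantine")
    if policy == "reject":
        return (False, "reject")
    return (False, "deliver")             # p=none: report only, still delivered


def spoof_outcomes():
    """Forged mail with From: akasaair.com sent from attacker.example: SPF
    passes for the attacker's own MAIL FROM domain, there is no DKIM signature."""
    cases = {"missing": None, "p=none": MONITOR_ONLY, "p=reject": ENFORCING}
    return {name: dmarc_disposition(rec, "akasaair.com", "attacker.example",
                                    True, None, False)[1]
            for name, rec in cases.items()}


if __name__ == "__main__":
    print(spoof_outcomes())
    # {'missing': 'deliver', 'p=none': 'deliver', 'p=reject': 'reject'}
```

Note that SPF passing is not enough: the attacker's MAIL FROM domain passes SPF for the attacker's own server, but it is not aligned with the From: domain the victim sees, so only an enforcing DMARC policy turns that mismatch into a rejection. A record at p=none changes nothing about delivery; it only produces reports.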

Possible Future Campaigns

  • The collected PII can be used to conduct multiple malicious campaigns.
  • Threat actors can stand up fake copies of websites on domains associated with Akasa, such as akasaindia[.]net or akasaairlinesindia[.]com, and use the compromised PII to lure customers to them.
  • Affected individuals could be targeted with malicious emails delivering information stealers, botnet agents, remote access trojans (RATs) or other malware disguised as legitimate documents.

Impact & Mitigation

Impact
  • The missing DMARC record allows actors to send emails that appear to come from the Akasa Air domain.
  • It equips malicious actors with the details required to launch sophisticated targeted attacks, including ransomware deployment, data exfiltration and persistence.
  • Stolen data can be sold on cybercrime forums for monetary gain.
  • Exfiltrated sensitive PII can be used against the affected individuals to conduct:
    • Phishing/Smishing
    • Social engineering attacks
    • Identity theft
Mitigation
  • Implement a strong password policy and enable MFA (multi-factor authentication).
  • Publish a DMARC record for the domain. Start at p=none with a rua= reporting address to learn which senders fail, align SPF and DKIM for every legitimate mail source, then move to p=quarantine and finally p=reject; moving to p=reject before SPF and DKIM are aligned will block the airline's own mail.
  • Patch vulnerable and exploitable endpoints, and make sure object lookups are authorized against the authenticated user rather than a client-supplied identifier.
  • Monitor for anomalies in user accounts, such as one session requesting many different customer records, which could indicate account takeover or enumeration.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

Figure: Screenshot of the Sign-up page of Akasa Air
Figure: An instance of a threat actor sharing PII of individuals from a breach on a cybercrime forum
Figure: Future possible campaigns
Figure: Alleged email to a customer from Akasa Air
