Missing DMARC Records Increase the Possibility of Phishing Campaigns Against Akasa Air

Summary

An unauthorized information disclosure vulnerability allowed threat actors to access customer data through the registration page of Akasa Air (akasaair[.]com).
Category: Adversary Intelligence Industry: Transport & Logistics Country: India Source*: A2

Executive Summary

Threat
  • User PII was compromised due to an unauthorized information disclosure vulnerability on the registration page of Akasa Air.
  • No DMARC records are available for the domain.
Impact
  • Phishing attacks against affected users.
  • Malicious actors will be equipped with details required to launch sophisticated ransomware attacks.
Mitigation
  • Implement a strong password policy and enable MFA.
  • Publish DMARC records.
  • Patch vulnerable and exploitable endpoints.

Investigative Analysis

  • On 07 August 2022, Ashutosh Barot discovered an unauthorized information disclosure vulnerability that allowed threat actors to access customer data through the registration page of Akasa Air (akasaair[.]com).
  • Akasa Air, a brand of SNV Aviation Private Limited, is an Indian low-cost airline headquartered in Mumbai, Maharashtra, India.
  • Customer PII such as name, email, phone number, and gender was revealed.

Vulnerability Description

  • The registration page of Akasa Air allowed users to sign up by providing their name, email, phone number, and gender.
  • After creating a profile and logging in, an HTTP response captured in Burp Suite revealed all of the submitted PII in JSON format.
  • Upon changing a few parameters in the captured request, the website returned the PII of other Akasa Air customers, i.e. the endpoint did not check that the requested record belonged to the logged-in user.
  • Although the airline fixed the issue within two weeks, threat actors might have exploited it in the meantime and shared the data on cybercrime forums.
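The flaw described above is a missing object-level authorization check: the server authenticates the caller and then trusts a caller-supplied identifier to select the record. The following is an added example, not code from the advisory or from Akasa Air, that models that pattern in memory (the user store, session table and identifiers are all constructed) and places a hardened handler beside it.

```python
# Added example, not code from the advisory or from Akasa Air: a minimal
# in-memory model of the profile lookup described above. The user store,
# session table and identifiers are all constructed for illustration.

from dataclasses import dataclass, asdict


@dataclass
class Profile:
    user_id: int
    name: str
    email: str
    phone: str
    gender: str


# Constructed sample records; no real customer data.
PROFILES = {
    1001: Profile(1001, "Alice Example", "alice@example.test", "+91-00000-00001", "F"),
    1002: Profile(1002, "Bob Example", "bob@example.test", "+91-00000-00002", "M"),
}

# Constructed session table: session token -> authenticated user_id.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def get_profile_vulnerable(session_token, requested_user_id):
    """The flawed pattern behind the finding: the handler checks that the
    caller is logged in, then trusts a caller-supplied identifier to choose
    which record to return. Any logged-in user can read any profile."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    profile = PROFILES.get(requested_user_id)
    if profile is None:
        raise Forbidden("profile not accessible")
    return asdict(profile)


def get_profile_hardened(session_token, requested_user_id):
    """Hardened handler: the record is chosen from the authenticated identity
    only. A supplied id that does not match the session is refused with the
    same error as a non-existent id, so the endpoint cannot be used to
    enumerate valid user ids either."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    caller_id = SESSIONS[session_token]
    if requested_user_id != caller_id or caller_id not in PROFILES:
        raise Forbidden("profile not accessible")
    return asdict(PROFILES[caller_id])


def accessible(handler, session_token, requested_user_id):
    """Helper for comparing the two handlers: True if the handler would
    return a record for this (session, id) pair, False if it refuses."""
    try:
        handler(session_token, requested_user_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Alice's session asking for Bob's record: the vulnerable handler leaks
    # it, the hardened handler refuses.
    print("vulnerable:", accessible(get_profile_vulnerable, "sess-alice", 1002))
    print("hardened:  ", accessible(get_profile_hardened, "sess-alice", 1002))
```

The hardened handler deliberately returns the same error for "not yours" and "does not exist"; distinguishing the two would turn the endpoint into an oracle for valid account identifiers even after the data leak itself is closed. In a real deployment, the refusal would also be logged with the session identity so that repeated mismatches can be alerted on.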

Missing DMARC Records

  • Upon further investigation, CloudSEK’s Threat Intelligence Research team discovered that the DMARC records were missing for the akasaair[.]com domain.
  • DMARC records are DNS text (TXT) records, published at _dmarc.<domain>, that tell receiving mail servers what to do with emails that fail SPF/DKIM alignment (monitor, quarantine or reject) and where to send reports.
  • By default, SMTP has no protection against forged “From” addresses.
  • Thus, domains without DMARC records can be misused by threat actors in phishing campaigns: they can send fake emails that carry the exact domain in the “From” field, and receiving servers have no published policy telling them to reject such mail.
  • Multiple domains such as those mentioned below could be abused in the future to impersonate Akasa Air.
  • akasaair.club
  • flyakasaair.com
  • akasaair.info
  • akasaair.org
  • akasaairline.asia
  • akasaair.online
  • akasaair.net
  • akasaairways.asia
  • akasaairways.net
  • akasaair.co
  • akasaairline.net
  • akasaair.management
  • careerakasaair.com
Domains that can be used to impersonate Akasa Air
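A defender checking the finding above would fetch the TXT record at _dmarc.<domain> and rate the policy it carries. The following is an added example, not part of the advisory or CloudSEK's own tooling: it parses DMARC records and rates them, with a constructed lookup table standing in for DNS so that it runs offline. The None entries model the "no record" finding for akasaair.com and the look-alike domain flyakasaair.com listed above and are not live DNS data; the *.example records are invented to show a weak policy beside a strong one.

```python
# Added example, not part of the advisory or CloudSEK's own tooling: parse
# DMARC TXT records and rate the policy they express. A real check fetches
# the TXT record of _dmarc.<domain>; here the lookups are simulated with a
# constructed table so the code runs offline.

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed lookup table: domain -> TXT value at _dmarc.<domain>, or None
# when no record exists. The None entries model the advisory's finding for
# akasaair.com and are not live DNS data; the *.example records are invented
# to show a weak and a strong policy side by side.
SIMULATED_DNS = {
    "akasaair.com": None,
    "flyakasaair.com": None,
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strong.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict.
    Returns None if the text is not a DMARC1 record."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(domain, txt):
    """Return (domain, status, note). status is 'missing', 'invalid', 'weak',
    'moderate' or 'strong'; note explains the rating for a report."""
    if txt is None:
        return domain, "missing", "no DMARC record: receivers have no policy for spoofed From: addresses"
    tags = parse_dmarc(txt)
    if tags is None:
        return domain, "invalid", "TXT record present but it is not a DMARC1 record"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return domain, "invalid", f"missing or unknown policy tag p={policy!r}"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return domain, "invalid", f"pct is not an integer: {tags['pct']!r}"
    if policy == "none":
        return domain, "weak", "p=none only reports; spoofed mail is still delivered"
    if policy == "quarantine" or pct < 100:
        return domain, "moderate", f"p={policy} pct={pct}: failing mail is quarantined or only partly enforced"
    return domain, "strong", "p=reject with pct=100: all failing mail is rejected"


def audit(table=SIMULATED_DNS):
    """Rate every domain in the table; returns domain -> status."""
    return {domain: assess(domain, txt)[1] for domain, txt in table.items()}


if __name__ == "__main__":
    for domain, txt in SIMULATED_DNS.items():
        _, status, note = assess(domain, txt)
        print(f"{domain:20} {status:8} {note}")
```

The rating deliberately treats p=none as weak: it enables reporting, which is the right first step when rolling DMARC out, but it does not instruct receivers to drop forged mail, so the spoofing risk described above remains until the policy is moved to quarantine or reject with pct=100.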

Possible Future Campaigns

  • The collected PII can be used to conduct multiple malicious campaigns.
  • Look-alike copies of websites and domains associated with Akasa, such as akasaindia[.]net or akasaairlinesindia[.]com, can be set up by threat actors to target customers using the compromised PII.
  • Affected individuals could be targeted with malicious emails that deliver stealers, botnet clients, RATs, or other malware disguised as legitimate documents.

Impact & Mitigation

Impact
  • Missing DMARC records could allow actors to send fake emails with the domain name of Akasa Air.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data and maintain persistence.
  • Stolen data can be sold on cybercrime forums for monetary benefits.
  • Exfiltrated sensitive PII can be used against the affected individuals, to conduct:
    • Phishing/Smishing
    • Social engineering attacks
    • Identity theft
Mitigation
  • Implement a strong password policy and enable MFA (multi-factor authentication).
  • Set up DMARC records for the domain.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.

Appendix

Screenshot of the Sign-up page of Akasa Air

An instance of a threat actor sharing PII of individuals from a breach on a cybercrime forum

Future possible campaigns

Alleged email to a customer from Akasa Air