Show Crane Hassold a typical cyber criminal, and he’ll show you someone who is inherently lazy. “As long as the return on investment is good enough, they’re going to put in as little effort as they possibly can,” he says.
That’s why a particularly enterprising phishing scam targeting U.S. travelers ahead of the holiday season has jumped out at him. It works like this: You receive an email from what looks like the Transportation Security Administration, encouraging you to renew your TSA PreCheck membership. You’re grateful for the reminder. The holidays are coming, and you’re worried about long lines at the airport. Besides, you can’t remember the last time you renewed your PreCheck membership. A link in the email leads to an official-looking domain, where you take a few minutes to fill out a form with your personal information and then you make a payment. Unfortunately, the site is run by a scammer in Bulgaria, who now has both your money and your personal information.
“What’s really interesting about this is clearly the amount of time that was spent to actually create not only the email, but also the full website itself,” says Hassold, Director of Threat Intelligence at Abnormal Security, a cloud email security platform. “Usually when we see phishing attacks, it’s pretty clear that the scammers didn’t put a lot of time into it. They’re really focused on volume rather than quality.”
Prior to entering the private sector, Hassold spent 11 years at the FBI, where he helped create the agency’s Cyber Behavioral Analysis Center. After sifting through hundreds of online swindles in his career, he says this is one of the better-executed phishing scams he’s seen.
“I think that most people would look at this and think it looks pretty legitimate,” says Hassold. “Most people don’t have a lot of security awareness training, where they’re taught to look out for certain things. On its own, this looks pretty legit.”
It is not unusual for a PreCheck member to receive a reminder email from the TSA. “Beginning at six months from expiration of TSA PreCheck, TSA will send an email to remind members to begin their renewal process,” says R. Carter Langston, a TSA spokesperson.
So how do you spot a phony? With this fraudulent PreCheck renewal scam, the first big red flag is the sender’s email address.
“Consumers should always verify that the web address they are visiting to register for TSA PreCheck ends in ‘.gov,’” says Langston. “Any website that claims to allow consumers to register for TSA PreCheck that does not end in ‘.gov’ is not an official TSA PreCheck website and consumers should not provide personal information or payment information.”
With this scam, the sender’s email had the domain immigrationvisaforms.com. “So that’s suspicious,” says Hassold. “If you do some research, that domain has actually been around for a number of years. Usually, when we see phishing emails that are coming from domains registered by the cybercriminal, they were created last week or a couple days ago.” Not so in this case.
Then, if the email recipient clicks the link inside the message, they end up at another site, airportprescreening.com. Legitimate online registration for TSA PreCheck can begin at tsa.gov and will redirect to universalenroll.dhs.gov.
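The two checks described above (sender domain and link domain must end in ‘.gov’) can be automated for mail triage. The Python below is an added example, not code from the article or from TSA or Abnormal Security; the From: header and link it tests are constructed to resemble the scam described, and the local part of the address is made up. It parses the real hostname rather than searching the raw string, so look-alikes such as tsa.gov.example.com or a URL with ‘tsa.gov’ in its path or userinfo are not mistaken for official sites.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Lowercase hostname of a URL (userinfo, port, path and query stripped)."""
    if "://" not in url:
        url = "http://" + url          # bare domain as it appears in email text
    try:
        host = urlsplit(url).hostname
    except ValueError:                 # malformed host, e.g. broken IPv6 brackets
        return None
    return host.rstrip(".") if host else None


def ends_in_gov(host: Optional[str]) -> bool:
    """The TSA's rule: the address must END in '.gov'.

    Test the final DNS label, not the raw string, so 'tsa.gov.example.com'
    or a 'tsa.gov' buried in a path or userinfo does not pass."""
    return host is not None and host.split(".")[-1] == "gov"


def sender_domain(from_header: str) -> Optional[str]:
    """Domain of a From: value such as 'TSA PreCheck <renew@example.com>'."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def red_flags(from_header: str, link: str) -> List[str]:
    """Apply both checks; an empty list means neither red flag tripped."""
    flags = []
    sender = sender_domain(from_header)
    if not ends_in_gov(sender):
        flags.append(f"sender domain is not .gov: {sender}")
    link_host = hostname_of(link)
    if not ends_in_gov(link_host):
        flags.append(f"link host is not .gov: {link_host}")
    return flags


if __name__ == "__main__":
    # Constructed sample modelled on the article's scam (address local part is made up).
    print(red_flags("TSA PreCheck <renewal@immigrationvisaforms.com>",
                    "https://airportprescreening.com/renew"))
    # Legitimate enrollment path named in the article.
    print(red_flags("TSA <noreply@tsa.gov>", "https://universalenroll.dhs.gov/"))
```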
Still, Hassold gives this faux-TSA con high marks for effort and attention to detail. “It’s clear that the scammer behind this attack spent some time to craft an illusion of reality here,” he says. “Most phishing attacks that we see, it’s a single web page that is mimicking something else. In this case, the scammer behind this created a full-blown website that has 10 to 20 different pages, all of them with different content. And, again, looks pretty legit.”
In addition, says Hassold, the scammer’s email and website are free from “the low-hanging fruit, which are the grammar errors and spelling errors you see in most phishing emails. This is such an interesting scam in that a lot of those red flags are very difficult to spot in this one.”
As part of his research, Hassold went through the phony application process using fake information. “It actually took me a while, maybe three to five minutes,” he says. “They are not only collecting personal information and identification information, but they went through a lot of the normal questions that you would expect to see on these applications.”
As with the legitimate TSA PreCheck renewal process, the scammer asks for payment at the end of the enrollment process, not at the beginning. But there’s a big red flag in this scam, says Hassold. “The scammer gets paid only via PayPal. It actually takes you to a PayPal page where the scammer has actually set up their own account. They don’t take credit card information, but they have all your identification information from earlier in the application.”
Hassold thinks this TSA scam is likely to be quite successful. “I look at these scams every single day, and this is one that I was on the fence asking is this actually legitimate or not?” he says. “It’s pure social engineering. I mean, it’s a full-blown, multi-step process. And I think that as you go through that, your defenses probably go down and keep going down.”
Then there’s the timing. “We know that cyber criminals take advantage of certain times during the year, like the holidays,” says Hassold. “With this, since we’re coming up on Thanksgiving and the major travel holidays, this makes perfect contextual sense.”
Registration of TSA PreCheck costs $85 for five years and online renewal costs $70. If you believe you are a victim of a scam, report it to the Federal Trade Commission.