Missing DMARC Records Increase the Possibility of Phishing Campaigns Against Akasa Air
September 2, 2022
Transport & Logistics
Summary
User PII was compromised due to an unauthorized information disclosure vulnerability on the registration page of Akasa Air.
No DMARC records are available for the domain.
Impact
Phishing attacks against affected users.
Malicious actors will be equipped with details required to launch sophisticated ransomware attacks.
Mitigation
Implement a strong password policy and enable MFA.
Publish DMARC records.
Patch vulnerable and exploitable endpoints.
On 07 August 2022, Ashutosh Barot discovered an unauthorized information disclosure vulnerability that allowed threat actors to access customer data on the registration page of Akasa Air (akasaair[.]com).
Akasa Air, a brand of SNV Aviation Private Limited, is an Indian low-cost airline headquartered in Mumbai, Maharashtra, India.
Customer PII such as name, email, phone number, and gender was revealed.
The registration page of Akasa Air allowed users to sign up by providing their name, email, phone number, and gender.
After creating a profile and logging in, an HTTP response captured in Burp Suite revealed all of the populated PII in JSON format.
Upon changing a few parameters in the Burp request, the website revealed the PII of other Akasa Air customers.
Although the airline company fixed the issue within two weeks, threat actors might have exploited it and shared the data on cybercrime forums.
Missing DMARC Records
Upon further investigation, CloudSEK’s Threat Intelligence Research team discovered that the DMARC records were missing for the akasaair[.]com domain.
DMARC records are DNS text (TXT) records that tell receiving mail servers how to handle emails whose "from" domain is not aligned with a passing SPF or DKIM check.
By default, SMTP has no protection against forged "from" addresses.
Thus, domains with missing DMARC records can be misused by threat actors in phishing campaigns: they can send fake emails with the exact domain in the "from" field, and receiving servers have no published policy telling them to quarantine or reject such mail.
Multiple domains such as those mentioned below could be abused in the future to impersonate Akasa Air.
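To make the distinction above concrete, the following is an added example (not part of the original advisory or CloudSEK's tooling) that classifies a domain's DMARC posture from the TXT records a resolver would return for `_dmarc.<domain>`. The lookups are constructed in-line so it runs offline; the tag handling follows RFC 7489, including the case where a record lacks a `p` tag.

```python
"""Classify a domain's DMARC posture from the TXT records at _dmarc.<domain>.

Added example. The lookups below are constructed sample data, not real DNS answers.
"""
from typing import Optional

# Constructed sample: what a resolver might return for _dmarc.<domain>.
SAMPLE_LOOKUPS = {
    "missing.example": [],                                    # no TXT record at all
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "strict.example":  ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strict.example"],
    "broken.example":  ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
    "other.example":   ["some unrelated txt record"],         # TXT present, but not DMARC
}


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None unless it starts with v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess_dmarc(txt_records: list[str]) -> str:
    """Return one of: missing, invalid, monitor-only, quarantine, reject."""
    parsed = [r for r in (parse_dmarc(t) for t in txt_records) if r is not None]
    if not parsed:
        return "missing"       # receivers apply no policy: exact-domain spoofing is not penalised
    if len(parsed) > 1:
        return "invalid"       # RFC 7489 §6.6.3: multiple DMARC records are treated as none
    record = parsed[0]
    policy = record.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return policy
    if policy == "none":
        return "monitor-only"  # reports are sent, but forged mail is still delivered
    if "rua" in record:
        return "monitor-only"  # RFC 7489 §6.6.3: no valid p but a rua URI -> act as p=none
    return "invalid"           # no usable p tag and no reporting address: no DMARC processing


if __name__ == "__main__":
    for domain, records in SAMPLE_LOOKUPS.items():
        print(f"{domain:16} -> {assess_dmarc(records)}")
```

Only `quarantine` or `reject` actually instructs receivers to act on mail forged with the exact domain; `missing`, `invalid` and `monitor-only` all leave the domain open to the impersonation the advisory describes.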