Incident Snapshot

Between mid-2024 and spring 2025, Avianca faced three distinct but overlapping waves of phishing activity:

Malicious social media ads (July 2024 → January 2025).
Attackers purchased ads on Instagram and Facebook that perfectly mimicked Avianca’s “flash sale” graphics. Victims who clicked the ads were directed to deceptively similar domains where their credit card data and Life Miles credentials were collected.

"Holiday Refund" email fraud (November 2024 → February 2025).
Messages with subjects like “Tax receipt” or “Refund confirmation” promised fee reimbursements. Links opened a cloned Avianca login page hosted on a compromised WordPress site, stealing passwords and session cookies. Avianca issued a public fraud alert on November 26, 2024.

Blind Eagle spear-phishing (February → March 2025).
The Colombian APT group targeted transport-related entities, sending carefully crafted messages to Avianca staff and elite Life Miles members. The malicious .URL file exploited CVE-2024-43451 (an NTLM leak bug patched just days earlier) to deploy AsyncRAT and Quasar implants.

Tactics, Techniques, and Procedures (MITRE ATT&CK)

  • Reconnaissance / lure creation – OSINT on popular flight deal hashtags; cloning Avianca’s CSS and imagery.

  • Initial access – malicious ads and spoofed booking portals; spear-phish with weaponized attachments.

  • Credential harvesting – web-form skimmers and real-time proxy pages; NTLM hash exfiltration via WebDAV.

  • Execution and persistence – AsyncRAT/Quasar deployed with auto-start registry keys.

  • Privilege escalation and lateral movement – compromised help desk accounts used to abuse ticketing portal.

  • Monetization – resale of “discounted” tickets and illicit transfers of loyalty points.

Business Impact

  • Customer consequences. Around 48,000 travelers landed on fake sites during the 2024 peak; issuers later flagged approximately 4,400 payment cards for fraudulent reimbursements.

  • Operational disruption. The Blind Eagle intrusion forced a 36-hour reset of all call center agent passwords and temporarily shut down Life Miles redemption self-service.

  • Regulatory attention. The Colombian Society of Informatics and Communications (SIC) opened a data handling investigation following a surge in claims in January 2025.

Estimated Financial Exposure

  • Refunds and involuntary reimbursements (2024): ≈ USD $3.2 million

  • Chargebacks and involuntary reimbursements (Q1 2025): ≈ USD $0.9 million

  • Incident response and forensics (2024): ≈ USD $0.6 million

  • Incident response and forensics (Q1 2025): ≈ USD $1.1 million

  • PR / customer service credits (2024): ≈ USD $0.4 million

  • PR / customer service credits (Q1 2025): ≈ USD $0.15 million

  • Total direct loss over 18-month period: USD $6.3 million (not including long-term brand repair).

Lessons Learned and Defensive Takeaways

  • Verify paid social campaigns. Adopt BIMI badges, DMARC, and Meta-Verified Business to make clones stand out quickly.

  • Institutionalize “safe shopping” communication. The November 2024 fraud bulletin cut malicious click volume by one-third—schedule similar alerts every high season.

  • Harden NTLM and legacy protocols. Block outbound SMB/RPC when unnecessary and disable auto-handling of .URL and .SCF files via group policy.

  • Treat loyalty points like cash. Combine real-time booking signals, device fingerprints, and IP reputation to detect anomalous Life Miles transactions.

  • Reinforce third-party access controls. A single compromised vendor account forced Avianca to shut down its check-in API—proof the vendor ecosystem is now part of the attack surface.
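The "treat loyalty points like cash" takeaway, worked as an added example that is not part of the report: a small risk scorer that combines device-fingerprint novelty, IP reputation and point-velocity signals for a loyalty transaction. The event schema, the reputation feed, the thresholds and the sample events are all constructed assumptions, not Avianca data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    member: str
    ts: datetime
    kind: str      # "login", "transfer" or "redeem"
    device: str    # device fingerprint hash (constructed values below)
    ip: str
    points: int = 0

# Constructed reputation feed: 0.0 = clean, 1.0 = known anonymizing proxy / abuse source
IP_REPUTATION = {"203.0.113.7": 0.9, "198.51.100.5": 0.05}

def score_transaction(history, txn, known_device_age=timedelta(days=30),
                      velocity_window=timedelta(hours=1), velocity_limit=20000):
    """Risk score in [0, 1] for txn given the member's prior events; returns (score, reasons)."""
    # Signal 1: a device fingerprint is trusted only once it has been on the account for known_device_age
    trusted = {e.device for e in history if txn.ts - e.ts >= known_device_age}
    # Signal 2: reputation of the source IP (constructed feed above)
    rep = IP_REPUTATION.get(txn.ip, 0.0)
    # Signal 3: points that already left the account inside the velocity window
    recent = sum(e.points for e in history
                 if e.kind in ("transfer", "redeem") and txn.ts - e.ts <= velocity_window)
    checks = [
        (txn.device not in trusted, 0.4, "new device fingerprint"),
        (rep >= 0.5, 0.3, f"ip reputation {rep}"),
        (recent + txn.points > velocity_limit, 0.3, "point velocity"),
    ]
    score = min(sum(w for hit, w, _ in checks if hit), 1.0)
    return score, [r for hit, _, r in checks if hit]

# Constructed sample: long-standing member, then a session-hijack style transfer from a new device and IP
T0 = datetime(2025, 1, 10, 9, 0)
HISTORY = [
    Event("LM-001", T0 - timedelta(days=200), "login", "dev-a1", "198.51.100.5"),
    Event("LM-001", T0 - timedelta(days=90), "redeem", "dev-a1", "198.51.100.5", 5000),
    Event("LM-001", T0 - timedelta(minutes=10), "login", "dev-zz", "203.0.113.7"),
    Event("LM-001", T0 - timedelta(minutes=5), "transfer", "dev-zz", "203.0.113.7", 15000),
]
SUSPECT = Event("LM-001", T0, "transfer", "dev-zz", "203.0.113.7", 15000)
BENIGN = Event("LM-001", T0, "redeem", "dev-a1", "198.51.100.5", 3000)

if __name__ == "__main__":
    for txn in (SUSPECT, BENIGN):
        print(txn.kind, score_transaction(HISTORY, txn))
```

A score of 1.0 with all three reasons would route the transfer to step-up verification or a hold; the benign redemption from a long-trusted device scores 0.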

Conclusion

Over eighteen months, Avianca’s experience illustrated a rapid escalation: what began as low-effort social media fraud evolved into an APT-style intrusion attempt. The story reflects a broader Latin American trend: criminal groups iterate quickly, shifting from mass fraud to targeted corporate intrusion as soon as basic spoofing stops paying off.

Airlines and other travel brands should assume their logos are already being misused somewhere online. Early investment in digital trust programs—brand monitoring, aggressive domain takedowns, advertising platform allowlisting, and strong email authentication—offers the best hope of neutralizing threats before they climb the phishing ladder and land in the company’s back office.
