Incident Snapshot
Over the past eighteen months, JetSmart has faced three overlapping waves of brand abuse and phishing:
Flash-sale malvertising (June 2024 → January 2025).
Paid Facebook and Instagram ads copied JetSmart’s “70% off” creatives and redirected travelers to typo-squatted domains like jetsmart-ofertas[.]shop, where credit card data and JetSmart Pass credentials were harvested. Colombian threat watchers on X first flagged the campaign in October 2024, noting that the ads also impersonated Avianca and LATAM. JetSmart’s own social media team in Colombia responded with posts warning customers to ignore “fake profiles and scams” and to verify promotions came from @jetsmart.com.
“Fee Refund” email scam (September 2024 → February 2025).
Thousands of passengers received emails claiming they were owed tax refunds on previous bookings. The link opened a cloned JetSmart payment page hosted on a compromised Joomla site; victims who entered card details saw charges from a payment service provider (PSP) based in Dubai within hours. Dozens of losses were documented on TripAdvisor’s Chile Forum and in a long Reddit thread.
Blind Eagle spear-phishing (March → April 2025).
The Colombian APT group APT-C-36 (“Blind Eagle”) shifted from finance to transport, emailing JetSmart corporate staff malicious .URL files that exploited the NTLM hash-disclosure flaw CVE-2024-43451, six days after Microsoft released the patch. The same wave staged AsyncRAT payloads on GitHub and Bitbucket, according to Check Point and The Hacker News.
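Lookalike domains such as the one used in the flash-sale wave can be caught as soon as they show up in a certificate-transparency or newly-registered-domain feed. The PowerShell below is an added example, not part of this report and not JetSmart's or Centurio's tooling: it scores each domain against a brand label using four signals (exact brand label on an unlisted TLD, digit-for-letter substitution, brand embedded in the registrable label, and edit distance of at most two), plus a check for the brand appearing as a subdomain of an unrelated domain. The allow-list, the feed and the brand value are assumptions constructed for the demonstration; the registrable-label logic is deliberately crude and only special-cases common two-part suffixes.

```powershell
# Added example (not JetSmart's or the report authors' code): score domains from a
# CT-log or new-registration feed for brand impersonation and emit only the hits.

function Get-EditDistance {
    # Levenshtein distance between two strings, case-insensitive
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = [int[]]::new($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Get-CoreLabel {
    # Crude registrable label: strips a one-part suffix, or a two-part suffix such
    # as .com.co / .com.ar / .gov.cl. A real deployment would use the Public Suffix List.
    param([string]$Domain)
    $labels  = $Domain.Split('.')
    $twoPart = @('com', 'co', 'net', 'org', 'gov', 'edu', 'mil')
    if ($labels.Count -ge 3 -and $twoPart -contains $labels[-2]) { return $labels[-3] }
    if ($labels.Count -ge 2) { return $labels[-2] }
    return $labels[0]
}

function Test-LookalikeDomain {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Domain,
        [string]$Brand = 'jetsmart',                      # assumed brand label
        [string[]]$Allowed = @('jetsmart.com')            # assumed list of legitimate domains
    )
    process {
        $d = $Domain.ToLowerInvariant().Trim().TrimEnd('.')
        if ($Allowed -contains $d) { return }
        $labels = $d.Split('.')
        $core   = Get-CoreLabel $d
        # Undo punctuation and the usual digit-for-letter swaps before comparing
        $normalized = ($core -replace '[-_]', '') -replace '0', 'o' -replace '1', 'l' -replace '3', 'e' -replace '5', 's' -replace '4', 'a'
        $reasons = @()
        if     ($core -eq $Brand)               { $reasons += "exact brand label on unlisted TLD .$($labels[-1])" }
        elseif ($normalized -eq $Brand)         { $reasons += "brand with digit/punctuation substitution ($core)" }
        elseif ($normalized -like "*$Brand*")   { $reasons += "brand embedded in registrable label ($core)" }
        else {
            $dist = Get-EditDistance $normalized $Brand
            if ($dist -le 2) { $reasons += "edit distance $dist from brand ($core)" }
        }
        # Brand used as a subdomain of an unrelated registrable domain
        $subLabels = @($labels | Select-Object -SkipLast 1 | Where-Object { $_ -ne $core })
        if ($subLabels -contains $Brand) { $reasons += 'brand used as a subdomain of an unrelated domain' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Domain = $d; Label = $core; Reason = ($reasons -join '; ') }
        }
    }
}

# --- Constructed feed for the demonstration; only jetsmart.com is a real, legitimate domain ---
$feed = @(
    'jetsmart.com',                 # legitimate, allow-listed: no output
    'jetsmart-ofertas.shop',        # the pattern named in the report: embedded brand
    'jetsmrat.com.co',              # transposition under a two-part suffix: edit distance 2
    'j3tsmart-promo.xyz',           # digit swap hidden inside an embedded brand
    'jetsmart.pass-login.online',   # brand as subdomain of an unrelated domain
    'smartjet.io',                  # unrelated: no output expected
    'example.org'                   # unrelated: no output expected
)
$feed | Test-LookalikeDomain | Format-Table -AutoSize
```

In production the `$feed` array is replaced by lines read from the feed, and hits go straight into the takedown queue with the reason attached so the registrar or hosting abuse desk gets the evidence in the first message.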
Tactics, Techniques, and Procedures (MITRE ATT&CK)
- Lure crafting and delivery – cloned paid social ads and phishing links; spear-phishing with weaponized .URL files.
- Credential capture – reverse-proxy (adversary-in-the-middle) clones of the booking portal and page skimmers; NTLM hash leakage via forced outbound WebDAV requests.
- Execution and persistence – AsyncRAT / Quasar installed with registry Run keys and scheduled tasks.
- Lateral movement and abuse – compromised help-desk accounts used to manipulate the ticketing API.
- Monetization – resale of fake “promotional” tickets and mass transfer of JetSmart Pass points.
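The .URL lure in the list above is straightforward to hunt for in mailboxes, file shares and endpoints. The PowerShell below is an added example and not code from this report, JetSmart or Check Point: it parses Internet Shortcut files and flags any whose URL, IconFile or WorkingDirectory value refers to a UNC path, a remote file:// URI or an HTTP icon, because Explorer resolves those references over SMB or WebDAV and will negotiate NTLM with whichever host answers. The two sample files and the 203.0.113.10 address are constructed for the demonstration and are not indicators from the campaign.

```powershell
# Added example (not the report's, JetSmart's or Check Point's code): flag .URL
# shortcuts that reference a remote host and would therefore trigger an outbound
# SMB/WebDAV request carrying an NTLM authentication attempt.

function Test-SuspiciousUrlShortcut {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        # .URL files are INI-style text; only the keys that name a location matter here
        $lines   = Get-Content -LiteralPath $Path -ErrorAction Stop
        $reasons = @()
        foreach ($line in $lines) {
            if ($line -notmatch '^\s*(URL|IconFile|WorkingDirectory)\s*=\s*(.+?)\s*$') { continue }
            $key   = $Matches[1]
            $value = $Matches[2]
            if ($value -match '^\\\\[^\\]+\\') {
                $reasons += "$key is a UNC path: $value"                 # \\host\share -> SMB, WebDAV fallback
            }
            elseif ($value -match '^file://(?!/?[A-Za-z]:)') {
                $reasons += "$key is a remote file:// URI: $value"       # file://host/... -> same providers
            }
            elseif ($key -eq 'IconFile' -and $value -match '^https?://') {
                $reasons += "icon fetched over HTTP/WebDAV: $value"      # rendered without any click
            }
            elseif ($value -match '@SSL@|@\d+') {
                $reasons += "$key uses WebDAV host syntax: $value"       # host@80, host@SSL@443
            }
        }
        [pscustomobject]@{
            Path       = $Path
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = $reasons
        }
    }
}

# --- Constructed samples for the demonstration (203.0.113.0/24 is documentation space) ---
$sample = Join-Path ([IO.Path]::GetTempPath()) 'url-hunt-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null

@"
[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"@ | Set-Content -LiteralPath (Join-Path $sample 'benign.url')

@"
[InternetShortcut]
URL=file://203.0.113.10@80/share/invoice.pdf
IconFile=\\203.0.113.10\share\icon.ico
IconIndex=1
"@ | Set-Content -LiteralPath (Join-Path $sample 'lure.url')

# Demo run over the two samples; on a real host point Get-ChildItem at user
# profiles, mail export folders or a quarantine share instead of $sample.
Get-ChildItem -LiteralPath $sample -Filter *.url -Recurse |
    Select-Object -ExpandProperty FullName |
    Test-SuspiciousUrlShortcut |
    Where-Object Suspicious |
    Format-List
```

Only lure.url is reported, with both the remote file:// URL and the UNC icon path listed as reasons; a benign shortcut to an https:// site with a local icon produces nothing. The same parser can run at the mail gateway on detached attachments, which is where the lure is cheapest to stop.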
Business Impact
- Customers. JetSmart SOC telemetry (cited in a public Instagram post, January 2025) logged ≈ 29,000 unique visits to known fake domains in the first week of the flash sale; ≈ 2,300 cards were later flagged by Chilean banks for fraudulent chargebacks.
- Operations. The Blind Eagle intrusion forced a 24-hour rotation of VPN and call-center passwords and temporarily froze JetSmart Pass self-service redemptions.
- Regulatory. Chile’s CSIRT and SERNAC opened investigations following a spike in refund-scam complaints in January 2025.
Estimated Financial Exposure
- Chargebacks and involuntary refunds (Jun–Dec 2024): ≈ USD 2.4 million
- Chargebacks and involuntary refunds (Q1 2025): ≈ USD 0.7 million
- Incident response and forensics (entire period): ≈ USD 1.3 million
- PR / goodwill credits to JetSmart Pass members: ≈ USD 0.4 million
- Total direct losses over the 18-month period: ≈ USD 4.8 million
(Estimates derived from publicly disclosed refund figures, local media reports, and the IATA average cost per compromised booking.)
Lessons Learned and Defensive Takeaways
- Treat paid social media as critical infrastructure. Pre-register creative assets in Meta’s “Verified Business” program and prepare rapid takedown playbooks: attackers iterate promo clones within hours.
- Automate “safe shopping” communications each discount season. JetSmart’s January 2025 reel reduced malicious click volume by nearly one-third in 48 hours; schedule similar alerts for every CyberWeek and Travel Sale.
- Restrict outgoing NTLM and block outbound SMB/WebDAV. The CVE-2024-43451 episode shows that LATAM patch-to-exploit windows are now under one week, too short to rely on patching alone against a hash-leak lure.
- Instrument loyalty-fraud analytics. Combine booking signals, device fingerprints, and IP reputation in near real time: JetSmart Pass points convert to cash on black-market forums as readily as hard currency.
- Audit third-party API keys. Compromised vendor credentials briefly exposed the check-in API, showing that vendor systems are directly part of the attack surface.
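The NTLM/SMB/WebDAV takeaway above maps to a handful of host settings on Windows clients. The PowerShell below is an added example, not JetSmart's own configuration and not something the report prescribes beyond that bullet: the server names are placeholders, the audit-then-deny sequence is the assumed rollout order, and the "Internet" address keyword relies on the host's network-location information to keep domain file servers reachable. Run it elevated on a pilot group first, since legacy NAS, printers and some VPN clients still depend on NTLM or SMB.

```powershell
# Added example (not JetSmart's configuration): restrict outgoing NTLM, block
# outbound SMB to non-intranet hosts, and disable the WebDAV redirector so a
# poisoned .URL or UNC reference cannot carry NTLM credentials to an attacker.
# Run in an elevated PowerShell; values mirror the GPO
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Audit first (1 = audit all). Event ID 8001 in Microsoft-Windows-NTLM/Operational
#    then lists every outgoing NTLM attempt; switch to 2 (deny all) once the
#    legitimate targets are in the allow-list below.
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Internal servers that must keep NTLM while Kerberos is sorted out (placeholder names)
Set-ItemProperty -Path $lsa -Name 'ClientAllowedNTLMServers' -Type MultiString `
    -Value @('nas01.corp.example', 'print01.corp.example')

# 2. Block SMB (445) and NetBIOS session (139) to anything the firewall does not
#    classify as intranet. Block rules win over allow rules, so internal shares are
#    unaffected only because the "Internet" keyword excludes intranet ranges.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445, 139 `
    -RemoteAddress Internet -Action Block -Profile Any | Out-Null

# 3. Disable the WebClient (WebDAV redirector): when SMB is blocked, the UNC
#    provider falls back to WebDAV over 80/443, which also negotiates NTLM.
#    Skip on hosts that need SharePoint "Open with Explorer".
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled -ErrorAction SilentlyContinue

# 4. Verify the three controls
Get-ItemProperty -Path $lsa | Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers
Get-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' | Get-NetFirewallPortFilter
(Get-Service -Name WebClient).StartType
```

After the audit period, set RestrictSendingNTLMTraffic to 2 and watch Event ID 8001 for anything that breaks; each such entry is either a server to add to the allow-list or, more usefully, a Kerberos misconfiguration to fix.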
Conclusion
JetSmart’s trajectory, from eye-catching social media fraud to a full-fledged APT phishing operation in under a year, reflects a broader Latin American reality: criminal groups scale fast, turning low-cost malvertising into targeted corporate breaches the moment brand-takedown responses lag.
Airlines, and any consumer-facing brand in the region, must assume their logo is already being misused somewhere online and act within hours, not weeks, to neutralize impersonation, harden legacy protocols, and lock down partner access. In Latin America’s fast-moving threat landscape, digital trust programs are no longer optional; they are the cost of staying airborne.
JetSMART was just one of several targets. Explore how these scams operate across different airlines and learn how Centurio International is tracking down fake domains and dismantling phishing networks across the region.
Fill out the form to download the full report for FREE.