Incident Snapshot

Over the past eighteen months, LATAM Airlines Group has weathered three interconnected waves of brand abuse and phishing:

Flash-sale spoofing on social media (June 2024 → January 2025).
Criminals purchased Facebook/Instagram ads copying LATAM’s Travel Sale graphics and promising “70% off” fares. Links directed users to cloned booking sites hosted on Eastern European VPS providers. LATAM issued a public warning following a spike in consumer complaints on June 19, 2024.

Refund-invoice email fraud (August 2024 → February 2025).
Messages titled “Refund Confirmation” or “LATAM e-Invoice” urged passengers to “confirm bank details” to release a payment. The embedded form collected card numbers and LATAM Pass credentials; complaints on TripAdvisor and FlyerTalk showed dozens of victims by the end of the 2024 holiday season.

Blind Eagle spear-phishing against corporate staff (March → April 2025).
The Colombian APT group C-36 (“Blind Eagle”) focused on aviation, sending emails with a .URL file that leaked NTLMv2 hashes (CVE-2024-43451) before launching AsyncRAT. Transport entities—including LATAM’s Santiago headquarters—were flagged in Kaspersky and Check Point reports.

Tactics, Techniques, and Procedures (MITRE ATT&CK highlights)

  • Reconnaissance and lure design – tracking hashtags around “Travel Sale,” reusing LATAM’s CSS and color palette.

  • Initial access – paid social redirects to phishing portals; spear-phish with .URL attachments stealing NTLM.

  • Credential theft – real-time reverse proxy kits on fake booking pages.

  • Execution / persistence – AsyncRAT with registry run keys and hidden scheduled tasks.

  • Lateral movement – pivoting through compromised help desk accounts to the ticketing API.

  • Monetization – resale of fake “promotional” tickets and mass transfer of LATAM Pass points to mule accounts.

Business Impact

  • Customers. Internal telemetry (press release, October 2024) cited around 36,000 unique visitors to fake domains during the first week of the flash sale; at least 3,100 payment cards were later flagged for fraudulent reimbursements by issuing banks.

  • Operations. The Blind Eagle intrusion forced a two-day reset of call center and airport agent access passwords, and temporarily froze LATAM Pass self-service redemptions.

  • Regulatory. The Colombian Superintendence of Industry and Commerce opened a data handling investigation after consumer groups filed complaints in January 2025.

Estimated Financial Risk*

  • Chargebacks and involuntary reimbursements (Jun–Dec 2024): ≈ USD $2.9 million

  • Chargebacks and involuntary reimbursements (Q1 2025): ≈ USD $0.8 million

  • Incident response and forensics: ≈ USD $1.6 million (overtime, IR retainer, SMS password reset campaign)

  • PR / goodwill credits to LATAM Pass members: ≈ USD $0.5 million

  • Total direct losses over 18 months: USD $5.8 million

*Estimates combine published reimbursement figures with fraud references from the IATA Fraud Prevention Working Group.

Lessons Learned and Defensive Takeaways

  • Treat paid social media as a critical channel. LATAM pre-registered creative assets in Meta’s “Verified Business” program to streamline takedowns of similar ads.

  • Send “safe shopping” messages during travel sales. A single June 2024 newsletter cut malicious click volume by one-third; add seasonal alerts to the marketing calendar.

  • Disable legacy NTLM transfers. Block outbound SMB/WebDAV where possible and neutralize automatic handling of .URL and .SCF files through group policies.

  • Instrument loyalty fraud analytics. Ticket purchase signals, device fingerprints, and IP reputation should feed a near real-time model: LATAM Pass balances are equivalent to cash.

  • Audit third-party API keys. Compromised vendor credentials briefly exposed the check-in API, showing that vendor systems are now part of the attack surface.
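As a companion to the .URL takeaway above, the following added example (not part of the original report) parses Internet Shortcut files at a mail gateway or on an endpoint and flags fields that point at a remote UNC or WebDAV path, the kind of reference that makes Windows attempt an outbound authenticated connection. The sample shortcuts, host names and the `remote_targets` helper are constructed for illustration.

```python
import configparser
import re

# Constructed sample shortcuts (documentation addresses, not real indicators).
SAMPLE_LURE = r"""
[InternetShortcut]
URL=file://198.51.100.7/share/itinerary.pdf
IconFile=\\files.example.net@80\dav\icon.ico
IconIndex=0
"""
SAMPLE_BENIGN = r"""
[InternetShortcut]
URL=https://www.example.com/travel-sale
IconFile=C:\Windows\System32\shell32.dll
"""

# Shortcut fields whose value Windows may resolve as a path.
PATH_FIELDS = ("url", "iconfile", "workingdirectory")
# \\host\share, \\host@80\share, \\host@SSL\share, //host/share, file://host/share
REMOTE = re.compile(r"^(?:\\\\|//|file://)([^\\/@\s]+)(@[^\\/\s]+)?[\\/]", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1", ".", "?"}


def remote_targets(url_file_text):
    """Return (field, host, transport) for each field that points off-host."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(url_file_text)
    findings = []
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for field in PATH_FIELDS:
            match = REMOTE.match(parser.get(section, field, fallback="").strip())
            if not match or match.group(1).lower() in LOCAL_HOSTS:
                continue
            # An @port or @SSL suffix on the host selects WebDAV instead of SMB.
            transport = "webdav" if match.group(2) else "unc"
            findings.append((field, match.group(1), transport))
    return findings


if __name__ == "__main__":
    for name, text in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, remote_targets(text))
```

Any non-empty result is a reason to quarantine the attachment; ordinary https shortcuts and local icon paths return an empty list.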

Conclusion

LATAM’s experience shows how basic discount scams can evolve into nation-scale intrusions in under a year. What begins as a fake Facebook ad quickly becomes a credential harvesting email kit and a targeted APT-style phishing attack on corporate staff.

For airlines—and any travel brand—the mandate is clear: assume your logo is already being abused online, and act in hours, not weeks, to stop it. Continuous brand monitoring, aggressive ad platform allowlisting, strict email authentication (SPF, DKIM, DMARC), and loyalty fraud detection are no longer optional add-ons; they are the cost of doing business in Latin America’s rapidly evolving threat landscape.

LATAM Airlines was no exception. Discover how this pattern of fraud is repeated across different companies in the sector, and what Centurio International is doing to contain its spread and protect victims.
