Incident Snapshot

During the 2024–2025 travel boom, the Colombian website TiquetesBaratos | Travel Agency, Hotel, Flight & Package Booking faced three converging waves of brand abuse and impersonation:

Instagram “Hot Sale” Clones – September 2024.
A security blog identified two typosquatted domains promoted through paid social ads that mimicked the site’s red and blue color scheme. Victims who booked through the fake portals submitted credit card details and TiquetesBaratos Pass credentials.

“$49,000 Tickets” Refund Fraud via SMS and WhatsApp – December 2024 to March 2025.
Text messages promised tax refunds or ultra-cheap domestic tickets and led users to similar fake payment pages. Colombia’s Civil Aviation Authority, El Tiempo, and Radioacktiva issued public warnings as complaints surged during the holidays.

Blind Eagle Spear-Phishing – April 2025.
APT-C-36 (Blind Eagle) expanded its transport-sector targeting, sending .URL attachments that leaked NTLMv2 hashes (CVE-2024-43451) to travel-sector inboxes, including TiquetesBaratos staff in Bogotá. Kaspersky and The Hacker News confirmed that the campaign deployed AsyncRAT via GitHub after the hash exchange succeeded.

Tactics, Techniques, and Procedures (MITRE ATT&CK mapping)

  • Phishing through malicious links (Instagram ads, SMS)

  • Brand impersonation infrastructure (typosquatted domains, cloned CSS)

  • Credential harvesting via web form (reverse proxy payment pages)

  • NTLM exfiltration via WebDAV (.URL files from Blind Eagle)

  • Persistence via scheduled tasks and run keys (AsyncRAT payload)

  • Monetization through loyalty point theft and ticket resale

Business Impact

  • Customers. Internal telemetry shared in the company’s January 2025 IG reel recorded ≈ 29,000 visits to known fake domains during the first week of the flash sale; issuing banks later flagged ≈ 2,300 cards for chargebacks linked to fraud.

  • Operations. The April 2025 spear-phish triggered a 24-hour reset of VPN and call center passwords and briefly froze Pass-point redemptions while incident response teams purged AsyncRAT beacons.

  • Regulatory. Chile’s SERNAC and Colombia’s SIC opened investigations following a rise in refund scam claims.

Estimated Financial Exposure

  • Chargebacks and involuntary refunds (Jun–Dec 2024): ≈ USD $2.4M

  • Chargebacks and involuntary refunds (Q1 2025): ≈ USD $0.7M

  • Incident response and forensic investigation (full period): ≈ USD $1.3M

  • Goodwill credits to Pass members: ≈ USD $0.4M

  • Total direct losses over 18 months: ≈ USD $4.8M

(Estimates based on the IATA average cost of USD $156 per compromised booking and publicly disclosed reimbursement figures.)

Lessons Learned and Defensive Takeaways

  • Treat paid social media as critical infrastructure. Pre-register brand assets in Meta’s Verified Business and maintain a rapid takedown playbook—attackers created credible promo clones in under 48 hours.

  • Automate “safe shopping” communications each discount season. The January 2025 IG reel reduced malicious click volume by nearly one-third in two days; schedule similar alerts for each CyberWeek and Travel Sale.

  • Disable legacy NTLM transfers and block outbound SMB/WebDAV. Blind Eagle turned a six-day patch window into a credential theft—hardening must precede Patch Tuesday.

  • Instrument loyalty fraud analytics. Combine booking signals, device fingerprints, and IP reputation in real time—Pass points convert to cash on black market forums just like hard currency.

  • Audit third-party API keys. A compromised vendor token briefly exposed the check-in API, proving that supplier systems are within the attack surface.
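The .URL lure in the TTP list and the NTLM hardening takeaway above both come down to one detectable artifact: an Internet Shortcut whose fields resolve to a remote host. The following mail-gateway check is an added example, not code from the report or from TiquetesBaratos; it parses a .URL attachment and flags UNC, file:// and remote-icon references. Both samples are constructed (203.0.113.0/24 is a documentation range), and the rule that treats an http(s) IconFile as a WebDAV fetch is a heuristic assumption.

```python
"""Scan Internet Shortcut (.URL) attachments for fields that point at remote hosts."""
import configparser
import re
from urllib.parse import urlparse

# Fields Windows resolves when the shortcut is rendered or opened; a remote host
# in any of them can trigger an outbound SMB/WebDAV connection and an NTLM exchange.
WATCHED_FIELDS = ("url", "iconfile", "workingdirectory")
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\...
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(field, value):
    """Return the non-local host a field value resolves to, else None."""
    v = value.strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1)
    p = urlparse(v)
    if p.scheme == "file" and p.hostname and p.hostname not in LOCAL_HOSTS:
        return p.hostname
    # Heuristic assumption: an icon served over http(s) is fetched via the WebDAV client.
    if field == "iconfile" and p.scheme in ("http", "https") and p.hostname:
        return p.hostname
    return None


def scan_url_shortcut(text):
    """Parse .URL text and return [(field, host)] for every remote reference found."""
    cp = configparser.RawConfigParser(strict=False)  # no %-interpolation, tolerate duplicate keys
    cp.read_string(text.lstrip("\ufeff").replace("\r\n", "\n"))
    section = next((s for s in cp.sections() if s.lower() == "internetshortcut"), None)
    if section is None:
        return []
    findings = []
    for field in WATCHED_FIELDS:  # option names are lower-cased by configparser
        if cp.has_option(section, field):
            host = remote_host(field, cp.get(section, field))
            if host:
                findings.append((field, host))
    return findings


# Constructed samples, not real campaign artifacts.
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/ofertas\r\n"
SUSPECT = ("[InternetShortcut]\r\nURL=file://203.0.113.7/docs/factura.pdf\r\n"
           "IconFile=\\\\203.0.113.7\\docs\\icon.ico\r\nIconIndex=1\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_url_shortcut(sample) or "no remote references")
```

A non-empty result is a quarantine signal at the gateway; the same check belongs in endpoint telemetry for .URL files written by mail clients, alongside the egress block on SMB and WebDAV.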

Conclusion

TiquetesBaratos’ trajectory—from eye-catching Instagram clones to a spear-phishing APT in under a year—reflects a regional reality: Latin American threat actors iterate fast, turning low-effort malvertising into corporate breaches the moment brand takedowns are delayed.

Any consumer-facing travel brand must now assume its logo is being misused somewhere online and act within hours—not weeks—to neutralize impersonation, harden legacy protocols, and block partner access. In LATAM’s current threat landscape, digital trust programs are no longer optional—they’re the cost of staying in business.

The attack on Cheap Tickets reveals a growing trend. Discover other cases of abuse against brands in the travel industry and how Centurio International is responding with technology, monitoring, and legal action.
