Decoding Fake US ESTA Emails: Scam or Real Deal?

The Cofense Phishing Defense Center has reported an increase in phishing emails masquerading as communications from US Customs and Border Protection (CBP) about the Electronic System for Travel Authorization (ESTA). The emails manufacture urgency and fear to push recipients into entering personal information on a fraudulent ESTA website. They use convincing language and sender addresses that resemble CBP's, but are actually delivered through a third-party email service, so the sending infrastructure does not match the claimed sender.
Affected: US Customs and Border Protection, travel and immigration sectors

Keypoints :

  • Increase in phishing emails related to ESTA amidst immigration confusion.
  • Emails impersonate US Customs and Border Protection, creating urgency for users to apply for ESTA.
  • Emails use convincing language and subtle techniques to appear legitimate.
  • Fraudulent links redirect users to fake ESTA application portals.
  • Illegitimate site collects personal identifiable information and payment details.
  • Users are charged a fee significantly higher than the official ESTA fee.
  • Recommendations include verifying URLs and sender addresses before responding.

MITRE Techniques :

  • Phishing (T1566), specifically Spearphishing Link (T1566.002) – Users receive fraudulent emails impersonating US government senders that link to a fake ESTA portal. The fear and urgency around immigration status is the lure; ATT&CK treats that social-engineering pretext as part of the phishing technique rather than a separate entry (T1203 is Exploitation for Client Execution and does not apply here).
  • Data harvesting on the fake portal – The illegitimate ESTA site collects personally identifiable information and payment-card details typed into its forms. This is not OS Credential Dumping (T1003), which describes extracting credentials from an already-compromised host; no ATT&CK technique ID is assigned to this step.

Indicator of Compromise :

  • [URL] hXXps://a40hk[.]r[.]a[.]d[.]sendibm1[.]com/
  • [IP] 179.112.197 (listed with only three octets; incomplete as published)
  • [IP] 179.112.196 (listed with only three octets; incomplete as published)
  • [IP] 179.112.195 (listed with only three octets; incomplete as published)
  • [URL] hXXps://esta-cbp-gov[.]com/application/
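The recommendation above (verify URLs and sender addresses before responding) can be automated at the mail gateway or in a SOAR playbook. The following is an added example, not code from Cofense or from the original post: it refangs the indicators listed here, parses a constructed email modelled on the campaign description, and flags three things the report calls out: a sender domain that imitates CBP, a Return-Path on a different (third-party) domain from the From address, and body links that either mimic the official portal or point off-government. It assumes that the legitimate ESTA portal and CBP mail live under cbp.dhs.gov; the sample message, its addresses and the allowlist are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: genuine ESTA traffic and CBP mail are under cbp.dhs.gov.
OFFICIAL_SUFFIXES = ("cbp.dhs.gov",)
# Tokens that, in a non-government host, suggest a lookalike of the real portal.
LOOKALIKE_TOKENS = ("esta", "cbp", "dhs", "gov")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXps://x[.]com) back into a usable URL string."""
    return ioc.replace("hXXp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_official(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def looks_like_impersonation(host: str) -> bool:
    """Non-official host whose labels contain government-looking tokens, e.g. esta-cbp-gov.com."""
    if is_official(host):
        return False
    labels = re.split(r"[.-]", host)
    return any(tok in labels for tok in LOOKALIKE_TOKENS)


def body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def triage(raw_email: str) -> dict:
    """Apply the report's checks to one RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()

    if from_domain and looks_like_impersonation(from_domain):
        findings.append(f"sender domain imitates CBP: {from_domain}")
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain} (third-party mailer)")

    lookalike, external = set(), set()
    for url in URL_RE.findall(body_text(msg)):
        host = host_of(url)
        if not host or is_official(host):
            continue
        (lookalike if looks_like_impersonation(host) else external).add(host)
    if lookalike:
        findings.append("links to lookalike ESTA hosts: " + ", ".join(sorted(lookalike)))
    if external:
        findings.append("links to non-government hosts: " + ", ".join(sorted(external)))

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "lookalike_hosts": sorted(lookalike),
        "external_hosts": sorted(external),
        "findings": findings,
        "verdict": "suspicious" if findings else "no indicators",
    }


# Constructed sample message for this example; the two URLs are the refanged IOCs from the report,
# the From/Return-Path addresses are invented to match the campaign description.
SAMPLE_EMAIL = f"""From: "U.S. Customs and Border Protection" <esta@esta-cbp-gov.com>
Return-Path: <bounce@sendibm1.com>
Subject: Action required: ESTA approval needed before travel
Content-Type: text/plain; charset=utf-8

Our records show no valid ESTA for your upcoming travel. Apply now to avoid denied boarding:
{refang("hXXps://a40hk[.]r[.]a[.]d[.]sendibm1[.]com/")}
Application portal: {refang("hXXps://esta-cbp-gov[.]com/application/")}
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The allowlist check is exact-suffix on the registrable government domain, so esta.cbp.dhs.gov passes while esta-cbp-gov.com and any host that merely contains those tokens does not; tune OFFICIAL_SUFFIXES and LOOKALIKE_TOKENS to the brands your users are actually being phished with.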


Full Story: https://cofense.com/blog/decoding-fake-us-esta-emails-scam-or-real-deal