A new report out today from phishing defense company Cofense Inc. is warning of a new phishing campaign that is exploiting immigration arrival card processes to steal personal data.

The phishing campaign is targeting travelers to Singapore by exploring a requirement by the country for visitors to file an arrival card submission online but is not limited to Singapore alone, with the same attackers said to also now be targeting people visiting Malaysia and the U.K. as well.

It has been a trend among various countries to require online arrival information or other details to enter the given country, even when passport holders can enter the given country without a visa. The U.S. has a similar system called the Electronic System for Travel Authorization going back to 2008.

In the case of Singapore, the attackers are using phishing emails that are designed to appear official to warn travelers about incomplete immigration documents and the risk of denied entry. The link in the emails leads victims to a fraudulent website that closely mimics legitimate government portals, including pre-filled forms containing stolen personal information, making them seem even more convincing.

Once on the fake site, victims provide login credentials and payment details, which are immediately exfiltrated.

“A particularly sophisticated aspect of this attack is the option to edit information on the Checkout page, which reveals prepopulated personal information about the victim,” the researchers explain. “It has been confirmed that some of the prepopulated data is legitimate.”

The researchers added that “this level of detail suggests a highly targeted approach and that the personally identifiable data may have been purchased from the dark web, thus making the attack both unique and alarming. Reports of data breaches at organizations containing relevant information such as Philippine passport data make it even more likely that the stolen information was purchased online.”

With travelers being targeted via growingly common international travel requirements, with countries such as Thailand set to implement similar requirements later this year, those traveling should exercise caution when receiving unsolicited immigration-related emails, even if they appear legitimate.

As with all emails where personal data may be involved, best practices include verifying URLs manually, avoiding clicking links in emails and ensuring that sensitive transactions are conducted only through official government websites. As phishing attacks become more advanced, all people should remain vigilant to avoid falling victim to these increasingly targeted threats.

Image: SiliconANGLE/Ideogram