The elusive and wildly popular Burning Man Festival, a weeklong community and art celebration held annually in the Nevada desert, launches its official ticket sales on 26 February. However, Kaspersky experts have uncovered a phishing website dedicated to Burning Man that has been actively selling fake tickets since the end of January for just $225, about half the price of the cheapest Burning Man tickets officially available.
Phishing, a type of cyberattack aimed at acquiring sensitive data by posing as legitimate organizations, is one of the most popular types of attacks launched by cybercriminals to collect data that can be used to access victims’ financial accounts. In Q4 2019, 52.61% of all phishing attacks were attempts to load phishing webpages that sought to steal financial data and accounts at online banks and stores, a 9.42% increase from the previous quarter. Popular events like Burning Man, where demand is high and tickets are limited (attendance was capped last year at 80,000), are prime targets.
That’s why Kaspersky experts weren’t surprised when they uncovered the fraudulent website. Visitors are given the opportunity to purchase seemingly official tickets to the Burning Man festival when, in reality, those don’t go on sale until 26 February. As a result, victims are at risk of not only losing several hundred dollars, but also unwittingly giving away personal information like their name, telephone number, and email address, all of which could help cybercriminals launch future attacks.
The homepage is designed as an almost exact replica of the official webpage, but a closer look gives its true identity away: it was registered January 26, 2020 for one year under the name of a private individual rather than a company. In addition, if the victim is from Russia or a CIS country, they are redirected to a local e-currency website where they receive a warning that the payment will be transferred to an individual—rather than any kind of legal entity. Both are highly suspicious considering that Burning Man is a massive project brought together by a large organization based out of the US—where online Russian payment providers are not widely used.
On the left is the official Burning Man website. On the right is a phishing website designed as a near replica.
Users who visit the fraudulent site can purchase a “ticket” for $225. They are then transferred to a “secure” payment page where they can input their card details and complete their purchase. Scammers can then potentially use this personal info and the card details provided to make additional purchases under the card owner’s name or resell the information on the black market to other cybercriminals for various malicious purposes.
“Phishing attacks are popular among cyber criminals for a reason: they’re relatively easy to develop, anyone can fall for one, and they’re hugely profitable. The Burning Man glossary has a word: Obtainium. It means something useful obtained for free. A ticket that’s significantly cheaper than usual is something that, to a certain degree, could seem like an Obtainium to a trustful person. And that’s what fraudsters are counting on in this particular scam. They hope people will take the bait and spend their money for nothing. For those who are planning to attend Burning Man this year, we advise you to triple check that the ticket site is authentic,” says Tatiana Sidorina, security expert at Kaspersky.
Read more about this phishing scam on the Kaspersky Daily Blog.
Here’s what you can do to stay safe from phishing scams, according to Kaspersky experts:
- Do not visit websites until you are sure they are legitimate and start with ‘https’
- Once on a website, check that it is authentic
- Double-check the format of the URL or the spelling of the company name, read reviews, and check the domain’s registration data before starting any downloads
- Keep an eye on the official ticket sales announcements
- Subscribe to the Burning Man newsletter, as this is official communication and will deliver the latest news about the event
- Know the real ticket price so you are not tempted to purchase a cheaper option; an offer like that is typically too good to be true
- Get a special bank card for purchasing tickets for events and other entertainment activities
- If you receive a link from a friend or a colleague that supposedly takes you to the event page, be sure that they are the ones who actually sent it
- Use a reliable security solution, such as Kaspersky Security Cloud, to protect your devices from a wide range of threats, including phishing activity