A Special Mission to Nowhere
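After the military conflict between Israel and Iran, US intervention led to a ceasefire. A phishing campaign exploited the resulting panic, using a fake emergency evacuation service to steal personal information and banking details. The website posed as a high-end business jet service, offered low-priced tickets, and collected sensitive data through suspicious links. Technical details show that it is not genuine.

2025-7-23 13:0:0 Author: feeds.fortinet.com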

Affected Platforms: N/A
Impact: Theft of PII and Banking Details
Severity Level: Medium

On June 13, 2025, Israel launched a sweeping pre-emptive operation targeting Iran’s military leadership, conventional military sites, air defenses, and nuclear infrastructure. The campaign was dubbed Operation Rising Lion by the Israeli government and military. Last month, Fortinet published a blog detailing the new realities of cyber warfare highlighted by this recent conflict.

What followed was a 12-day exchange of strikes and counterstrikes between the two countries, resulting in significant damage and widespread fear and uncertainty among civilians caught in the middle. Following US involvement through Operation Midnight Hammer, a ceasefire was announced and has so far been maintained.

In the aftermath, FortiGuard Labs has identified what appears to be an attempt to exploit this crisis. Threat actors, using fear of renewed violence, launched a phishing campaign to steal personal and financial information from individuals seeking to flee the hostilities.

Initial Finding

FortiGuard Labs tooling detected the domain “lineageembraer[.]online” being registered on June 22, 2025. It appears to have been brought online very shortly thereafter.

Figure 1. WhoIs record for “lineageembraer[.]online”.

The domain stood out due to its reference to Embraer, a well-known Brazilian aerospace manufacturer. The “Lineage” designation refers to the Embraer Lineage 1000 and 1000E, which are business jets based on the company’s E190 commercial airliner platform. While marketed as VIP transport, the aircraft are relatively rare, expensive to operate, and often associated with airlines, charter companies, or high-net-worth individuals. This made the domain’s use in the context of an emergency evacuation offer especially suspicious.

Landing Page

Upon inspection, the site displays an image of a business jet’s tail section and engine nacelle, accompanied by a banner reading “SPECIAL MISSIONS.”

Figure 2. Landing page for “lineageembraer[.]online”.

The landing page includes a prominent “Book Now” button, offering users a seat for $2,166 USD. A total of 18 seats are listed as available, roughly matching the passenger capacity of an Embraer Lineage 1000 or 1000E.

In the page footer, the following travel details are displayed:

Departure: June 26, 2025
Tel Aviv – Ben Gurion to New York – Teterboro
Seats are extremely limited

An additional button labeled “Instruction [sic]” is also presented; it is covered below.

Digging Deeper

The site’s certificate was issued by Google Trust Services and appears to be valid only from the go-live date and time through September 20, 2025.

Figure 3. Start of the certificate chain for “lineageembraer[.]online”.

Notably, the page footer references a June 26 departure date, which was two days after the ceasefire took effect on June 24, 2025. This suggests the site’s operators either overlooked the ceasefire or assumed that some individuals might still be seeking to leave the region for safety or personal reasons. While that alone doesn't confirm malicious intent, it adds to the overall suspicion.

Clicking the “Book Now” button initiates a mailto: operation addressed to lineageembraer[@]gmail[.]com. There is no open-source intelligence linking this email address to any legitimate entity, and it appears to have been created solely to match the fake domain.

Clicking the “Instruction [sic]” button triggers the download of a PDF containing travel instructions. Interestingly, this file is hosted on a Shopify CDN (content delivery network), an unusual choice for legitimate aviation or charter services. The file is located at:

hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015

The use of commercial infrastructure, such as Shopify's CDN, for a high-priced international charter service further undermines the credibility of the site.
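The two link-level indicators described above (a booking button that resolves to a free-mail mailbox named after the site, and a document served from an unrelated third-party host) can be checked mechanically during triage. The following is an added example, not FortiGuard Labs tooling: the function name, finding labels, free-mail list and sample markup are assumptions, and the Shopify path is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumed, not exhaustive
DOC_EXT = (".pdf", ".doc", ".docx")

class _Links(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())

def audit_landing_page(site_host, html):
    """Return sorted (finding, evidence) pairs for a page served from site_host."""
    site_host = site_host.lower().rstrip(".")
    label = site_host.split(".")[0]  # left-most label; assumes no "www." prefix
    parser = _Links()
    parser.feed(html)
    findings = set()
    for href in parser.hrefs:
        url = urlsplit(href)
        scheme = url.scheme.lower()
        if scheme == "mailto":
            addr = unquote(url.path).split(",")[0].strip().lower()
            local, _, domain = addr.rpartition("@")
            if domain in FREE_MAIL:
                kind = "freemail_mirrors_domain" if local == label else "freemail_contact"
                findings.add((kind, addr))
        elif scheme in ("http", "https") and url.hostname:
            host = url.hostname.lower()
            offsite = host != site_host and not host.endswith("." + site_host)
            if offsite and url.path.lower().endswith(DOC_EXT):
                findings.add(("offsite_document", host))
    return sorted(findings)

# Constructed markup; the site host, mailbox and CDN host are the ones reported above.
SAMPLE = """
<a class="btn" href="mailto:lineageembraer@gmail.com?subject=Booking">Book Now</a>
<a class="btn" href="https://cdn.shopify.com/s/files/PLACEHOLDER/instructions.pdf?v=1">Instruction</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for finding in audit_landing_page("lineageembraer.online", SAMPLE):
        print(finding)
```

Neither finding is conclusive on its own; as in the analysis here, they are signals to weigh alongside registration age, certificate validity and the plausibility of the offer.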

As shown in Figure 4, the site presents what appears to be a “premium” evacuation service. While the postal code and city listed—Bristol, UK—are real, the absence of a house or building number raises red flags. The postal code corresponds to a small residential neighborhood with only about a dozen homes, making it highly unlikely to be the legitimate base of operations for an international charter service.

The flight is advertised as departing from Ben Gurion Airport in Tel Aviv and arriving at Teterboro Airport, which the site incorrectly lists as being in New York. In reality, Teterboro is approximately 12 miles (19.3 kilometers) from Manhattan in the US state of New Jersey.

To complete the booking, users are prompted to submit personal details—including name, address, and passport number—with payment instructions to follow, contingent on the operators determining that the requester is “serious.” This vetting approach likely serves to create a false sense of legitimacy while selectively harvesting high-value identity data.

Further Analysis

The logistical and financial inconsistencies in the offer further support the conclusion that this is not a legitimate service.

The aircraft model advertised for the flight, a Lineage 1000E, is extremely rare. Fewer than a dozen were ever produced before Embraer ceased manufacturing the model in 2019. While some are configured for VIP transport, securing one on short notice during a regional conflict would be highly improbable.

Operational limitations also raise doubts. The Lineage 1000E has a maximum range of approximately 4,600 nautical miles, while the direct distance from Tel Aviv to Teterboro is around 5,700 nautical miles. This would require at least one stop for refueling, complicating the feasibility of a nonstop evacuation flight as claimed.

Finally, the advertised price of $2,166 USD per seat is unrealistically low for what is described as a high-end charter. By comparison, a commercial first-class ticket from Tel Aviv to New York for the following Thursday, July 3, 2025, is priced between £5,085 (approximately $6,976.70 USD) and £6,014 (approximately $8,251.30 USD). The stark difference in pricing raises serious doubts about the legitimacy of the offering and strongly suggests fraudulent intent.

Figure 5. Google search showing comparable flight costs.

While that price gap is hard to ignore, it becomes even more unrealistic when you factor in the cost of an actual charter. Based on our research, flying a Lineage 1000E on a long-haul route like this would typically run well over $10,000 USD per seat. That includes fuel, crew, landing fees, and the premium involved in sourcing a rare aircraft during a crisis.

Offering seats at $2,166 would only be feasible with substantial backing from a government, NGO, or corporate sponsor, none of which are present. With no visible affiliations or credible context, the service appears to be a well-crafted scam. All indicators suggest a fraudulent operation aimed at stealing personal data or extracting money from individuals under pressure.

Conclusion

Unfortunately, history shows that even in times of conflict, there are always those willing to exploit fear and desperation. In this case, the indicators all strongly suggest this is an attempt to steal identity data, financial details, and possibly funds from individuals seeking to escape a volatile situation.

Fortinet Protections

FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.

If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.

IOCs

Network-based IOCs

hXXps://lineageembraer[.]online
hXXps://cdn.shopify.com/s/files/1/0945/8889/5563/files/Special_Mission_Flight_Embraer_Lineage_1000E.pdf?v=1750688015


Article source: https://feeds.fortinet.com/~/922067897/0/fortinet/blog/threat-research~A-Special-Mission-to-Nowhere