We regularly come across scammy websites that wrap a product in some SEO slop and try to make a few dollars off an affiliate link. Most of them are not especially interesting. This one was. What caught our attention was not just that it was monetized, but that it was doing so by impersonating a major airline closely enough that a normal user could easily take it for the real thing.
It started when Huginn, our active phishing discovery system, surfaced spiritairlines.ru. The page looked like a Spirit Airlines homepage clone, though not an up-to-date one. The domain was registered on March 16, 2026 to a private individual through the Russian hosting provider Beget. That does not by itself prove malicious intent, but it was enough to justify a closer look.
Our first read was that this might be a phishing page, but the obvious phishing mechanics were missing. There was no login prompt, no payment form, and no place to enter anything particularly sensitive. The picture got clearer when we used the flight search form. Submitting a search redirected us to Aviasales with the trip details preloaded.
At that point the question changed. This did not look like credential theft. It looked like an airline impersonation page being used to generate affiliate revenue.
How The Redirect Works
A quick look at the source HTML confirmed the monetization path. The search form on the page submits to tpwgts.com/r, which is part of the Travelpayouts affiliate platform, and carries the user into an Aviasales search results page. The important fields are below:
<form action="https://tpwgts.com/r" method="GET" target="_blank">
<input type="hidden" name="marker" value="451735">
<input type="hidden" name="campaign_id" value="100">
<input type="hidden" name="target_host" value="www.aviasales.ru/search">
<input
type="hidden"
name="u"
value="https://www.aviasales.ru/search/NYC3103ORD0704100?currency=rub&language=ru&locale=ru&with_request=true"
>
<input type="hidden" name="page_url" value="https://spiritairlines.ru/">
</form>That is the core mechanic. The site presents itself as an airline booking page, but the booking flow is actually an affiliate redirect into Aviasales via Travelpayouts. In other words, the operator appears to be monetizing traffic by getting users to believe they are interacting with an airline website when they are really being funneled into a travel aggregator.
That distinction matters. We are not claiming here that Aviasales or Travelpayouts are involved in the impersonation. What we are saying is that these domains appear to be using airline branding and deceptively official looking domains to drive affiliate traffic.
More Airline Domains
Out of curiosity, we checked a few other major airlines to see whether this was an isolated case. It was not.
americanairlines.ru redirects to Aviasales with an affiliate identifier in the URL. The domain was registered to a private individual on October 21, 2004. southwestairlines.ru has a similar setup to the Spirit page, although the branding is a bit less specific, and its search form also routes through Travelpayouts to Aviasales. That domain was registered on November 29, 2016 to a private individual. alaskaairlines.ru and frontierairlines.ru use a very similar page template, but at the time we checked they did not expose a working travel search form even though the pages still presented themselves as places to buy tickets.
All of these sites also include disclaimers in the footer. For example: "This project is not affiliated with the airline «Alaska Airlines» and was created for communication between air passengers." Another says: "SpiritAirlines.ru is a reference and partner site for ticket aggregators and is not affiliated with the official website of Spirit Airlines."
Those disclaimers do not fix the problem. They are small, easy to miss, and not visible on page load. The overall impression of the page is still that you are on an airline website. If a user lands on spiritairlines.ru, sees Spirit branding, uses a flight search box, and gets redirected into a booking flow, it is hard to argue that the operator is being upfront about what the site actually is.
What makes this a more interesting case study than the standard fake login page is that it sits in a gray area that is still clearly harmful. The user may still end up on a legitimate travel aggregator and may still buy a real ticket, but they got there through a site that appears designed to borrow the trust of a real airline brand.
We were not able to find anything that ties all these pages to a specific individual, but the strategies seem too similar to be a coincidence. They all use the same monetization method, southwestairlines.ru, alaskaairlines.ru, and frontierairlines.ru were all registered on the same day, and finally all the URLs share the same naming convention. These overlaps suggest the same operator, or a small number of operators copying each other.