Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

7/30/2020
05:50 PM

Dark Web Travel Fraudsters Left Hurting From Lockdowns

Shadow travel businesses that depend on loyalty program fraud have been impacted just like the legitimate travel orgs they prey on.

Though the slowdown in global travel hasn't altogether deterred hackers from trying to make a buck off of fraudulent offers and discount schemes that steal from travel loyalty programs, new research out today shows many Dark Web travel agencies are feeling the pain of lockdowns just like the travel industry organizations they target.  

Criminal enterprises that hack the travel industry to sell fraudulent redemption of discounts, rebates, and stolen loyalty points have been evolving for several years now. Back in 2017, Trend Micro researchers published research that showed the broad scope of scamming and thievery that was starting to coalesce in underground markets into a comprehensive bazaar of shadow travel offerings.  

"Fraudulent online transactions involving travel documents, airline and hotel loyalty accounts, and other travel-related services have become valued commodities the past several years," Trend researchers wrote then. "The Dark Web, underground forums, Telegram channels, and even social network postings advertise these services with the intention of providing cheap price tags for those who do not have a problem breaking the law."

Since then, sophisticated discount travel agencies have continued to sprout up on the Dark Web, using various means of fraud to supply them with "product" -- from stealing employee and corporate discount codes to using account takeover (ATO) attacks to control frequent flyer or hotel loyalty accounts containing many accrued miles or points. According to experts at Forter, last year fraud attacks against loyalty programs increased by 89% -- likely driven, at least in part, by shadow travel industry activity.

In February, before the impacts of COVID-19 went fully global, researchers at Digital Shadows' Photon Research Team related observations of a still-thriving Dark Web travel agency marketplace. They explained many of these attackers succeeded by booking last-minute flights to fly under the fraud detection radar and exploited weaknesses in third-party booking services to schedule trips without detection.

Authorities have been working on this problem. For example, in November 2019 an international effort coordinated by Europol, Interpol, Ameripol, and the National Cyber-Forensics & Training Alliance arrested 79 people suspected of fraudulent ticket purchases traveling across numerous worldwide airports. But like any lucrative cybercriminal endeavor, Dark Web agencies have proved to be a hydra with too many heads to count. 

However, every monster has its weakness, and it appears the global pandemic is one of them for shadow travel fraud. Today Photon researchers updated their work from February and found Dark Web travel agencies are feeling the pain experienced across the legitimate travel industry. For example, they pointed to one instance of a fraudster complaining on an online service about work drying up as evidence that many of these agencies have fallen quiet during lockdowns.

"It seems that the shadow travel scene more broadly has demonstrably felt the impact of the COVID-19-prompted downturn," Digital Shadows researchers wrote. "In general, there appear to be far fewer advertisements for such services this time around: For example, there were three times the number of travel-related search results returned on Verified (Dark Web) forum in February 2020 compared to May 2020." 

The question remains how long this lull will last. Photon researchers say they'll be keeping tabs on shadow travel activity as travel restrictions start to ease around the world.

"As travel bans are gradually being lifted and 'air bridges' introduced, especially across Europe, it will be interesting to see how quickly other travel vendors react and resume their advertisements for fraudulent airline tickets, hotel rooms, and the like," they wrote. "Just as interesting will be seeing how many of the previously well-established travel vendors will have been able to weather the storm, and how fast their trade will pick up again."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
 
