Threat Intelligence

7/30/2020
05:50 PM
Dark Web Travel Fraudsters Left Hurting From Lockdowns

Shadow travel businesses that depend on loyalty program fraud have been impacted just like the legitimate travel orgs they prey on.

Though the slowdown in global travel hasn't altogether deterred hackers from trying to make a buck off fraudulent offers and discount schemes that steal from travel loyalty programs, new research out today shows that many Dark Web travel agencies are feeling the pain of lockdowns just like the travel industry organizations they target.

Criminal enterprises that hack the travel industry to sell fraudulent redemptions of discounts, rebates, and stolen loyalty points have been evolving for several years now. Back in 2017, Trend Micro researchers published a report showing the broad scope of scamming and thievery that was starting to coalesce in underground markets into a comprehensive bazaar of shadow travel offerings.

"Fraudulent online transactions involving travel documents, airline and hotel loyalty accounts, and other travel-related services have become valued commodities the past several years," Trend researchers wrote then. "The Dark Web, underground forums, Telegram channels, and even social network postings advertise these services with the intention of providing cheap price tags for those who do not have a problem breaking the law."

Since then, sophisticated discount travel agencies have continued to sprout up on the Dark Web, using various means of fraud to supply themselves with "product" -- from stealing employee and corporate discount codes to using account takeover (ATO) attacks to seize frequent flyer or hotel loyalty accounts holding large balances of accrued miles or points. According to experts at Forter, fraud attacks against loyalty programs increased by 89% last year -- likely driven, at least in part, by shadow travel industry activity.

In February, before the impacts of COVID-19 went fully global, researchers at Digital Shadows' Photon Research Team reported their observations of a still-thriving Dark Web travel agency marketplace. They explained that many of these attackers succeeded by booking last-minute flights to fly under the fraud detection radar, and by exploiting weaknesses in third-party booking services to schedule trips without detection.
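The two signals described above, account takeover and last-minute booking, are exactly what a loyalty program's own fraud controls can score on before a redemption is issued. The following is an added illustration, not code from the article or from Digital Shadows' research: a small rule-based scorer that routes risky redemptions to manual review. The field names, the weights, the 60-point review threshold and the two sample events are constructed assumptions, not any real program's schema.

```python
"""
Added example (not from the Dark Reading article or Photon Research):
a rule-based risk score for loyalty-point redemptions. It combines the
signals the article names - recent credential changes and new devices
(account takeover indicators) and very short booking-to-travel lead
times (last-minute bookings) - so a program can hold a redemption for
review instead of issuing the ticket. All field names, weights and
sample events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Redemption:
    account_id: str
    booked_at: datetime            # when the redemption was requested
    travel_at: datetime            # departure / check-in time
    points_spent: int
    account_points_before: int     # balance before this redemption
    password_changed_at: datetime  # most recent credential change on the account
    device_seen_before: bool       # has this device been used on the account before?
    traveler_is_account_holder: bool


# Assumed weights; a real program would tune these against labelled fraud cases.
REVIEW_THRESHOLD = 60


def score_redemption(r: Redemption) -> Tuple[int, List[str]]:
    """Return (risk score, list of human-readable reasons)."""
    score = 0
    reasons: List[str] = []

    # Last-minute bookings leave little time for the legitimate owner to
    # notice and dispute the redemption.
    if r.travel_at - r.booked_at < timedelta(hours=48):
        score += 30
        reasons.append("last-minute booking (<48h lead)")

    # A credential change shortly before a redemption is a classic ATO pattern.
    if r.booked_at - r.password_changed_at < timedelta(days=7):
        score += 30
        reasons.append("credential changed within 7 days of booking")

    if not r.device_seen_before:
        score += 20
        reasons.append("unrecognised device")

    # Draining the balance in one go is typical of a resold account.
    if r.account_points_before and r.points_spent / r.account_points_before > 0.8:
        score += 20
        reasons.append("drains >80% of point balance")

    # Shadow agencies book travel for their customers, not for the account holder.
    if not r.traveler_is_account_holder:
        score += 20
        reasons.append("ticket issued to a third party")

    return score, reasons


def needs_review(r: Redemption) -> bool:
    return score_redemption(r)[0] >= REVIEW_THRESHOLD


# Constructed sample events.
NORMAL = Redemption(
    account_id="acct-001",
    booked_at=datetime(2020, 7, 1, 10, 0),
    travel_at=datetime(2020, 8, 1, 9, 0),
    points_spent=20_000,
    account_points_before=100_000,
    password_changed_at=datetime(2019, 7, 1),
    device_seen_before=True,
    traveler_is_account_holder=True,
)

SUSPICIOUS = Redemption(
    account_id="acct-002",
    booked_at=datetime(2020, 7, 1, 22, 0),
    travel_at=datetime(2020, 7, 2, 7, 0),
    points_spent=95_000,
    account_points_before=100_000,
    password_changed_at=datetime(2020, 6, 29),
    device_seen_before=False,
    traveler_is_account_holder=False,
)

if __name__ == "__main__":
    for ev in (NORMAL, SUSPICIOUS):
        s, why = score_redemption(ev)
        print(ev.account_id, s, "REVIEW" if needs_review(ev) else "ok", why)
```

Run as a script it prints a score and the triggering reasons for each sample; the suspicious event trips every rule while the routine redemption trips none. The point of keeping the reasons alongside the score is that a reviewer, or a later investigation, can see which ATO or timing signal fired rather than just a number.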

Authorities have been working on this problem. For example, in November 2019 an international effort coordinated by Europol, Interpol, Ameripol, and the National Cyber-Forensics & Training Alliance arrested 79 people suspected of traveling on fraudulently purchased tickets through numerous airports worldwide. But like any lucrative cybercriminal endeavor, Dark Web agencies have proved to be a hydra with too many heads to count.

However, every monster has its weakness, and it appears the global pandemic is one of them for shadow travel fraud. Today Photon researchers published an update to their work from February and found that Dark Web travel agencies are feeling the same pain as the legitimate travel industry. For example, they cited one instance of a fraudster complaining on an online service that work had dried up as evidence that many of these agencies have fallen quiet during lockdowns.

"It seems that the shadow travel scene more broadly has demonstrably felt the impact of the COVID-19-prompted downturn," Digital Shadows researchers wrote. "In general, there appear to be far fewer advertisements for such services this time around: For example, there were three times the number of travel-related search results returned on Verified (Dark Web) forum in February 2020 compared to May 2020."

The question remains how long this lull will last. Photon researchers say they'll be keeping tabs on shadow travel activity as travel restrictions start to ease around the world.

"As travel bans are gradually being lifted and 'air bridges' introduced, especially across Europe, it will be interesting to see how quickly other travel vendors react and resume their advertisements for fraudulent airline tickets, hotel rooms, and the like," they wrote. "Just as interesting will be seeing how many of the previously well-established travel vendors will have been able to weather the storm, and how fast their trade will pick up again."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.