Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/30/2020
05:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Dark Web Travel Fraudsters Left Hurting From Lockdowns

Shadow travel businesses that depend on loyalty program fraud have been impacted just like the legitimate travel orgs they prey on.

Though the slowdown in global travel hasn't altogether deterred hackers from trying to make a buck off of fraudulent offers and discount schemes that steal from travel loyalty programs, new research out today shows many Dark Web travel agencies are feeling the pain of lockdowns just like the travel industry organizations they target.  

Criminal enterprises that hack the travel industry to sell fraudulent redemption of discounts, rebates, and stolen loyalty points have been evolving for several years now. Back in 2017, Trend Micro researchers published research that showed the broad scope of scamming and thievery that was starting to coalesce in underground markets into a comprehensive bazaar of shadow travel offerings.  

"Fraudulent online transactions involving travel documents, airline and hotel loyalty accounts, and other travel-related services have become valued commodities the past several years," Trend researchers wrote then. "The Dark Web, underground forums, Telegram channels, and even social network postings advertise these services with the intention of providing cheap price tags for those who do not have a problem breaking the law."

Since then, sophisticated discount travel agencies have continued to sprout up on the Dark Web, using various means of fraud to supply them with "product" -- from stealing employee and corporate discount codes to using account takeover (ATO) attacks to control frequent flyer or hotel loyalty accounts containing many accrued miles or points. According to experts at Forter, last year fraud attacks against loyalty programs increased by 89% -- likely driven, at least in part, by shadow travel industry activity.

In February, before the impacts of COVID-19 went fully global, researchers at Digital Shadows' Photon Research Team related observations of a still-thriving Dark Web travel agency marketplace. They explained many of these attackers succeeded by booking last-minute flights to fly under the fraud detection radar and exploited weaknesses in third-party booking services to schedule trips without detection.

Authorities have been working on this problem. For example, in November 2019 an international effort coordinated by Europol, Interpol, Ameripol, and the National Cyber-Forensics & Training Alliance arrested 79 people suspected of fraudulent ticket purchases traveling across numerous worldwide airports. But like any lucrative cybercriminal endeavor, Dark Web agencies have proved to be a hydra with too many heads to count. 

However, every monster has its weakness, and it appears the global pandemic is one of them for shadow travel fraud. Today Photon researchers did an update of their work from February and found Dark Web travel agencies are feeling the pain experienced across the legitimate travel industry. For example, they explained one instance of a fraudster complaining on an online service of work drying up as evidence that many of these agencies have fallen quiet during lockdowns.

"It seems that the shadow travel scene more broadly has demonstrably felt the impact of the COVID-19-prompted downturn," Digital Shadows researchers wrote. "In general, there appear to be far fewer advertisements for such services this time around: For example, there were three times the number of travel-related search results returned on Verified (Dark Web) forum in February 2020 compared to May 2020." 

The question remains how long this lull will last. Photon researchers say they'll be keeping tabs on shadow travel activity as travel restrictions start to ease around the world.

"As travel bans are gradually being lifted and 'air bridges' introduced, especially across Europe, it will be interesting to see how quickly other travel vendors react and resume their advertisements for fraudulent airline tickets, hotel rooms, and the like," they wrote. "Just as interesting will be seeing how many of the previously well-established travel vendors will have been able to weather the storm, and how fast their trade will pick up again."

Related Content:

 

 

 

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8913
PUBLISHED: 2020-08-12
A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library versions prior to 1.7.2. A malicious attacker could create an apk which targets a specific application, and if a victim were to install this apk, the attacker could perform a dir...
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183