Though the slowdown in global travel hasn't altogether deterred hackers from trying to make a buck off of fraudulent offers and discount schemes that steal from travel loyalty programs, new research out today shows many Dark Web travel agencies are feeling the pain of lockdowns just like the travel industry organizations they target.
Criminal enterprises that hack the travel industry to sell fraudulent redemption of discounts, rebates, and stolen loyalty points have been evolving for several years now. Back in 2017, Trend Micro researchers published research that showed the broad scope of scamming and thievery that was starting to coalesce in underground markets into a comprehensive bazaar of shadow travel offerings.
"Fraudulent online transactions involving travel documents, airline and hotel loyalty accounts, and other travel-related services have become valued commodities the past several years," Trend researchers wrote then. "The Dark Web, underground forums, Telegram channels, and even social network postings advertise these services with the intention of providing cheap price tags for those who do not have a problem breaking the law."
Since then, sophisticated discount travel agencies have continued to sprout up on the Dark Web, using various means of fraud to supply them with "product" -- from stealing employee and corporate discount codes to using account takeover (ATO) attacks to control frequent flyer or hotel loyalty accounts containing many accrued miles or points. According to experts at Forter, last year fraud attacks against loyalty programs increased by 89% -- likely driven, at least in part, by shadow travel industry activity.
In February, before the impacts of COVID-19 went fully global, researchers at Digital Shadows' Photon Research Team related observations of a still-thriving Dark Web travel agency marketplace. They explained many of these attackers succeeded by booking last-minute flights to fly under the fraud detection radar and exploited weaknesses in third-party booking services to schedule trips without detection.
Authorities have been working on this problem. For example, in November 2019 an international effort coordinated by Europol, Interpol, Ameripol, and the National Cyber-Forensics & Training Alliance arrested 79 people suspected of fraudulent ticket purchases traveling across numerous worldwide airports. But like any lucrative cybercriminal endeavor, Dark Web agencies have proved to be a hydra with too many heads to count.
However, every monster has its weakness, and it appears the global pandemic is one of them for shadow travel fraud. Today Photon researchers did an update of their work from February and found Dark Web travel agencies are feeling the pain experienced across the legitimate travel industry. For example, they explained one instance of a fraudster complaining on an online service of work drying up as evidence that many of these agencies have fallen quiet during lockdowns.
"It seems that the shadow travel scene more broadly has demonstrably felt the impact of the COVID-19-prompted downturn," Digital Shadows researchers wrote. "In general, there appear to be far fewer advertisements for such services this time around: For example, there were three times the number of travel-related search results returned on Verified (Dark Web) forum in February 2020 compared to May 2020."
The question remains how long this lull will last. Photon researchers say they'll be keeping tabs on shadow travel activity as travel restrictions start to ease around the world.
"As travel bans are gradually being lifted and 'air bridges' introduced, especially across Europe, it will be interesting to see how quickly other travel vendors react and resume their advertisements for fraudulent airline tickets, hotel rooms, and the like," they wrote. "Just as interesting will be seeing how many of the previously well-established travel vendors will have been able to weather the storm, and how fast their trade will pick up again."
Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.