The tourism industry is a lucrative target for cybercriminals who seek to obtain and sell stolen travel points, hotel rewards, and airline credentials. According to a report by Check Point Research, the rise of global and regional threat actors targeting online travel and hospitality customers is alarming.
Cybercriminals target travelers by offering them alternative ways to cut back on expenses while on vacation. They do this by selling stolen reward points, using stolen credentials to create travel agencies, and running phishing and malspam scams. The goal of this article is to highlight the different ways cybercriminals are targeting online travel and hospitality customers while providing tips on how to stay safe.
Reward Points that are not Your Own
One method that cybercriminals use to scam travelers is offering stolen credentials of hotel and airline accounts that have accumulated reward or flight points. These stolen credentials are offered for free or for sale on hacking Darknet forums. Cybercriminals also use dedicated brute forcing tools, for example one that targets Radisson Hotel accounts, with the end goal of accessing accounts with reward points or linked payment cards.
Stolen Accounts with Reward and Flight Points
According to the Check Point Research report, an American Airlines account holding 1,500,000+ points was sold for $435. Cybercriminals are also offering tools that brute force accounts to capture their points, such as the one for Radisson accounts.
Travel Agents Selling Reduced-Price Tickets
Cybercriminals are also creating travel agencies on Russian hacking underground markets. These agencies offer flight tickets and hotel bookings at 45-50% discounted prices. However, these deals are ordered using stolen accounts from hotels, airlines, and other travel-related websites. The advertisement appears on the Darknet and is originally in Russian. It offers tickets for worldwide destinations except for Russia, with a minimum order of $325.
Phishing a Better Deal
Phishing scams remain a major technique used by cybercriminals to lure users into providing their details, especially their financial details. This is a way for them to steal funds and generate fraudulent transactions. In the report, Check Point Research provided examples of two cases where cybercriminals impersonate legitimate firms to lure their victims. The first is a phishing website impersonating the Vietnam Airline website, which offers deals and information and invites buyers to book trips. It was presented under a lookalike domain. The second is a malspam campaign sent to victims claiming they won a reward in the name of SouthWest Airline Company.
Protecting from Online Travel Scams
- Be Wary of Deals That Are Too Good
Scammers often use enticing deals to lure in unsuspecting travelers. If a deal seems too good to be true, it probably is. Nobody will sell you a ticket at 50% off.
- Secure Payment Methods
When booking a trip online, use a secure payment method such as a credit card or PayPal. These methods offer protection against fraudulent charges and make it easier to dispute any unauthorized transactions.
- Check for HTTPS
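When making any online transaction, including booking a trip, make sure the website has HTTPS in the URL. This indicates that the website has an SSL/TLS certificate, which means the data you enter is encrypted in transit. HTTPS does not by itself show that the site is legitimate, because a phishing site on a lookalike domain can have a certificate too, so check the web address as well.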
- Check Web Addresses
Another easy way to identify potential phishing attacks is to look for mismatched email addresses, links, and website domains. If an email appears to be from an airline company but has a different email address, it is most likely a phishing email. The same goes for web addresses.
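The address check described above can also be automated on a mail gateway or help desk. The following is an added example, not code from Check Point Research or from this article: it compares a message's sender domain and link hosts against a list of official domains and flags near matches. The domain example-air.test, the sample message and all function names are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL = {"example-air.test"}  # assumption: domains the real company uses
URL_RE = re.compile(r'https?://[^\s"<>]+')

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, official=OFFICIAL):
    """Return 'official', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official"
    # Every trailing part of the host, e.g. a.b.c -> a.b.c, b.c, c
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for dom in official:
        brand = dom.split(".")[0]
        # Brand name reused inside another domain, or a one/two character swap
        if any(brand in lab for lab in labels) or \
           any(edit_distance(s, dom) <= 2 for s in suffixes):
            return "lookalike"
    return "unrelated"

def review_message(from_header, body):
    """List (source, host, verdict) for each sender or link host that is not official."""
    hosts = [("sender", parseaddr(from_header)[1].rpartition("@")[2])]
    hosts += [("link", urlsplit(u).hostname or "") for u in URL_RE.findall(body)]
    return [(src, h, classify(h)) for src, h in hosts if classify(h) != "official"]

# Constructed sample message (not a real campaign)
SAMPLE_FROM = "Example Air Rewards <rewards@examp1e-air.test>"
SAMPLE_BODY = ("You won a reward! Claim it at "
               "https://example-air.test.claim-prize.test/win "
               "or read https://www.example-air.test/terms")

if __name__ == "__main__":
    for finding in review_message(SAMPLE_FROM, SAMPLE_BODY):
        print(finding)
```

A host reported as unrelated is not proven safe. It only means the name does not resemble the official domain.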
The tourism industry is a highly targeted area for cybercriminals looking to make a profit from unsuspecting travelers. With the rise of global and regional threat actors targeting online travel and hospitality customers, it is crucial to stay vigilant when booking a trip online. Cybercriminals use stolen credentials, reward points, and other tactics to steal personal information, financial details, and identity. To protect yourself while booking a trip, always use reputable travel booking websites, double-check email and web addresses, and avoid clicking on suspicious links or attachments. Additionally, it’s essential to keep your devices and software up-to-date, use strong passwords and two-factor authentication, and be wary of unsolicited emails or calls asking for personal information. By taking these precautions, you can help keep your information safe and enjoy your travels with peace of mind.