Cybersecurity firm Flashpoint says that rewards points make an all-too-tempting target for criminals looking to turn a profit.
No longer content with stealing bank account details or personal information, it seems that fraudsters are now angling for passengers’ travel rewards points. In a recent blog post, cybersecurity firm Flashpoint says that it has “observed Deep & Dark Web chatter pertaining to the exploitation of rewards points programs, especially those associated with travel.”
It adds that, “This chatter aligns with cybercriminals’ interest in fraudulent booking services for hotels, airline tickets, and car rentals—all of which have proliferated in various underground communities over the past several years.” Scammers, says the firm, are normally able to access passengers’ rewards points via an account that has been compromised.
As an additional advisory, Flashpoint explains that, “Cybercriminal abuse of rewards points has also been facilitated by the development of brute forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined. After obtaining a user’s password through brute forcing, cybercriminals can potentially access any rewards points associated with the compromised accounts.”
Once they have access, criminals then steal rewards points and, in order to make money, set up bogus travel sites that offer deeply discounted hotels, flights and services.
These kinds of scams are known to be widespread among certain English-, Spanish- and Russian-speaking cybercriminals. Despite the authorities' attempts to crack down on darknet vendor sites such as AlphaBay and Hansa, this kind of illicit activity is likely to continue.
Those looking to protect themselves, says Flashpoint, should practice what it calls “stringent password hygiene.” “Since brute forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity,” it advises.