Cybercriminals from Russia are reported to be taking five-star holidays at knockdown prices using reward points stolen from unwitting Britons.
The fraudsters buy flights, hotels and car-hire at discounts of up to 75% from crooked ‘travel agents’ on the dark web, who have obtained them using reward points and air miles hacked from airline user accounts and bank accounts.
These intermediaries have sleek online stores resembling those of legitimate agents, and grateful customers post photos and reviews of their illegally subsidised trips, according to The Times.
Flashpoint, the research company that revealed the trade, said that the problem was so serious that one US-based bank with British customers had quietly blocked the purchase of flights in Russia using its rewards scheme.
Flashpoint specialises in monitoring activity on the dark web, a part of the internet promising anonymity and dealing in bitcoins. It is widely used for the sale of drugs and stolen property.
The middlemen in the ploy typically deal in sales of flights above $500 or hotel bookings above $200, saying that their margins would be too small otherwise. Customers often buy business-class flights and stay in four and five-star hotels, according to the report.
Comments on internet forums such as Reddit and Flyertalk detail the stories of British victims, such as a couple who found their Avios points had been used to pay for a room in Spain under the names of Olga and Dmitry. Avios manages air miles on behalf of several airlines and is owned by the parent company of British Airways.
Liv Rowley, of Flashpoint, said criminals believed that it was too risky to buy flights with stolen credit card details but felt safe using reward points associated with the same accounts.
She said: “One advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone. They’re confident enough to travel in their own names using the stolen points.”
The hackers obtained the points from bank accounts with linked reward schemes that were compromised in phishing scams — where criminals trick people into revealing their passwords using phoney “official” emails.
Attackers also hacked people’s accounts with airlines to access their accrued miles. Reward points are not generally transferable but the researchers indicated that criminals had found ways to overcome the curbs and travel using their real names.
The company declined to name the point schemes and airlines affected but said that “major” British names were involved.
Although the Russian-speaking underground is the biggest market for such criminality, the researchers said that English and Spanish-speaking criminals were increasingly involved.
Some 3,600 customers used one illicit hotel and car rental service on the Alphabay dark web marketplace between March 2015 and December last year.
Alphabay was closed in July after an investigation by police forces led by the FBI but Flashpoint said that similar services were sold on English-language marketplaces still online.
Illicit travel services are offered alongside hacked accounts from companies such as Amazon and Deliveroo that are linked to the victim’s credit card and can be used to buy goods or food.
Iata estimates that the airline industry loses more than $1 billion a year as a result of the fraudulent online purchases of flight tickets.
EU law enforcement agency Europol recently targeted online agencies that specialise in buying airline tickets with stolen or fake credit card details.
Alan Woodward, of the University of Surrey, said: “The whole area of crime as a service is common on the dark markets . . . The part that is unclear is why there isn’t more cross-checking: you would have thought that loyalty points would be usable only by those to whom the points belong.”