Travel and Hospitality Fraud is Growing: Here’s How it Works

As the world starts opening up again and the summer holidays approach, thoughts turn to getting away to sunnier climes. As with most things, the cybercrime economy is way ahead of you. In fact, a major underground market has developed around hospitality and travel fraud. Those working in these industries, and consumers looking out for a bargain, should beware.

Our research reveals 4000 dark web references to airline and hotel fraud worldwide last year. Even during the COVID-19 pandemic, the airline industry reportedly saw a 530% rise in cybercrime incidents. 

Big Business on the Dark Web

Threat actors have been engaged in travel and hospitality-related fraud since the start of the cybercrime era. Stolen card-not-present (CNP) data and loyalty points are used to purchase flights, hotels and other travel-related offerings, which are then sold on at a significantly marked-down price. To make the bookings, threat actors might first create fictitious accounts, hijack legitimate accounts, or convince unscrupulous ‘dark’ hosts to process payments without actually redeeming a booking.

To create their fraudulent listings, threat actors may use brute-forced accounts purchased on dark web marketplaces, or buy stolen log-in information to take over accounts first and then use them. Alongside ads for these fraudulent ‘travel agency’ services, cyber-criminals may also advertise and sell counterfeit COVID-19 vaccination statuses and certificates.

It’s big business. One report revealed $1.2m in illegal sales in the first nine months of 2021, although even this is likely to be just the tip of the iceberg. We found 156 references to airline ticket sales linked primarily to Telegram channels and groups known to engage in this type of fraud.

With a projected global value of over $11bn by 2025, loyalty cards are also in the crosshairs of fraudsters. Reward points can be used like stolen CNP details to book flights, hotels and other travel-related goodies. This kind of fraud is particularly difficult to detect, as the scammers usually obtain enough personal info through social engineering or other tactics to authentically impersonate the genuine user. Reward accounts are often poorly secured and the victim only realizes their loss once they check their balance.

Fuel for the Fire

As with a great deal of cybercrime, much of this thriving travel and hospitality fraud market is fuelled by data breaches. Since January 1, 2021, we’ve found over 4.4 million leaked credentials related to airlines, travel and hospitality organizations globally, for example. Another classic tactic for getting hold of personal information to support these scams is phishing the victims themselves.

In 2021, threat actors even used phishing techniques to defraud users of the Transportation Security Administration’s (TSA) PreCheck, Global Entry and NEXUS application service websites. PreCheck enables registered users to skip some checks at US airports for a more streamlined experience.

Fighting Back

Fortunately, there are things you can do as organizations and consumers to arrest this growing trend of travel and hospitality fraud.

For organizations concerned about this risk, there are some measures you may already be taking or could consider extending. Patching critical systems for vulnerabilities is essential. Having an incident response plan that you test will be hugely valuable, and testing it will leave you better prepared for the inevitable updates the plan will need.

Using intelligence will augment all of these other efforts. Looking across an array of criminal markets for dark web postings of customer credentials stolen from infected devices, and of access into your networks offered for sale, will help you proactively mitigate the risk further.

Consumers can also do their bit to limit the damage caused by travel and hospitality fraud by staying alert. Only buy airline tickets and book hotel reservations on legitimate or well-known sites, not social media. It also goes without saying that you should never reply to unsolicited contact about holiday offers and always check the T&Cs before making a purchase. Happy holidays.
