Rewards Points Theft is a Growing Piece of the Cybercrime Pie


The already lucrative market in stolen rewards points is growing significantly.

According to Flashpoint, a number of factors are coalescing to drive this criminal segment forward.

For one, fraudulent “booking services” that use stolen points in Russian-language forums are gaining popularity, including one that has gone as far as to establish its own group of members dedicated to cybercrime targeting hotel bookings. One such member has been advertising their travel “booking service” on two lower-tier forums since December 2014; grateful customers regularly post photos taken on trips purchased through the actor’s offerings. Interestingly, tickets can be booked to anywhere in the world, with the exception of domestic flights within Russia.

“This typically occurs via compromised user accounts—particularly those associated with rewards points credit cards,” Flashpoint explained in a blog. “Actors then use these points to purchase hotel rooms, flights, and car rentals through online booking services.”

There is also widespread points abuse among English- and Spanish-speaking cyber-criminals.

“These [Spanish and English] listings drove high demand—3,601 customers purchased one actor’s illicit hotel and car rental services between March 2015 and December 2016,” Flashpoint said. “To cash in on this trend, at least one vendor who was active on lower-tier Russian-language forums is known to have expanded their operations to AlphaBay Market in September 2016. Today, similar services are available on various other English-language marketplaces.”

The methods by which rewards points are stolen, and some of the ways in which they are used, are also evolving.

“Cyber-criminal abuse of rewards points has also been facilitated by the development of brute-forcing software, which can be used to systematically check a large number of possible password combinations until the correct one is determined,” said the firm. “After obtaining a user’s password through brute forcing, cyber-criminals can potentially access any rewards points associated with the compromised accounts. A symbiotic relationship exists between the expanding presence of these tools and the marketplace for compromised credentials.”

The good news is that businesses and individuals can protect themselves with one simple step: practicing stringent password hygiene.

“Since brute-forcing tools often used to access rewards points automatically test countless combinations of characters with the goal of identifying and entering the correct password, the difficulty of guessing a password increases exponentially along with its character length and complexity,” Flashpoint explained. 
