Apparently cybercriminals enjoy a little time off, though they prefer not to foot the bill for their own vacations. Instead, they are accessing specialty shops in the deep and dark webs, where they can purchase stolen credentials and cash in a victim's travel and hotel rewards.
In a May 2, 2018, blog post, Flashpoint intelligence analyst Kathleen Weinberger detailed how botnet operators incidentally came across credentials for direct access to reward program accounts. "In the process of using Trojans with keylogging or form-grabbing capabilities to steal credentials for customer accounts at targeted institutions, botnet operators often unintentionally obtain account credentials for non-targeted websites," Weinberger wrote.
Abuse of rewards points has been an ongoing trend in the deep and dark webs, and now that trend is evolving. A key distinction among these specialty shops is that they provide login credentials for direct account access rather than booking travel on behalf of clients, as was the case in activity reported last year.
In November, Flashpoint reported a growing interest among cybercriminals in booking services for hotels and airfare. "These services have become so widespread on one lower-tier Russian-language forum that the community has established its own group of members dedicated to cybercrime targeting hotels."
Analysts have continued to track several small specialty shops in the underground, noting that multiple threat actors have chosen to operate travel-focused specialty shops, which "indicates a relatively high demand for these credentials in the Russian-language underground," Weinberger wrote.
When botnet operators unintentionally come across these types of credentials, they take advantage of the opportunity to turn a profit rather than toss the byproducts back to the dark web. Often the monetary gain isn't too substantial, but it's enough to make it worth their while.
They may only advertise a small number of credentials for sale, but the return is enough to keep their small shops operating for the time being. "Flashpoint analysts assess with a moderate degree of confidence that the sale of hospitality rewards program credentials by botnet operators will continue as long as it continues to be profitable for botnet owners," wrote Weinberger.
To avoid falling victim to credential theft, users should follow best password practices. Two-factor authentication adds a layer of security for businesses, particularly since brute-force attacks can target specific institutions to steal customer credentials.