Cyber criminals based in Russia are stealing Britons’ air miles and reward points and using them to buy luxury five-star holidays at a huge discount, it has been revealed.
A new report suggests that hackers steal reward points and air miles from airline user accounts and bank accounts in phishing scams, and then sell them on, offering flights, hotels and even car hire on the dark web at discounts of up to 75 per cent.
The hacker ‘travel agents’ attractively package the holidays up to advertise them online like legitimate sellers – and their criminal customer base even leave photos and gushing reviews.
Research company Flashpoint, which released the report, said the situation is so worrying that one American bank, which has British customers, has banned buying flights in Russia using its reward scheme.
One British couple found their Avios travel reward points had been used to pay for a room in Spain under the names of Olga and Dmitry, reports The Times.
Olivia Rowley, a cyber crime intelligence analyst for Flashpoint, said: ‘One advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone.
‘They’re confident enough to travel in their own names using the stolen points.’
The report adds: ‘These services have become so widespread on one lower-tier Russian-language forum that the community has established its own group of members dedicated to cyber crime targeting hotels.
‘In fact, one such member has been advertising their travel ‘booking service’ on two lower-tier forums since December 2014. Through their service, users can order tickets to anywhere in the world; the only restriction is no domestic flights within Russia. Grateful customers regularly post photos taken on trips purchased through the actor’s offerings.’
Beyond the Russian-language underground, reward points abuse is becoming increasingly popular among English- and Spanish-speaking cyber criminals.
The report adds: ‘On the Spanish-language underground, the most prolific rewards point fraud service is an illicit “travel agency” that offers discounted tickets and reservations for flights, five-star hotels, car rentals, cruises, and other miscellaneous vacation activities such as tours.
‘Clients are allowed and even encouraged to make these reservations in their own names, and reservations can be made anywhere from a month to only hours in advance.’
Similar illicit booking services had been listed on the now-defunct AlphaBay Market since at least March 2015.
These listings drove high demand—3,601 customers purchased one hacker’s illicit hotel and car rental services between March 2015 and December 2016.
Flashpoint did not name the point schemes and airlines affected but said that ‘major’ British names were involved.