AMPYX CYBER

View Original

Thieves are running illegal travel agencies with your stolen points

BY KERRY TOMLINSON, AMPERE NEWS

How do cyber attackers travel? They use airline miles. But not always their own.

Victims are reporting a wave of airline account hacks where they've lost hundreds of thousands of points. Researchers say criminals are raiding rewards accounts to supply their own illegal travel agencies. If you don't have points, they may go for your money.

Watch here:

Theft wave

Thinking of taking a trip? You might want to check your airline points to see if they're still there.

"I woke up this morning missing 50k miles. Someone booked a Sydney to HK flight apparently using my points," wrote one victim on Reddit.

"...(L)ogged into my United app to see 100,000 miles were transferred out of my account!" said another.

"Yesterday I noticed that I had about 200k miles missing and someone has booked ten flights under my account," added a third.

It's not just miles and flights. People are reporting stolen hotel points, loyalty accounts hacked, and loans taken out on their travel rewards credit cards.

Raiding rewards

Thieves are mining your accounts for miles, as much as three billion dollars-worth each year, according to estimates.

That means free vacations for the crooks. And a steady supply of trips for their illegal travel agencies, all at your expense.

"They've got free points, and then they're selling tickets," said Pete Nicoletti, field CISO with cybersecurity company Check Point. "They're making money on stolen stuff."

Nicoletti used to work for Hertz as chief information security officer, where he saw thieves use people's names and credit cards to steal cars.

"They would rent a Rolls Royce," he said in an interview with Ampere News. "And even though we had sensors in the Rolls Royce, they get it into a container and ship it to Africa, and it was a mess. We saw all kinds of stuff."

Airline mile chop shops

Now the crooks have taken it even further, taking orders online for air trips, setting up week-long hotel stays with a rental car, even arranging weddings with your points, according to Check Point researchers.

The illegal agents sometimes book flights at the last minute, so you don't see it until it's too late. They may spam you with hundreds of other emails to bury the rewards account notification about your points. Or they may take over your email so you never see the notification at all.

One well-known underground agency, Patriarh, posts pictures of supposedly happy customers saying thank you from around the world.

Other agencies claim to have customer service 24 hours a day and refunds if things go wrong, though experts say you can't always trust thieves to honor their word.

Getting In

How do thieves get access to your rewards accounts? The researchers say they often start with a fake email designed to look like it's from an airline, hotel or travel site.

One fake message claims to be a survey from Southwest Airlines with a free $100 gift card if you participate. Another pretends to offer you free Hilton Hotel points.

If you click, you might go to a site that looks very similar to the real site but is also fake. If you enter your password, you've handed over the keys to your account to the attackers.

Even just clicking on the email links, out of curiosity, could cause trouble, Nicoletti said.

"Oh, what does this guy want? Click," Nicoletti said. "You're going to a hacker website. You're getting malware being downloaded. And you're being conned into losing points or losing access to your computer."

No points, no problem

The attackers can then sell your account online, the more points, the better. But even if you have no points, you're still worth money. The thieves can lie in wait until you do get miles or get access to your rewards credit card. They can also use your card for trips or to take out loans.

If you're thinking of taking one of these illegal discount trips, not only are you encouraging crime, but you also could get arrested like the 79 of travelers in a law enforcement operation in 2019.

What to do

What can you do to protect yourself from points thieves? Nicoletti offers these recommendations:

  • Watch out for changes on your rewards account. Missing points and strange flights are a big red flag. But you also want to watch for emails saying someone's changed your password, or changed or added an email address or credit card number.

"You really want to watch that.  And make sure that if you see that, you know that somebody's doing something, some kind of shenanigans," Nicoletti said.

  • Add in multi-factor authentication, the extra log-in step, to your accounts, so if someone steals your password, they'll have more trouble getting in.

  • Be wary of emails that look like they're from a travel business, like an airline or hotel. Go to the site directly instead of clicking on the links in the email. If you see an email offer you like, you're better of contacting the airline on your own.

  • Finally, you might want to check on your rewards accounts every so often, even if they're empty, because they can be used against you.

"Log into it every couple of months, make sure everything's cool," Nicoletti advised.

Another way in

Attackers can also get in by guessing your password if it's a short or easy one. They buy and sell password lists online, so if you're re-using a password from another one of your accounts that's been secretly hacked, the crooks can simply try that same password on your rewards account.

Making a longer password will help protect you. And if you do get hacked, contact the airline to report it and ask if they can replace your points.

More stories from Ampere News:

#travel #cybercrime #cybersecurity #cybersecurityawareness

See this content in the original post

Featured Stories

See this gallery in the original post