Travel Hacks: How Cybercriminals Tour the World on the Cheap
by Vladimir Kropotov, Mayra Rosario Fuentes, Fyodor Yarochkin, and Lion Gu
The internet is ripe with stories about travelers who ‘hacked’ their way into cheap travel and vacation costs. Brian Kelly, a former Wall Street worker, manipulated credit card perks and frequent flyer miles to score free or heavily discounted trips. One of his trips, which had stops in Ghana, Rwanda, and South Africa, just cost him US$5.60. Meanwhile, a Reddit user claimed he went on a two-week trip to Thailand that could have cost $28,000 but ended up only costing him $326.
While the abovementioned examples of ‘travel hacking’ are still legal, it's a completely different story when travelers go on a trip using illegally-acquired services.
In the cybercriminal underground, fraudulent online transactions involving travel documents, airline and hotel loyalty accounts, and other travel-related services have become valued commodities the past several years. Cybercriminals run this business by offering services paid for using stolen credit cards, hacked loyalty program accounts that were either leaked or vulnerable, and fraudulent redemption of freebies, discounts, and rebates in the form of coupons, among others. Although there are existing security mechanisms in place to combat such illicit activities, cybercriminals continue to offer more and more services in hopes of piquing buyer interest.
The dark web, underground forums, Telegram channels, and even social network postings advertise these services with the intention of providing cheap price tags for those who do not have a problem breaking the law. From arranged travel documents and car rentals to booking flights and hotel rooms, here are some of the services we have seen offered in the Chinese and Russian underground and some English-language forums:
Travel documents and flights
There are plenty of advertisements that offer fraudulent documents for travelers who would like to remain anonymous or just simply lack the necessary papers. Among dozens who offer the service, one seller in Russian underground forums offers blank and PII-inclusive Ukranian passports for $1,500 and $1,600, respectively. The underground markets also offer passport modification services, usually for around RUB 30,000 ($510) to RUB 65,000 ($1,100).
Cheap flights from darknet marketplaces are available via stolen accounts with frequent flyer miles or travel points, usually as part of airline or credit card programs. Because of the cash value in these stolen travel points, cybercriminals will only have to pay 30-50 percent of the legitimate price of a plane ticket. They usually buy these flights at the last minute; by the time the airline company notices the fraudulent transaction, the buyer has already gotten off the flight.
One example that caters to the needs of flying cybercriminals is an advertisement found in Chinese underground forums selling airline packages for Commercially Important Persons (CIPs) and VIPs. These packages cost RMB 30 ($4.53) for one domestic flight and RMB 60 ($9.07) for one international flight. CIPs are people who pay extra to use facilities, while VIPs are usually government officers. The package includes priority check-in, use of the CIP/VIP lane at airport security, free extra luggage, free lounge use, and a free seat class upgrade.
Figure 1. Seller offering blank and filled-up passports and passport modification
Figure 2. Seller offering quality passports for a wide range of countries
Figure 3. An advertisement selling airline accounts
Figure 4. An advertisement selling flights for 40-50 percent of the real price
Figure 5. Advertisement on Telegram that offers flights for 50 percent of the real price, and hotels for 40 percent of the real price
Figure 6. Delta Airlines miles account and a guide on how to use it, sold for $0.99 on Dream Market
Figure 7. Advertisement of CIP and VIP services
Cabs and car-sharing rides
For those who need a ride to the airport or around the destination city, cybercriminals offer cheap land options courtesy of discounted taxi and car-sharing rides.
They offer heavily discounted car-sharing services and online taxi booking service providers. Package deals stolen from a Russian service provider offers riders RUB 550 ($9.28) rides for only RUB 200 ($3.38); RUB 700 ($11.81) rides for RUB 250 ($4.22); RUB 1,000 ($16.88) rides for RUB 300 ($5.06); RUB 1,500 ($25.32) rides for RUB 500 ($8.44); and RUB 600 ($10.12) for a one-hour ride on business-class cabs.
Advertisements for cheaper car rentals are also available, particularly via stolen membership cards. A Chinese advertisement offers a card with a free car upgrade, free weekend rental, and 25-50% bonus points that can be used to redeem a free car rental. This membership card, which is a higher level of membership with greater rewards, is priced at RMB 338 ($51.03).
Figure 8. An advertisement offering discounted Uber rides
Figure 9. An advertisement offering discounted Yandex.Taxi rides
Figure 10. An advertisement selling an AVIS membership card
Hotels offer discounted rates for customers with loyalty accounts that they may redeem through free room upgrades, free breakfast, free Wi-Fi, late checkout privilege, and more. Cybercriminals take advantage of these discounted rates by stealing loyalty accounts with reward points. These stolen accounts and points are being sold mostly on Dream Market, allowing buyers to book reservations at luxurious hotels for up to 70% less than the regular price. Cybercriminals also offer free login accounts that claim to give buyers a free overnight stay at a hotel, and accounts that have gold status and deposited points.
Three variations of a premium loyalty account from a five-star hotel, which has exclusive benefits and free nights at its franchise hotels worldwide, are also sold for prices that depend on the amount of points deposited in the account. An account with 10,000 points is sold for RMB 800 ($120.88), while the other account that has 20,000 points is priced for RMB 1,600 ($241.76). A more expensive account, which has 30,000 points, is sold for RMB 2,400 ($362.69). These accounts are tied to redeemable one-night stays at hotels, with prices that depend on location and degree of commercial prestige.
Employees who work for some large corporations are often offered discounted rates at the largest hotel chains around the globe. These corporate hotel rates can also be abused through corporate discount codes that have become available in various forums. Anyone could book discounted hotel accommodations by using such codes.
Hotels usually ask customers who work for large corporations for their corporate ID cards to avail such discounts, but cybercriminals can also take advantage of that privilege by using fake corporate ID cards. One seller offers fake ID cards that bear the names of multinational organizations. These fake corporate ID cards are sold for RMB 1 ($0.15).
Figure 11. A login account with a free one-night stay priced for $5.99 on Dream Market
Figure 12. The seller claims to create an account that has a free upgrade and free breakfast on Dream Market
Figure 13. An advertisement selling Hyatt Gold Passport accounts on Dream Market
Figure 14. An advertisement selling fake corporate ID cards
Tours, cash withdrawals, and travel agencies
Tour tickets are also sold in the underground. Disney World tickets, offered with a custom package with no limit on the number of tickets the buyer requests, are sold on Dream Market at 30% of the regular price. During peak season, the legitimate prices of these Disney theme park tickets for children range from $107 to $168, while the price for adults ranges from $107 to $170.
Cybercriminals also sell services that offer discounted withdrawals and money laundering services. These services cater to ‘white money’ and ‘black money’ transactions. ‘White money’ is money for which necessary taxes have been paid, while ‘black money’ pertains to illegally obtained or undeclared income. These services are offered in South-east Asian countries, specifically China, Hong-Kong, Thailand, Taiwan, and Vietnam. Cash withdrawals (from Europe to South-east Asia and vice versa) for ‘white money’ comes with a 3% charge, while ‘black money’ in the form of money laundering (from Europe to South-east Asia and vice versa) is charged 35%. The seller will provide documents needed for these transactions in 1-3 days.
Prospective buyers also have the option to navigate directly to the pages of underground travel agencies to find cheaper flights and hotel accommodations that are usually just 30-50% of the normal price. One travel agency offers flights and hotels for 30 percent discount. Like all illegal services sold in the underground, interested buyers must transact via the seller’s specified contact information through Skype, ICQ, or Jabber. The agency can book cybercriminals a vacation in Sochi, Thailand, Vietnam, Bulgaria, Greece, UAE, Czech Republic, Spain, Dominican Republic, Israel, Cyprus, and India.
Gift cards and loyalty cards from restaurants are sold on the cheap as well. From pasta and Mexican food to goods from a health food store, travelers can avail these offers while they are on vacation for less than $15.
Figure 15. A seller charges a buyer $200 for custom package of Disney tickets on Dream Market
Figure 16. Advertisement for discounted withdrawal and money laundering services
Figure 17. Travel agency offering services in the underground
Figure 18. A Domino's Pizza loyalty account sold for $2.99 on Dream Market
Figure 19. A loyalty account from Pizza Hut is sold for $3.5
Figure 20. A Chuy’s Mexican Food gift card sold for $10 on Dream Market
Figure 21. A Whole Foods gift card worth $30 priced at $13.99 on Dream Market
Comparing cybercriminal and real-world price tags
To get a picture of how much these activities affect the travel industry, here are some possible scenarios that illustrate how much money businesses stand to lose based on scanning current face value ticket prices:LAX-MOW to attend a football tournament: $570
A Los Angeles-based traveler who wants to experience the 2018 FIFA World Cup in Moscow, Russia for two days only has to spend about $500 (50% of the regular price) for a roundtrip ticket and $60 (40% of the regular price) for a hotel. Moving around the city will only cost the buyer $5 (about 30% of the regular price) for taxi rides for airport pickup and departure drop-off, and another $7 (about 35 percent of the regular price) for a hotel pickup going to the Luzhniki stadium and back to the hotel.MOW-ATH for a Greek exploration: $240, MOW-BJS to climb the Great Wall: $585
A Moscow-based traveler who wants to explore the ruins and wineries of Santorini, Greece for two days only has to spend over $200 for a roundtrip flight and about $40 for hotel accommodation. If the traveler wants to take a vacation in Beijing instead and visit the Great Wall of China, roundtrip airfare and two-night hotel accommodations would only cost $550 and $35, respectively.MAD-MCO for a family tour at magical theme parks: $1,160
A Madrid-based family of four (two adults and two children) who would like to travel to Orlando, Florida for a tour in Walt Disney World Resort for two days only has to shell out over $1,100 for roundtrip flight tickets, hotel accommodation, and tour passes. Plane tickets can be bought for around $760, while two hotel rooms cost just over $200. Meanwhile, four Park Hopper tickets, which gives buyers the option to visit all four different Disney World Parks in a single day will only cost $202. The regular price of Park Hopper tickets: $170 each for adults, and $168 for children.
Overall, the real-world costs of these vacation trips could be reduced by up to 50 percent when travelers opt to purchase illegally-acquired offers. This could easily affect the bottom line of affected businesses.
Satisfied cybercriminals post pictures of their successful trips on forums as proof that the services sold to them are not a sham. In the gallery below, you will see photos showing several individuals enjoying scenic views of the beach, mountains, and cozy hotel rooms. However, not all customers are happy with their purchases.
There’s a downside in attempting to reduce your travel cost when availing these illegal services: getting your money's worth is not always guaranteed, and sometimes, you don't get anything at all. Scanning the underground forums, we found one buyer of a business class flight who complained about being unable to contact the seller when he found out that his purchase didn’t include a return flight. The customer couldn’t use his hotel reservation as well. There’s also a customer who ordered three flight tickets for a trip, but were canceled before departure, among others.
Fig. 21 Photos from satisfied customers
Fig. 22 Photos from satisfied customers
Fig. 23 Photos from satisfied customers
Fig. 24 Photos from satisfied customers
Fig. 25 Photos from satisfied customers
Figure 26. Customer complaining about absence of a return flight ticket and unusable hotel reservation
Figure 27. Customer complains about a canceled flight ticket
Impact on the affected industries and law enforcement initiatives
According to the International Air Transport Association (IATA), the airline industry faces estimated losses of US$1 billion a year from ticket fraud. Last year, an international law enforcement operation targeting airline fraudsters detained 193 individuals possessing plane tickets purchased using stolen or compromised payment card details.
The hotel industry suffers from the same problem. A survey conducted in 2015 revealed that six percent of travelers booked online hotel reservations using an imposter site. According to the American Hotel & Lodging Association, 55 million hotel reservations were booked on rogue websites in 2016, earning cybercriminals $4 billion yearly.
An example of how concerned industries can be vulnerable to cybercriminals is an incident involving a student from Florida International University who was arrested after being accused of hacking into airline accounts worth $260,000 in May 2016. The accused allegedly booked stays from Denver to Dubai, with additional fancy car rentals to boot. In 2012, there was a similar incident involving a businessman who hacked into the United Airlines website, stole unused travel points, and converted them under an alias. Of the $70,000 worth of miles stolen, he used 8,000 credits for personal travel and sold 60,000 through online classified ads.
The authorities also recently targeted cybercriminals who victimize car-sharing services. A man who bought a fake account online for car sharing-service Delimobile in Russia was busted by the police and charged with improper possession of a car. Investigations have been carried out against the accomplices of the detainee and the seller of fake accounts. In 2016 and 2017, Delimobile stopped more than 20 swindle attempts and five instances of attempted theft.
An operation targeting cybercriminals who engage in these illegal services was already put together by INTERPOL, Europol, and Ameripol, with support from Canadian and US law enforcement agencies, as well as by Frontex, the European Border and Coast Guard Agency. This is an effort to stop threats coming from cybercriminals and organized crime networks that profit from fraudulent online transactions, which are often linked to other activities including illegal immigration, human trafficking, and terrorism.
Countermeasures for businesses
Businesses in the travel industry should put safeguards in place to stop cybercriminals that provide illicit financial services, fraudulently purchased tickets, and fake documents. Businesses should follow the VISA recommendations on fraud prevention.
When accepting bookings, businesses should implement a process for validating the identity of the paying customer and credit cards used to pay for online transactions. When authorizing transactions, be wary of the following:
- Customers who book outside working hours. Most travel agencies do not normally book outside working hours within their geographical time zones.
- Foreign nationals who book for the accommodations of citizens registered in a different country.
- Customers transacting under different names but with similar mailing or billing address.
Travel agencies, hotels, and airline companies should be aware that their employees can be actively targeted by criminals who aim to gain access to corporate booking systems. They should also be cautious of opening documents and other files that may contain malware that can compromise their systems.
In addition, businesses should coordinate with law enforcement agencies to alert each other when they find suspicious and malicious transactions. Most of all, they should also ensure the privacy, security, and integrity of the gateways, endpoints, networks, servers, and other infrastructures that manage their business processes.
Countermeasures for users
Users can stay protected from cybercriminals who are out to get their credit card details, accounts, and other personally identifiable information (PII) by following these best practices. Users should avoid clicking links or downloading files without verifying the sources. Users should also monitor their accounts for signs of potential abuse. If there is any suspicious activity, they should consider changing passwords and replacing credit cards.
For travelers, here are some tips on avoiding fraudulent offers and travel scams:
- Only purchase tickets from reputable agencies or deal directly with airline companies, hotel, etc.
- Ensure that tickets are always purchased and issued under your name.
- Carefully pay attention to the name of the travel agency and its website. Social engineering attacks are prevalent online. While an embedded URL might seem perfectly valid, hovering above it might show a different web address.
- Enable two-factor authentication on your online accounts for login and online purchases.
- When booking or purchasing services for your travels, pay attention to red flags such as suspiciously low ticket prices offered by travel agencies. If you feel like the price for a trip is too good to be true, you should do a background check on the travel agencies, and confirm with the hotels and airlines regarding their bargain discounts. You can also check review sites for the company's legitimacy and reputation.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases