As if travel and travel-related activities aren’t fraught enough after the onset of the COVID-19 pandemic, cybercriminals have added an extra layer of turmoil, promoting scams to take advantage of people ready to spread their wings and travel after years of staying close to home.
“Intel 471 has observed several actors throughout the cybercrime underground either advertising schemes or searching for partners that would help craft scams aimed at the travel industry,” researchers at the security firm wrote in a blog post. “Some of the most popular organizations in travel and hospitality are being targeted, with ramifications that can impact both individuals and organizations alike.”
Since January, several actors have been selling credentials tied to travel-related websites across a number of cybercriminal forums. In February—which American Express’s travel division called “its biggest month ever”—one actor listed “access to account credentials of UK-based users at a major travel booking website and two U.S.-based airlines,” Intel 471 said.
The actor specifically went after mileage rewards accounts that had racked up at least 100,000 miles. “Access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers,” researchers wrote. “Alternatively, the accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”
One actor also advertised for “help in targeting information to support further travel-related schemes,” offering to sell a database containing personally identifiable information (PII) on 40,000 people employed in Illinois, according to the blog post.
Surprisingly, Intel 471 didn’t find a heightened direct threat to the travel industry from ransomware attacks so far this year, despite the fact that ransomware-as-a-service (RaaS) gangs have targeted it in the past.
“Yet, risk remains that organizations should be conscious of,” they said, noting that in August of last year, “the Lockbit 2.0 RaaS breached international professional services firm Accenture, demanding a $50 million ransom payment to stop the leak of allegedly 6TB of stolen data.” That data was allegedly used to provide credentials that facilitated a LockBit 2.0 breach of a Thailand-based regional airline later in the month.
“As this report was being crafted, an attempted ransomware attack impacted the IT systems of SpiceJet, a low-cost airline headquartered in India,” the researchers said. “The attack forced the company to cancel and delay flights, leaving customers stranded at airports or even inside planes.”
Cybercriminals never pass up an opportunity to exploit any tragedy or grave situation. Case in point: one actor was observed joining the pro-Russian hacktivist group KillNet to attack targets in Romania and other countries providing support to Ukraine.
“Travel-related entities impacted by these attacks included the Romania-based Air Traffic Services Administration and Bucharest Airport,” Intel 471 said. And, “aviation and transportation entities were among KillNet’s most frequent targets in the first half of 2022.”