Boutique Shops Offering Rewards Points Pop Up on the Dark Web

These small specialty shops make rewards-point abuse more accessible to fraudsters by offering credentials for direct account access.

Cybercriminal interest in stolen data is not solely limited to financial or personally identifiable information. The exploitation of rewards-points programs, especially those associated with travel, is also on the radar screen for the bad guys. To cater to this interest, a series of boutique stores have popped up on the Dark Web, hawking rewards-related, ill-gotten wares.

Flashpoint analysts have been tracking several of these small specialty shops in the Russian-language underground, finding that they make rewards-point abuse more accessible to fraudsters who lack the capabilities required to access customer accounts themselves.

“This also ties in with the broader trend of underground marketplaces lowering barriers to entry for cybercrime by bridging the skills gap,” the researchers said, in a posting.

Most of these stores are advertising access to the login credentials of customer accounts for travel and hospitality rewards programs; Flashpoint said there’s a relatively high demand for these kinds of logins among the cybercrime set.

Previous activity related to travel and hospitality rewards-point abuse has revolved around the ability to set up scams for booking book travel or accommodations using stolen points. The specialty shops however claim to provide credentials for direct account access, marking a slight evolution in tactics. With account access, a user could “gift” the miles to themselves for use later, book travel directly or in some cases cash in the rewards points in exchange for other things.

Flashpoint researchers suspect that the account credentials were obtained incidentally while operating a botnet, since the observed vendors appear to offer a small number of accounts from a large number of institutions (i.e., the shops advertise rewards account credentials for more than a dozen airlines, but often list fewer than 10 accounts available per airline). In contrast, actors using brute-force tactics to target specific institutions tend to advertise accounts from only a few institutions, with a large number of accounts available from each institution.

“The advertised credentials were likely harvested alongside numerous other user credentials for other websites, but were specifically selected due to their perceived value,” Flashpoint researchers said. “In the process of using trojans with keylogging or form-grabbing capabilities to steal credentials for customer accounts at targeted institutions, botnet operators often unintentionally obtain account credentials for non-targeted websites.”

Unintentional or not, black hats aren’t the type to leave money on the table.

“For operators with little interest in using unintentionally obtained credentials to commit fraud, selling these credentials on the Deep & Dark Web (DDW) is an easy means of monetizing their bycatch,” the researchers noted. “While the resulting profits are likely to be low compared to other forms of fraud, it appears that the investment and effort put in by account sellers is also low.”

As long as they remain profitable, these specialized stores are unlikely to disappear. The most effective way for businesses and consumers to avoid falling victim is to use common sense: Avoid password reuse and change passwords frequently – and enable two-factor authentication wherever possible.

Suggested articles