A pair of Russian teens have been arrested for infiltrating more than a half-million online accounts, in particular targeting services that offer rewards points.
Russian authorities at the Ministry of Internal Affairs said in an announcement Wednesday that the duo came to their attention in late 2015, when they carried out a large-scale “dictionary attack” – a type of brute-force attack that tries thousands of common words and known passwords against each account – and were able to compromise more than 120,000 accounts at a popular Russian online retailer.
From there, they used the rewards points built up in the accounts to make purchases, before selling the account credentials on the Dark Web. Previous activity related to travel and hospitality rewards-point abuse has revolved around the ability to set up scams for booking travel or accommodations using stolen points. The specialty shops, however, claim to provide credentials for direct account access, marking a slight evolution in tactics. With account access, a user could “gift” the miles to themselves for use later, book travel directly or, in some cases, cash in the rewards points in exchange for other things.
The 2015 conquest, however, wasn’t their last: According to the police announcement, they were able to hack more than 500,000 accounts in total by replaying the same email and password combinations harvested at the e-tailer against other services, thanks to the rampant problem of consumer password reuse. Group-IB, which helped the investigation, said that they also took underground denizens up on tips about additional services with bonus programs they could attack, offering them a generous 50 percent revenue share for the information.
The firm also told Bleeping Computer that their tactics were relatively advanced, launching hacks from more than 35,000 unique IP addresses while using anonymizers and “changing the digital fingerprint of the browser (User-Agent).”
Ryan Wilk, vice president of customer success for NuData Security, told Threatpost that the stolen records that are now available on the Dark Web are also valuable in numerous ways.
“Once there, these records are used for synthetic fraud and account takeover – which increased tenfold in the last year, based on NuData’s analysis,” he said. “Fraudsters purchasing these records can slip into accounts unnoticed – until a user gets locked out of their account or a bill shows up for things she did not buy.”
The two unnamed suspects, aged 18 and 19, worked in tandem, the authorities said: One was cyber-savvy and brought coding knowledge to the table, while the other carried out the illegal access to the accounts. They remain under house arrest as they await trial.
“Merchants have security systems placed around their purchase functionality and often leave their other placements (account creation, login, and shipping addresses, for instance) loosely supervised as they consider them less risky,” Wilk told us. “However, bad actors take advantage of these less supervised placements to prepare their fraudulent purchase quietly or steal loyalty points. By monitoring every placement, merchants can detect fraudulent activity before it gets to the purchase, preventing fraud losses before they happen.”
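The detection stance Wilk describes, watching the login placement rather than only the purchase step, can be shown on the attack pattern reported above: one source hammering many accounts with a rotating User-Agent, and a distributed campaign in which each of many IPs touches a single account with reused credentials. The following Python detector is an added example, not code from Threatpost, Group-IB or NuData; the CSV log format, the IP addresses, accounts, thresholds and the sample events are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample login events (not real data): ts,ip,account,user_agent,result.
# 203.0.113.10 tries four accounts with four different User-Agents (single noisy source);
# 203.0.113.11-.14 each try exactly one account (low-and-slow distributed campaign);
# 198.51.100.7 is a normal user logging into her own account twice.
SAMPLE_LOG = """\
2015-11-02T10:00:01,203.0.113.10,alice@example.test,Mozilla/5.0 (Windows NT 6.1),FAIL
2015-11-02T10:00:02,203.0.113.10,bob@example.test,Mozilla/5.0 (Macintosh),FAIL
2015-11-02T10:00:03,203.0.113.10,carol@example.test,Mozilla/5.0 (X11; Linux),FAIL
2015-11-02T10:00:04,203.0.113.10,dave@example.test,Mozilla/5.0 (Windows NT 10.0),OK
2015-11-02T10:00:05,203.0.113.11,erin@example.test,Mozilla/5.0 (Windows NT 6.1),FAIL
2015-11-02T10:00:06,203.0.113.12,frank@example.test,Mozilla/5.0 (Windows NT 6.1),FAIL
2015-11-02T10:00:07,203.0.113.13,grace@example.test,Mozilla/5.0 (Windows NT 6.1),FAIL
2015-11-02T10:00:08,203.0.113.14,heidi@example.test,Mozilla/5.0 (Windows NT 6.1),OK
2015-11-02T10:00:09,198.51.100.7,alice@example.test,Mozilla/5.0 (Windows NT 6.1),OK
2015-11-02T10:00:10,198.51.100.7,alice@example.test,Mozilla/5.0 (Windows NT 6.1),OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    ip: str
    account: str
    user_agent: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed CSV format; result column is OK or FAIL."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines rather than crash the detector
        ts, ip, account, ua, result = row
        events.append(LoginEvent(ts, ip, account, ua, result.strip() == "OK"))
    return events


def noisy_sources(events, min_accounts=3):
    """IPs that tried at least min_accounts distinct accounts in the window:
    the classic single-source credential-stuffing signal."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e.ip].add(e.account)
    return {ip for ip, accs in accounts.items() if len(accs) >= min_accounts}


def rotating_user_agents(events, min_distinct=3):
    """IPs presenting many different User-Agents in one window. A person on one
    device keeps a stable UA; a tool that rewrites its browser fingerprint does not."""
    uas = defaultdict(set)
    for e in events:
        uas[e.ip].add(e.user_agent)
    return {ip for ip, s in uas.items() if len(s) >= min_distinct}


def distributed_campaign(events, min_ips=4, min_fail_rate=0.5):
    """Low-and-slow campaign: many IPs that each make a single attempt on a single
    account, with a high failure rate across them. Per-IP limits never fire on
    this pattern, so the signal must be aggregated over the whole window."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e)
    single_shot_ips = {ip for ip, evs in per_ip.items() if len(evs) == 1}
    if len(single_shot_ips) < min_ips:
        return set()
    attempts = [e for e in events if e.ip in single_shot_ips]
    fail_rate = sum(not e.success for e in attempts) / len(attempts)
    return single_shot_ips if fail_rate >= min_fail_rate else set()


def takeover_candidates(events):
    """Accounts with a successful login from any flagged source. These are the
    likely password-reuse victims: step up authentication and review rewards
    redemptions rather than waiting for a disputed purchase."""
    flagged = (noisy_sources(events)
               | rotating_user_agents(events)
               | distributed_campaign(events))
    return sorted({e.account for e in events if e.success and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("noisy sources:      ", noisy_sources(evs))
    print("rotating UAs:       ", rotating_user_agents(evs))
    print("distributed campaign:", sorted(distributed_campaign(evs)))
    print("takeover candidates: ", takeover_candidates(evs))
```

On the sample, the single-source rules flag only 203.0.113.10, while the aggregate rule catches the four one-shot IPs that a per-IP threshold would ignore; the two accounts that were successfully entered from flagged sources (dave and heidi) surface as takeover candidates, and the repeat login by alice from her own address does not. In production the window, thresholds and the definition of a "single-shot" source would be tuned against the service's baseline traffic, since a handful of genuine mistyped passwords will always be present.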
Similarly, it’s essential to devalue the data bad actors steal, so that they lose interest in these schemes. Companies can do this by changing the way they identify users online.
“Many companies and financial institutions are starting to authenticate their users by their inherent behavior – which can be stolen or mimicked – through passive biometrics and other cutting-edge tools. With this technology, the credentials bad actors steal are not enough to access someone’s account, making that stolen information valueless.”
The exploitation of rewards-points programs is big business on the Dark Web, especially those associated with travel, according to Flashpoint analysts. As we previously reported, they have been tracking several small specialty shops in the Russian-language underground, finding that they make rewards-point abuse more accessible to fraudsters who lack the capabilities required to access customer accounts themselves.
Most of these stores are advertising access to the login credentials of customer accounts for travel and hospitality rewards programs; Flashpoint said there’s a relatively high demand for these kinds of logins among the cybercrime set.