Cybercriminals preying on travel surge with a host of… | Intel 471 Skip to content
blog article

Cybercriminals preying on travel surge with a host of different scams

Cybercriminals rarely let a societal trend go by without trying to scam their way into some misbegotten money.


Jun 15, 2022
Adobe Stock 292354035

As people try to move on from the COVID-19 pandemic, the travel industry is seeing an influx of activity. The travel division of American Express said February 2022 was its "biggest month ever,” as more people felt comfortable returning to flights, hotels and various destinations around the world. Much like their actions when the pandemic was in full swing, cybercriminals have latched onto this boom, creating various scams that aim to take advantage of people’s desire to travel.

Intel 471 has observed several actors throughout the cybercrime underground either advertising schemes or searching for partners that would help craft scams aimed at the travel industry. Some of the most popular organizations in travel and hospitality are being targeted, with ramifications that can impact both individuals and organizations alike.

Targeting specific accounts

Since January 2022, Intel 471 has observed multiple actors across numerous cybercrime forums selling credentials tied to travel-related websites. In February, one such actor listed access to account credentials of U.K.-based users at a major travel booking website and two U.S.-based airlines. The actor specifically was targeting mileage rewards accounts with at least 100,000 miles. Access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. Alternatively, the accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.

One of these observed actors also posted advertisements seeking help in targeting information to support further travel-related schemes. The actor offered to sell a database with personal identifiable information (PII) related to 40,000 people employed in Illinois.. Access to stolen PII is a key component of specific travel fraud activity that relies on the ability to assume a stolen identity or create a new persona from stolen data. This part of the travel scheme would allow an individual to travel unnoticed, bypass travel restrictions, possibly evade law enforcement or simply minimize the ability to track their movements.

Long tail of ransomware attacks

While ransomware-as-a-service (RaaS) gangs have gone after the travel industry in prior years, Intel 471 has not observed a heightened, direct threat to the industry at-large over the first few months of 2022. Yet, risk remains that organizations should be conscious of. In August 2021, the Lockbit 2.0 RaaS breached international professional services firm Accenture, demanding a US $50 million ransom payment to stop the leak of allegedly 6TB of stolen data. Later that month, LockBit 2.0 breached a regional airline based in Thailand, with credentials allegedly obtained from the Accenture breach.

As this report was being crafted, an attempted ransomware attack impacted the IT systems of SpiceJet, a low-cost airline headquartered in India. The attack forced the company to cancel and delay flights, leaving customers stranded at airports or even inside planes.

War in Ukraine

Intel 471 has also observed travel scams and cybercrime being conducted as a result of Russia’s invasion of Ukraine. We observed threat actors use insiders in organizations that support travel operations. In addition to commercial travel, we have also witnessed underground criminals use insiders for illegal migration purposes including one actor who claimed to have an insider at a government agency that subsequently possibly was identified as the Moldovan or Ukrainian state border service. Shortly after the start of the war, the actor claimed the insider could facilitate illegal border crossings for Ukrainian males aged 18 to 60. Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints. The border crossing records for the person using the actor’s service would be backdated on a passport and government databases as part of the scheme.

Additionally, we saw an actor join KillNet, a pro-Russian Hacktivist group, conduct attacks against targets in Romania and other countries that provided support to Ukraine. Travel-related entities impacted by these attacks included the Romania-based Air Traffic Services Administration and Bucharest Airport. Furthermore, aviation and transportation entities were among KillNet’s most frequented targets in the first half of 2022.

Kill Net Target Chart 02 Jun2022

How to avoid the uptick in scams

Travel fraud is a diverse underground offering that appeals to threat actors and individuals searching for online discounted reservations, illegal migration, or impersonation of individuals. The interest in these services has created an abundance of online fraud schemes targeting the travel and hospitality industries with an estimated 155 percent rise in attacks globally in 2021.

Maintaining awareness of techniques that actors use to conduct travel fraud and target travel-related entities can provide guidance and direction to adjust defense and security strategies. For organizations, using artificial intelligence (AI) to identify false identities when booking travel and install a local security solution with anti-fraud and anti-phishing filtering can go a long way in preventing actors from taking over high-value accounts. For individuals, refraining from responding to unsolicited vacation offers, being smart about payments, and booking directly through reputable service can prevent the likelihood of being scammed.