Miles Away from Safety: The Frequent Flyer Fraud

This article examines how cybercriminals exploit stolen frequent flier accounts for money laundering. It covers motivations, trading of accounts, methods to monetize stolen miles, case studies, financial impact, and current prevention measures.

CloudSEK TRIAD
September 24, 2024
Green Alert
Last update posted on September 26, 2024

Category:  Threat Landscape | Industry:  Aviation |  Motivation: Financial | Region: Multiple

Executive Summary

In the ever-evolving landscape of cybercrime, threat actors continually devise innovative methods to maximize their illicit gains.

This article delves into a sophisticated technique that has gained traction among cybercriminals: the exploitation of stolen frequent flier accounts as a vehicle for money laundering and value extraction.

The cybercrime ecosystem presents a unique challenge for malicious actors once they have successfully compromised systems or extracted funds from victims. Converting these ill-gotten gains into usable currency while evading detection is a critical step in their operations. 

This article provides an in-depth exploration of this phenomenon, covering several key areas:

  • The underlying motivations driving threat actors to target frequent flier accounts and loyalty points.
  • An examination of the underground marketplaces and forums where these compromised accounts are bought, sold, and traded.
  • A step-by-step breakdown of the process cybercriminals employ to monetize stolen mile points, including the conversion of points into bookable travel or other high-value commodities.
  • Two case studies that illustrate real-world instances of this fraudulent activity, highlighting the scale and sophistication of these operations.
  • An analysis of the financial impact on both individual victims and the airline industry as a whole.
  • A detailed attempt to profile the threat actors involved in this specific form of cybercrime, including their typical characteristics, operational methods, and potential connections to larger cybercriminal networks.
  • An overview of the current detection and prevention measures employed by airlines and financial institutions, along with their effectiveness in combating this threat.

By providing this comprehensive examination, we aim to shed light on a lesser-known facet of cybercrime that intersects with the travel industry, demonstrating the ingenuity of threat actors in exploiting seemingly innocuous systems for financial gain.

Understanding Miles

Airline miles, also called frequent flier miles or travel points, are like rewards that airlines give to their loyal customers. They work kind of like this:

  • Earning: You get these miles when you fly with an airline, use certain credit cards, or sometimes through special promotions.
  • Value: Each mile is worth a small amount of money, but they add up over time.
  • Usage: You can use these miles to "buy" things, mostly related to travel. For example:
    • Free or discounted flights
    • Upgrades to better seats
    • Hotel stays
    • Car rentals
    • Sometimes even gadgets or gift cards
  • Accounts: Airlines keep track of your miles in a personal account, kind of like a bank account but for travel rewards.

The benefits of miles are airline dependent. Many airlines have built a very elaborate ecosystem around their miles program to tie the rewards closely to flying with that specific airline, and the miles of these airlines are even more sought after in terms of demand.

Dark Web Mentions

  • Threat actors are evolving to bypass current defenses. They use dark web forums and IRC chats to trade malicious products and services targeting the aviation sector.
  • We found two types of mentions on these forums. Despite their apparent differences, both lead to similar potential impacts on the airline:
    • Selling miles as a vehicle for carding (covered in detail below with a case study)
    • Selling logs and accounts in exchange for other commodities

Screenshot: one such TA selling logs for accounts in exchange for cryptocurrency

Messaging Platform Mentions

  • Telegram has become a popular platform for cybercriminals due to its anonymity features and minimal moderation.
  • Compared to forums with stricter sign-up processes, Telegram offers easier access, making it a prime marketplace for data trading among various criminal groups.
  • This is done to convert the value they hold into fiat currency; gift cards have been exploited in the same way for a long time. Similarly, purchasing credit cards is another popular way of trading value.

Following are some of the ways threat actors approach a potential buyer.

1. Telegram Bot Automation

The first and foremost way of selling accounts is through bots, which automate the purchase flow and remove any haggling with the purchaser. One such account was: @MilesBrokerBot

2. Manual Approach

The second way is manually approaching potential customers to sell mile accounts. Below is the conversation our sensitive source had with a threat actor, which resulted in the potential identification of both the compromised account and the threat actor.


Screenshot shared by the Threat Actor as proof of access 

  • We identified the threat actor's Bitcoin address: 18pYW4xwc9nL4LaNSKA1yUxi3b75bbzBRU
  • Blockchain analysis revealed transactions from a Binance hot wallet (bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h) to the threat actor's wallet. As Binance maintains KYC data, a legal complaint could potentially reveal the threat actor's identity.

Screenshot of the MetaSleuth tool, used to check the transactions related to the TA wallet

How Does This Happen at Scale?

Customer Credentials

Credential breaches are the backbone of all types of illegal activity, and their use is ever increasing. Credential breaches broadly include:

  • Third-party breached passwords that are reused:

The impact of these is typically lower, since it requires the same password to be reused across different services with elevated privileges, which is generally countered by password policies in organizations.

  • Infostealer malware infection logs:

These are more impactful, as a stealer log gives the attacker the complete login URL as well as the username and password used to log in.

In the examples given above, where a threat actor was selling accounts for miles, this kind of activity can be averted by enforcing multi-factor authentication on all business-critical as well as customer-facing endpoints.

Once a threat actor has obtained credentials from free sources and credential brokers, they use tools like OpenBullet, which aid in credential stuffing. The config files are sold, or given away for free, on Telegram as well.

OpenBullet config files being sold on Telegram

Recommendations

  • Adding MFA to customer login endpoints.
  • Shortening the session lifetime to make session-based attacks harder to exploit.
  • Continuous monitoring of leaked customer credentials on the dark web.
  • Understanding the ecosystem of miles carding and making suitable changes to stop the transfer of miles from a suspicious login attempt.
  • Adding robust behavioral detection on public login endpoints.
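As an added example (not CloudSEK's code or any product's), the two detection-side recommendations above, behavioral detection on the login endpoint and blocking miles transfers from suspicious logins, can be tied together over a constructed auth log: a source that cycles through many distinct usernames in a short window with mostly failures is the footprint a credential-stuffing tool such as OpenBullet leaves, and a session from such a source is not allowed to move miles unless it steps up with MFA. The log format, thresholds and function names are assumptions.

```python
# Added example, not CloudSEK's code: flag credential-stuffing logins and gate
# miles transfers on that signal. Log format, thresholds and names are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-09-20T10:00:01Z 203.0.113.5 alice@example.com FAIL
2024-09-20T10:00:02Z 203.0.113.5 bob@example.com FAIL
2024-09-20T10:00:03Z 203.0.113.5 carol@example.com FAIL
2024-09-20T10:00:04Z 203.0.113.5 dave@example.com OK
2024-09-20T10:00:05Z 203.0.113.5 erin@example.com FAIL
2024-09-20T10:01:00Z 198.51.100.7 frank@example.com FAIL
2024-09-20T10:01:30Z 198.51.100.7 frank@example.com OK
"""

def parse_log(text):
    """Parse one event per line into (timestamp, ip, username, success)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "OK"))
    return events

def stuffing_sources(events, window=timedelta(minutes=5), min_users=4, max_success=0.5):
    """Return source IPs that tried many distinct usernames within `window` with a low
    success rate: a tool cycling a combo list, not one user mistyping a password."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in events:
        by_ip[ip].append((when, user, ok))
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            batch = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in batch}
            rate = sum(ok for _, _, ok in batch) / len(batch)
            if len(users) >= min_users and rate <= max_success:
                flagged.add(ip)
                break
    return flagged

def allow_miles_transfer(session_ip, flagged_ips, mfa_verified):
    """Refuse to move miles when the session's login came from a flagged source
    and the user has not stepped up with MFA."""
    return mfa_verified or session_ip not in flagged_ips
```

In the sample, 203.0.113.5 hits five different accounts in five seconds with one success and is flagged, while the single user retrying from 198.51.100.7 is not.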


Author: CloudSEK TRIAD, CloudSEK Threat Research and Information Analytics Division

