Botnet Operators Cash in on Travel Rewards Program Credentials

May 2, 2018

Flashpoint analysts have been tracking several small specialty shops in the Russian-language underground advertising access to the login credentials of customer accounts for travel and hospitality rewards points programs. Since the observed vendors appear to offer a small number of accounts from a large number of institutions, Flashpoint analysts believe the accounts were obtained incidentally while operating a botnet.

These shops make rewards-point abuse more accessible to fraudsters who lack the capabilities required to access customer accounts themselves. This also ties in with the broader trend of underground marketplaces lowering barriers to entry for cybercrime by bridging the skills gap.

The advertised credentials were likely harvested alongside numerous other user credentials for other websites, but were specifically selected due to their perceived value. The fact that multiple threat actors have chosen to operate specialty shops focused on travel- and hospitality-rewards accounts indicates a relatively high demand for these credentials in the Russian-language underground.

Rewards Point Fraud: An Ongoing, Evolving Trend

Last November, Flashpoint reported on Russian-language cybercriminal activity related to travel and hospitality rewards-point abuse. However, the threat actors involved in this previously reported case were likely using brute-force attacks to access accounts rather than collecting credentials from botnet logs. In addition, unlike previous research on Russian-language actors advertising their ability to book travel accommodations on behalf of their clients, the botnet operators operating these specialty shops claim to provide credentials for direct account access.

Botnet Operators Monetizing Incidentally Obtained Credentials

In the process of using Trojans with keylogging or form-grabbing capabilities to steal credentials for customer accounts at targeted institutions, botnet operators often unintentionally obtain account credentials for non-targeted websites. In contrast, actors using brute-force tactics to target specific institutions tend to advertise accounts from only a few institutions, with a large number of accounts available from each institution.

For operators with little interest in using unintentionally obtained credentials to commit fraud, selling these credentials on the Deep & Dark Web (DDW) is an easy means of monetizing their bycatch. While the resulting profits are likely to be low compared to other forms of fraud, it appears that the investment and effort put in by account sellers is also low.

Travel and Hospitality Rewards Account Shops on the Russian-Language DDW

Flashpoint analysts have observed multiple travel and hospitality rewards account shops on the Russian-language DDW that appear to be run by botnet operators. In addition to primarily selling credentials for travel- and hospitality-related websites, these shops are similar in terms of their tendency to offer a small number of accounts from a large number of institutions. For example, both shops advertise rewards account credentials for more than a dozen airlines but often list fewer than 10 accounts available per airline.


As with other forms of rewards point abuse observed on the DDW, Flashpoint analysts assess with a moderate degree of confidence that the sale of hospitality rewards program credentials by botnet operators will continue as long as it continues to be profitable for botnet owners. The most effective way for businesses and consumers to avoid falling victim to this practice, as well as other forms of credential theft, is to adopt best practices such as avoiding password reuse and changing passwords frequently. Businesses should also consider introducing two-factor authentication if the risk or potential impact of successful account takeover is sufficiently high.