The Business of Fraud: Travel, Hospitality, and Loyalty Fraud

Posted: 5th May 2022
The Business of Fraud: Travel, Hospitality, and Loyalty Fraud


Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future analyzed current data from the Recorded Future® Platform, dark web and special-access sources, and open-source intelligence (OSINT) between January 2021 and January 2022 to observe the primary tactics, techniques, and procedures (TTPs) used by cybercriminals to perform fraudulent activities against airlines, travel, and hospitality organizations and services. This report expands upon findings addressed in the first Insikt Group Fraud Series report, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”.

Editor’s note: This research covers January 2021 to January 2022. Since then, the following dark web sources are no longer in operation: ToRReZ Market (January 2022) and Dark0de Reborn (February 2022).

Executive Summary

Airline and hospitality fraud is a general term that refers to illegal activities that target airlines, hotels, booking platforms, and other travel accommodation services providing car rentals, excursions, and more. Many of these services use loyalty programs where regular customers are rewarded with points that can be redeemed for free rewards. The popularity of these loyalty programs has led many other industries outside of travel and hospitality to begin implementing similar programs; the programs have also attracted the attention of scammers.

Airline and hospitality fraud includes various tactics, techniques, and procedures (TTPs) and is performed by threat actors on various forums, marketplaces, shops, and public messaging platforms. We analyzed our data sets from January 2021 to January 2022 and identified the most common TTPs used by threat actors to perform travel and loyalty fraud, the dark web and special-access sources that are popular among the threat actors engaged in this activity, and the specific threat actors who focus their efforts on advertising these criminal activities.

Key Findings
  • Cybercriminals primarily use dark web forums, marketplaces, social media (such as Telegram) and shops to advertise services, counterfeit documents, and compromised user accounts that facilitate fraudulent activities against airline, hotel, and hospitality-related industries.
  • The following TTPs were identified as being the most widely used by cybercriminals to target customers of airlines, hotels, and hospitality-related organizations: travel-themed phishing, fraudulent travel agency operations, sales and advertisements of travel fraud-related tutorials, and sales of compromised networks, user accounts, and databases that contain reward/loyalty points and personally identifiable information (PII) that could be used towards social engineering, money laundering, and other attack vectors.
  • Cybercriminals are selling fake COVID-19 vaccination documents on dark web sources. There continues to be a high demand for such documents, which many countries require for travel.

Services and activities that facilitate travel fraud have been both widely advertised and in high demand by threat actors since the inception of cyber-enabled crime. Cybercriminals primarily use stolen card-not-present (CNP) data and reward/loyalty points from compromised bank accounts to purchase flights, hotels, and other travel-related activity. Threat actors have continued to update their tactics in harvesting reward/loyalty points via compromised accounts, scamming victims into providing their travel-related documentation and data, and marketing updated how-to methods on defeating hotel and airline reservation services, among other activities. Despite the decline in air travel during the COVID-19 pandemic, an open source reported that the airline industry saw a 530% increase in cyberattacks directed at them. As the lockdowns from COVID-19 began to lift and international borders began to reopen, threat actors noticed an increase in demand for counterfeit COVID-19 vaccination documents and created a black market for them.

In 2021, Insikt Group observed approximately 4,000 references related to fraudulent activities targeting airlines and hotels worldwide. The following are the primary types of fraudulent methods being used:

  • Advertisements for fraudulent travel agency services
  • Listings of compromised accounts that contain rewards points
  • Phishing and scam websites used to harvest PII and travelers’ data
  • Advertisements for counterfeit COVID-19 vaccination statuses and certificates
  • Using compromised payment methods to purchase flight tickets and book hotels and other services

Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.