The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.
Listen to Motherboard’s new hacking podcast, CYBER, here.
I escape the constant horns and crowds of New York by dipping into a hotel in Times Square. I’m staying in this hotel for a fraction of the listed price, thanks to some enterprising fraudsters I found on a Russian forum. An established and booming underground trade allows people to stay in four and five star hotels at a steep discount, with sellers obtaining the rooms through stolen loyalty point accounts, abused employee discounts, or corrupted hospitality industry insiders. Many of these de facto travel agents also sell international, and sometimes business class flights on the cheap.
To investigate the how easy it is to engage with this trade, its pervasiveness, and the lax security protocols leading hotels have put in place to stop fraud, Motherboard bought a room in Times Square from an underground forum for $100, an over 50 percent reduction from the listed price. Other sellers offer 60 and 70 percent discounts, and flights are sold at half price or sometimes even cheaper. Motherboard found customers staying in hotels from New York to Bangkok, Cannes to Barcelona. It’s a worldwide and years-long practice operating in relative openness.
“How do we do it? Trade secret mate, just know that it involves booking with points in a way that makes it indistinguishable to a legit booking,” reads an item listing for cheap flights on Dream Market, likely the biggest dark web marketplace at the time of writing.
These underground travel agents are set up on a slew of crime sites and marketplaces. Most of the adverts and threads Motherboard reviewed were on Russian language forums, but others exist in English and Arabic. Some vendors also have their own websites wholly dedicated to providing dodgy travel services.
Typically, the travel agents advertise their price along with other information such as how many days in advance of travel the client can book. Some underground travel agencies offer all-inclusive services, with flights, hotels, and taxis all covered by one price, according to a website flagged to Motherboard by cybersecurity firm Trend Micro.
The travel agents’ advertisements are gltizy, over the top, and in your face, which is common on crime and fraud forums. Many have their own logos and fonts. One resembles the Instagram meme of an attractive woman leading the protagonist by the hand off into a scenic location. Others have speedboats, sports cars, and various landmarks pasted in the background, showing would-be customers the lifestyle they may want to emulate.
These agents put a heavy emphasis on customer service. Sellers often quickly move interested holiday goers away from the forums—which will typically have clunky and slow direct messaging systems—and onto messaging apps like Telegram or ICQ. Some travel agents even run semi-automated services, with bots on Telegram that a customer can interact with and then be directed to a verified seller for a hotel or flight, according to research from cybersecurity firm Digital Shadows.
In my case, I contacted multiple travels agents on Telegram, and asked if hotels in various cities were a possibility. One agent was willing to provide rooms in London; another said New York was an option, but “not all hotels can be done.” Usually, customers provide the travel agent with a screenshot from a hospitality aggregation site such as Booking.com or Trivago.com that includes their desired hotel and check-in and out dates.
After declining to book a room at my original choice of New York hotel, the agent I decided to work with provided the name of a hotel near Times Square. Other vendors in the digital underground often sell loyalty points for this hotel chain (Motherboard is not naming the specific hotel, as our test was to highlight a more general, industry-wide issue rather than calling out any single hotel in particular.) “100$ in btc,” the travel agent said when asked how much booking that room would cost. According to several price comparison sites, the room would typically cost over $200. I sent the travel agent the $100, provided my name, and they responded with a booking confirmation half an hour later. Of course, booking a hotel in your own name is going to break a customer’s hopes of anonymity, but if they wished to, they could decide to use a fake name or set of fraudulent identification documents.
Naturally, all of the services Motherboard encountered take their payment in the pseudo-anonymous cryptocurrency Bitcoin. Though the perceived anonymity can be a bonus, there’s another plus too—many customers have Bitcoin from their own scams or cybercrime escapades.
“For other cybercriminals of all sorts it is actually more convenient to buy tickets from their peers, rather than going through the process of exchanging money into a proper currency and then procuring tickets though a regular travel agency,” Vladimir Kropotov, Mayra Rosario Fuentes, and Fyodor Yarochkin, researchers for Trend Micro, wrote in a briefing document prepared for Motherboard.
After Motherboard sent the travel agent the $100 worth of bitcoin, they moved it to another bitcoin address that contained just over 9 BTC, or around $60,000.
The trade in these fraudulently obtained rooms and travel arrangements started as far back as 2005, according to Trend Micro. The business grew in popularity as airlines moved to electronic tickets, the researchers added.
“We see this more and more now compared to several years ago,” Trend Micro said.
Indeed, last year law enforcement targeted airline fraudsters and arrested 193 people participating in the scam. In May, the UK jailed Grant West, who went by the handle Courvoisier on dark web marketplaces. As part of his cybercrime operation, West used victim’s airmiles to fund gambling holidays in Las Vegas.
Motherboard took steps to ensure that the hotel we booked was bought with loyalty points (as opposed to a stolen credit card.) As some in the hospitality industry explained, transferring loyalty points is often allowed; sometimes, selling loyalty points is a terms of service violation, but not a crime. When asked for comment on one vendor selling airline loyalty points, for example, a spokesperson from Emirates said “We are aware that there has been a number of advertisements where members buy and transfer the miles they own amongst themselves. This does not mean the miles were fraudulently obtained. Emirates Skywards allows its members to transfer and gift miles to friends and family, and also purchase miles online under specific terms and conditions. Based on the screengrab you sent us, it is impossible for us to determine if these miles were obtained fraudulently.”
All of the hotels and airlines that responded to requests for comment said they take fraud seriously and have measures in place to stop it; Motherboard’s test indicates that there still are gaps in these protections.
Another travel agent’s advertisement thread on a Russian crime forum goes on for some 37 pages, with the majority of posts seeming to be positive reviews of the service. The reviews and comments for one agent is 72 pages long, with the most recent review posted just last week, which also praised the seller for sending tickets on time with no issues.
“It worked perfectly, sent a small crowd to Paris,” another review written in October reads.
With the reviews, many users also post photos from their plane, hotel, or elsewhere on their trip, so their vouch carries more weight. But these photos may come back to bite some of the reviewers.
Using clues in the photos, Motherboard successfully geolocated one fraudster to a high-end hotel in New York’s Times Square overlooking the Barclays building. Motherboard also found another scammer outside a casino in Cannes, France. Some of these people were trivial to geolocate thanks to their sloppiness or perhaps brazenness—the images included a piece of paper with the hotel’s branding, for instance. But others required a closer examination—an analysis of the skyline in one photo showed it was taken from a particular hotel in Bangkok.
In one case, the reviewer posted a photo of their boarding pass, with their name and other personal info redacted. However, the barcode of the boarding pass itself remained visible. Motherboard cropped the photo and used a free online tool that decodes boarding pass barcodes to reveal the name used for the booking.
Not all of these bookings are successful. In some cases, scammers may trigger fraud alerts from the hotel or airline. Seemingly in an effort to have a successful trip before anti-fraud measures kick in, some travel agents only allow booking from one to five days in advance.
“For 1-5 days all good hotels have already been bought up by 100%!” one user on a crime forum replied to a travel agent’s advertisement in Russian.
The Trend Micro researchers added that “when looking at the service agreements of these sellers they often reference ‘grace periods’ for card transactions to limit the chance the fraud is detected before the service is used.”
The travel agents “carefully study anti-fraud detection systems and have tricks to either bypass them or delay alerts so their customers would be able to use the service before the fraud is detected,” the researchers wrote.
And certainly not all of the trips are glamorous. Some Russian-language reviews show photos of a rather unsightly plate of chewy looking scrambled eggs and a few hunks of meat—hardly the 5 star holiday of an entrepreneurial hacker.
As with any other cybercrime enterprise, there are multiple parts that need to be strung together—sourcing the commodity, finding how other crooks can make use of it, and effectively monetizing it. Often there are many different people involved in different parts of that supply chain. In this case, some sellers focus purely on providing access to loyalty points or accounts, which the travel agents can use to book hotels for their customers. Or, people looking for cheap hotel rooms may want to skip the middleman and just buy the loyalty accounts themselves.
One seller on The Dream Market, for example, advertises stolen Hilton Honors points: just under $900 for 100,000 points. Depending on the room, a free stay at a Hilton resort can cost as little as 5,000 points, according to Hilton’s own website. Hilton did not respond to multiple requests for comment.
With that Hilton offering, the seller says they will transfer the points to your own account, or they’ll create a new one loaded with the points. Other vendors sell hijacked accounts in their own right.
“Do you understand that there is no replacement if account has 2FA verification? (it’s part of the game),” one listing for points from airline loyalty program JetBlue reads. In their product description, the seller adds that 2FA, or two-factor authentication, kicks in when a hacker triggers the company’s anti-fraud systems.
Beyond being in more of a legal grey area, the advantage loyalty points have over, say, buying the rooms with stolen credit cards, is that their use may raise less suspicion from hotels or airlines, and cut out fraud-spotting banks altogether. Several loyalty point and travel listings on the dark web are marked as ‘clean’ or ‘non-carded,’ likely meaning they weren’t obtained using a credit card.
Some of the loyalty points for sale on forums and marketplaces are probably grabbed through hacking a hotel customer’s account, perhaps through phishing or password reuse. Brent Flint, a customer of Air Miles Canada, told Motherboard he recently checked his loyalty app to find that his point balance was off. In that case, the hackers used the points to purchase a cellphone and a camera, Flint said in an online chat. The company did reimburse the points, but “we were concerned with the lack of security questions they asked my wife when she called them,” Flint said.
Researchers from Digital Shadows told Motherboard travel agents make fraudulent use of employee discounts and coupons as part of their operations, as well as potentially malicious hospitality insiders.
In all Motherboard contacted over a dozen airlines and hotel chains that appeared to be impacted by loyalty point fraud: one vendor on Dream Market was selling points for each of them. A handful did not reply, but most said they take fraud seriously, and exhorted customers to take care of the passwords for their loyalty point accounts.
“Delta encourages our customers to safeguard and regularly change their Delta login credentials to prevent attempts by bad actors not affiliated with us to gain access to their accounts,” a Delta Airlines spokesperson told Motherboard in a statement. One of the review images posted to a crime forum showed a fraudster sitting on a Delta flight.
The American Hotel & Lodging Association told Motherboard in an email this was not a scam it was familiar with.
My own booking went off without a hitch.
“Write me when you check in tomorrow,” my travel agent said in a Telegram message shortly beforehand. After getting to the hotel, I took some photos of Times Square from the room, had a whiskey at the bar, and sent the agent the all-clear message. “Ok,” the travel agent replied.