Reselling Hospitality: A Look at Hotel Rewards on the Dark Web

Just about any piece of data can be turned into money on the Dark Web – from social security numbers to utility bills to credit card information. Since everything is fair game, it should be no surprise that rewards points are just another piece of data on that list.

Look inside The Black Market Report, and you will find evidence that the travel miles you have been accumulating have caught the eye of buyers and sellers in underground markets. In one case, for example, access to a hacked rewards account for Southwest Airlines with at least 50,000 miles was being offered for $98.88. The same vendor offered another account with at least 100,000 miles for $148.88. Meanwhile, an account with 25,000 miles or more with Scandinavian Airlines was being sold for $34.99, and an account with 100,000 or more went for $89.99.

In addition to selling compromised accounts, cybercriminals may turn to mileage brokers that pay people to transfer points or attempt to redeem them through certain sites in exchange for gift cards. But there is another way for scammers to turn these accounts into money: underground travel agencies.

In some of the examples our Threat Resistance Unit (TRU) team found, cybercriminals used stolen rewards points or credit cards to purchase travel and hotel reservations for resale at reduced prices.

Besides saving buyers money, these underground booking operations also potentially offer a buyer the ability to travel and find lodging while staying off the radar. Armed with a stolen identity, someone could slip through borders and travel undetected – and do all of it on the cheap.

There are many ways thieves and scam artists can compromise rewards accounts, starting with stealing or brute-forcing the passwords of legitimate users. Unfortunately, many people take their online rewards accounts for granted, often failing to monitor the use of their accounts, implementing account passwords that are easily guessable, and re-using the same password across multiple sites. Complicating security even further is the fact that historically many of the programs did not require two-factor authentication for users to access their accounts. In that scenario, if a password gets compromised, it is often too late to prevent the theft.

So, what should you do as a consumer? First, follow best practices regarding passwords. Don’t share passwords across multiple sites, and be sure to use passwords or personal identification numbers (PINs) that are not easily guessable. In other words, they should be easily recallable by YOU – but things that can be found with a Google search, such as birthdays and names, as well as the infamous “123456”, should not be used as passwords for guarding sensitive accounts. Passwords can also be stolen using malware or sniffed during man-in-the-middle attacks, making it vital that account holders keep their antivirus and other software up to date and are cautious when surfing the web and clicking on links on social media platforms.

To put a spin on a famous quote, a penny protected is a penny earned. While rewards points might not seem as obviously valuable as credit cards or other data, the illicit market for stolen points is growing strong.

To read the full report, visit: The Black Market Report: A Look into the Dark Web.

For additional cybersecurity best practices for the hospitality industry, check out our joint blog and infographics with client OpenKey:

2017 Hasn’t Been Easy

Top 5 Industries Breached

