As COVID-19 travel restrictions eased, scammers pounced

You can add travel-booking scams to the ways that cybercriminals have adapted to the pandemic-era economy.

After slashing prices on the hacking tools sold on underground forums and targeting remote-access software used for remote work, crooks have been monitoring the fluctuations in travel restrictions around the world for an opportunity to hawk illicit travel schemes, according to research published Tuesday by the threat intelligence firm Gemini Advisory.

The analysts found an uptick in travel-related chatter on over a dozen cybercriminal forums since July, around the time that countries in Europe began loosening travel controls. Mentions of travel-related issues on the forums went from roughly 100 per day in early June to more than 600 per day in early September, Gemini Advisory analysts said.

“Numerous dark web forum members and Telegram channels have resumed advertising travel services after being dormant during the peak of COVID-19 pandemic,” Gemini Advisory said in a blog post. “One prominent cybercriminal has posted travel advertisements daily on Telegram since the beginning of July, after making only three advertisements from March to June 28, 2020.”

The research spotlights a black market that has cost the airline industry some $1 billion annually, according to Europol. The schemes typically involve using stolen payment card data to book flights or other travel, and then selling those bookings at a steeply discounted price to customers who may be unaware they are participating in fraud. The cybercriminals have been using Telegram, an encrypted messaging platform, to tout photos purporting to show happy, vacationing customers.

Law enforcement agencies have tried to crack down. But the market has proved resilient, in part because of the ability of attackers to plant data-stealing code on booking websites. So-called Magecart-style attacks, which siphon off financial data, have hit multiple booking sites in recent years, including that of British Airways in an incident that affected half a million customers.

The findings show how crooks will opportunistically flock to whatever scheme is most effective in the moment. At the height of travel restrictions, fraudsters tried to convince customers that they could still travel. One advertiser told customers that they still “reserve hotels in practically every town in Russia,” emphasizing the appeal of domestic travel, according to Digital Shadows, another dark-web intelligence firm.

Europe is now staring down another wave of the virus, with another round of travel limitations already underway. Ilya Volovik, an analyst at Gemini Advisory, expects scammers to shift to pushing other services yet again. The attackers typically “adopt new schemes according to their targets’ vulnerabilities or the demand for certain types of stolen data,” he said.