For at least the last two years, an ecosystem of fraud has been perpetrated by cybercriminals against nearly every major airline across the globe. Criminals have been acting as dark web travel agents, supplying customers with airline-specific accounts and credit cards, discounted flights and gift cards, tutorials for how to conduct this type of fraud, even going so far as to offer fraudulent tickets.

This blog is intended to highlight the flourishing scene on criminal marketplaces for airline-related information, including the selling of:

  • Airline accounts
  • Credit cards issued from specific airlines
  • Discounted gift cards
  • Other airline services

Throughout the research, we couldn’t help but think… why would someone willingly choose to buy likely stolen products and venture into some of the most highly controlled environments in the civilian world?

Stolen airline accounts on the dark web

Among the marketplaces which are still operating today, Empire Market is one of the more well-known of the ever-shrinking players. Berlusconi Market, a market that shot up in popularity through 2019, ceased operations after three of the market’s admins were arrested in Italy. It’s unclear whether the site itself was seized, as the press release from Italy’s Guardia di Finanza merely stated the arrest of its’ admins. Among the airline accounts being offered for sale on Empire, Photon Research Team detected sellers offering accounts for most of the significant airlines within the United States as well as Europe.

The airline account advertisements work a bit differently than most offerings on criminal markets. Each of these accounts has an initial base price for an account, which is not that unusual. But what makes airline accounts unique is the airline miles or reward points that are attributed to each account. These are typically used as an incentive by airlines to encourage frequent flyers to stick with one airline and ensure recurring flights over time. The average base price for these accounts across various dark web marketplaces is $17. This typically includes access to the account and either a small number of mileage points or none at all. If a buyer wanted to purchase an account that had more points, they could, of course, do this for a fee.

southwest airlines dark web points for sale

Across the offerings that we analyzed, we put together the table below, which is the average price of the custom options for the accounts (higher mileage points). This means the full cost of an airline account (which has 30,000 reward points) is, on average, about $93.

Average add-on price for higher mileage accounts
1 – 25,000 25,001 – 50,000 50,001 – 100,000 100,000+
 $    30.28  $             76.57  $             101.86  $ 166.33

There is obviously some room for interpretation here: for one, airline mileage points aren’t one to one comparisons when you go from one company to another. Meaning, one point at Southwest Airlines might not be equal to the same amount at Alaska Airlines.

Advertisements for accounts aren’t limited to airliners; hotels, trains, and third party booking services were listed as well with similar customization options as the airline offerings. In fact, one of the most expensive offerings we found was for a popular third-party booking site going for around $170, with the 90,000 mileage point add-on included.

Similar to standard credit cards, airline-specific credit cards are for sale across various criminal marketplaces. Ranging in prices due to several factors including freshness, completeness, and quantity of data, one automated vending cart (AVC) was seen selling airline-specific credit cards for between $13 and $20. One apparent reason why these prices are less than the accounts listed previously is that those sweet, sweet airline miles aren’t included. But what if you opened a new airline account and used your newly purchased airline credit card to start racking up points?

The gift(cards) that keep on giving

During our tour of the various dark web travel agencies, we discovered discounted gift cards were a hot commodity on the scene. Similar to reputable sellers of discounted gift cards like CardPool or GiftCardGranny, dark web travel agents are selling airline-specific gift cards and certificates at massive discounts, typically around 30-50% off retail value. Such a high percentage discount is unusual – legitimate retailers like those mentioned usually offer between 1-10% and rarely directly for airlines.

Delta gift card sold on Empire dark web market

Delta gift card being sold on Empire Market

But how are vendors offering such massive discounts on these gift cards? There are a couple of different options to answer this:

  1. Purchased with airline points: Airline points can be redeemed for gift cards or other “store credit” gift items like bags or airline trinkets. Redeeming points from stolen accounts to buy gift cards or certificates and, in turn, selling them could provide a good cash out method for threat actors.
  2. Purchased with stolen credit cards: Cybercriminals don’t exclusively sell their stolen data to others; they can use them for various purposes either before they’re sold or detected being used for fraud.
  3. Gift cards themselves are stolen: Just like credit cards, gift cards have an account number and security codes. These cards may be showing up in the same card dumps that criminals are gathering.

It’s doubtful these vendors are purchasing gift cards at face value and offering steep discounts out of the goodness of their hearts, as excellent as that would be! We can’t say for sure exactly how these gift cards are being collected, but the result is likely a high-profit margin for vendors.

In addition to targeting airlines directly, fraudsters have also shown that they aren’t afraid to also target third-party booking companies. On platforms like the partly gated English-language cybercriminal forum RaidForums, users frequently share carding methods for sites like Expedia: exploiting features in the site’s checkout mechanism to use stolen credit cards for booking flights.

These types of sites are often perceived as having poor security, therefore being easier targets. While this isn’t necessarily always true, it can still help drive cybercriminals towards specific companies.

Discussion on the dark web forum Dread on cardable travel websites

Discussion on the dark web forum Dread on cardable travel websites

Although the majority of cybercriminals are primarily financially motivated, some have also expressed more ideologically driven reasoning. While I’m sure we’ve all had bad experiences while traveling (a delayed flight, a wrong hotel room, unforeseen expenses), fraudsters have used these as justification for their actions. As one user stated on a dark web forum: “Basically, I’m taking advantage of predatory 3rd party travel sites […] They screw over consumers, and I screw them back”. In this case, cybercriminals were taking advantage of the booking company paying the airline as soon as the ticket was issued, resulting in a strict no-refund policy.

A user on the dark web forum Dread discussing reasons for targeting third-party travel companies

A user on the dark web forum Dread discussing reasons for targeting third-party travel companies

Dark Web Travel Booking Tutorials

Tactics, techniques, and procedures (TTPs) is a critical component to understanding how to prevent this type of activity from continuing. Unfortunately, like a lot of things on criminal marketplaces and forums, specifics are difficult to come by. However, there were indicators as to how this activity was seemingly so widespread and operating under the radar.

  • Last-minute booking with fraudulent details
    In an attempt to answer a question about how vendors can offer flights for such drastic discounts, one user posited that threat actors would book flights using stolen credit card details, hacked air miles/loyalty point accounts, or fraudulently using coupons.  These flights would be booked at the last minute so that when the airline notices the fraud, it will be too late, and the flight will already have been completed.
  • Carding method for hotel or flight booking
    Technical details were also provided for how to schedule the flight or book the hotel within a tutorial acquired by Digital Shadows (now ReliaQuest). The details were fairly basic, including clearing the browser cookies, changing the MAC address of the computer, using a VPN, and use of an email address with the cardholder’s name included. There were specifics on ways to purchase the ticket or book the hotel, but overall there was not a super-secret vulnerability these criminals were exploiting; they were taking advantage of the system rather than breaking it.
  • Exploiting third-party services
    Though it’s unclear exactly why this is the case, threat actors seem to take advantage of third-party booking services to schedule their trips. Since a third-party service is another step removed from having to book directly on an airline or hotel’s website, this may give fraudsters additional time before their activity is detected.

Threat actors: Meet your Travel Agents

Just like in the real world, on the cybercriminal landscape, threat actors typically have specializations. They become experts in a specific part of their trade and build up a reputation for being the best at what they do. The airline fraud industry is no different, and several individuals stick out as key players.

Patriarh

Perhaps one of the most flagrant, Patriarh, or “The Patriarch” runs a popular vacation booking service, amassing an almost cult-like following across multiple Russian-language criminal forums. Patriarh claims to be able to get customers deals up to 45-50% cheaper than Booking.com – what a deal! Although details on the techniques they use to get such competitive discounts are scarce, there’s a strong chance that Patriarh uses a combination of several TTPs outlined previously in this blog: Namely using stolen or fraudulent credit cards or airline miles.

Patriah dark web

Patriarh’s banner

Patriarh’s threads are littered with comments from happy customers, praising the service’s high quality: The Patriarh team offers 24 hours dedicated support via Telegram, mirroring the level of support you often see from more legitimate travel booking companies. Happy clients of Patriarh also typically post pictures from their vacations as proof that the service works: Photos typically include a hand-written “thank you” note in front of the view from a five-star hotel or first-class airline seat.

Patriarh dark web example

Picture from a happy customer thanking Patriarh

Serggik00

Serggik00 is another travel agent who offers vacation booking services and maintains a broad footprint on at least four Russian-language cybercriminal forums. Listings include the standard hotel and airline bookings, but Serggik00 also offers car rentals, excursions, and even weddings at steep discounts. They also claim to have provided services to famous bloggers and television stars. Like Patriarh, Serggik00 offers dedicated 24/7 online support, and forum threads are full of images from clients featuring messages of thanks, often written on hotel-branded paper, set against a background of a hotel room, airplane, swimming pool, or beach.

Serggik00 dark web

Picture from a happy customer thanking Serggik00 for a wonderful hotel and vacation to Spain

Rapesec

Rapesec is another prominent threat actor with a focus on travel-related fraud. However, unlike Patriarh and Serggik00, their offerings require a little more manual effort from the buyers. Rapesec has been active on several well-known criminal forums like Dream Market and Berlusconi since at least 2017 and claims to offer 60 percent discounts on flights and hotels. Buyers are requested to provide details of the trip they want to book, obtaining details from Expedia. Once the buyer gives rapesec screenshots of their dream vacation, the vendor will then create a custom listing to purchase through the marketplace.

A user on the dark web forum Dread discussing reasons for targeting third-party travel companies

Rapesec’s listing for vacation bookings on the now-defunct Berlusconi dark web marketplace

When booking your next holiday…

If one thing is clear, it’s that reputation matters. Much like ratings on legitimate platforms like Amazon or eBay, proof from satisfied customers is key to the success of any online vendor. Having a dedicated 24/7 support system can also make all the difference in having a happy customer; threat actors like Patriarh and Serggik00 have made this factor a crucial part of their service.

So why are these “dark web travel agent” services so popular? For one, it might seem less criminal to get someone to book a cheap vacation for you rather than doing it yourself. Mainly as these cybercriminals don’t overtly advertise the specific methods they use, their customers may just be happy to be left in the dark. Additionally, such services appear to be much more common in Russian-speaking forums:  Going on extravagant holidays and posting about it all over social media is a status symbol, and sketchy services can give the luxury lifestyle to those that couldn’t afford it otherwise.

Curious how you can better monitor the dark web for your business? Check out the link below around how we can help, or check out our guide, Dark Web Monitoring: The Good, The Bad, and The Ugly.