For at least the last two years, an ecosystem of fraud has been perpetrated by cybercriminals against nearly every major airline across the globe. Criminals have been acting as dark web travel agents, supplying customers with airline-specific accounts and credit cards, discounted flights and gift cards, tutorials for how to conduct this type of fraud, even going so far as to offer fraudulent tickets.
This blog is intended to highlight the flourishing scene on criminal marketplaces for airline-related information, including the selling of:
Throughout the research, we couldn’t help but think… why would someone willingly choose to buy likely stolen products and venture into some of the most highly controlled environments in the civilian world?
Among the marketplaces that are still operating today, Empire Market is one of the more well-known of the ever-shrinking players. Berlusconi Market, a market that shot up in popularity through 2019, ceased operations after three of the market’s admins were arrested in Italy. It’s unclear whether the site itself was seized, as the press release from Italy’s Guardia di Finanza merely stated the arrest of its admins. Among the airline accounts being offered for sale on Empire, Photon Research Team detected sellers offering accounts for most of the significant airlines within the United States as well as Europe.
The airline account advertisements work a bit differently than most offerings on criminal markets. Each of these accounts has an initial base price for an account, which is not that unusual. But what makes airline accounts unique is the airline miles or reward points that are attributed to each account. These are typically used as an incentive by airlines to encourage frequent flyers to stick with one airline and ensure recurring flights over time. The average base price for these accounts across various dark web marketplaces is $17. This typically includes access to the account and either a small number of mileage points or none at all. If a buyer wanted to purchase an account that had more points, they could, of course, do this for a fee.
Across the offerings that we analyzed, we put together the table below, which is the average price of the custom options for the accounts (higher mileage points). This means the full cost of an airline account (which has 30,000 reward points) is, on average, about $93.
There is obviously some room for interpretation here: for one, airline mileage points aren’t directly comparable from one company to another, meaning one point at Southwest Airlines might not be equal to the same amount at Alaska Airlines.
Advertisements for accounts aren’t limited to airlines; hotels, trains, and third-party booking services were listed as well, with customization options similar to the airline offerings. In fact, one of the most expensive offerings we found was for a popular third-party booking site going for around $170, with the 90,000 mileage point add-on included.
Similar to standard credit cards, airline-specific credit cards are for sale across various criminal marketplaces. Ranging in prices due to several factors including freshness, completeness, and quantity of data, one automated vending cart (AVC) was seen selling airline-specific credit cards for between $13 and $20. One apparent reason why these prices are less than the accounts listed previously is that those sweet, sweet airline miles aren’t included. But what if you opened a new airline account and used your newly purchased airline credit card to start racking up points?
During our tour of the various dark web travel agencies, we discovered discounted gift cards were a hot commodity on the scene. Similar to reputable sellers of discounted gift cards like CardPool or GiftCardGranny, dark web travel agents are selling airline-specific gift cards and certificates at massive discounts, typically around 30-50% off retail value. Such a high percentage discount is unusual – legitimate retailers like those mentioned usually offer between 1-10% and rarely directly for airlines.
Delta gift card being sold on Empire Market
But how are vendors offering such massive discounts on these gift cards? There are a couple of different options to answer this:
It’s doubtful these vendors are purchasing gift cards at face value and offering steep discounts out of the goodness of their hearts, as excellent as that would be! We can’t say for sure exactly how these gift cards are being collected, but the result is likely a high-profit margin for vendors.
In addition to targeting airlines directly, fraudsters have shown that they aren’t afraid to target third-party booking companies as well. On platforms like the partly gated English-language cybercriminal forum RaidForums, users frequently share carding methods for sites like Expedia: exploiting features in the site’s checkout mechanism to use stolen credit cards for booking flights.
These types of sites are often perceived as having poor security and therefore as being easier targets. While this isn’t necessarily always true, it can still help drive cybercriminals towards specific companies.
Discussion on the dark web forum Dread on cardable travel websites
Although the majority of cybercriminals are primarily financially motivated, some have also expressed more ideologically driven reasoning. While I’m sure we’ve all had bad experiences while traveling (a delayed flight, a wrong hotel room, unforeseen expenses), fraudsters have used these as justification for their actions. As one user stated on a dark web forum: “Basically, I’m taking advantage of predatory 3rd party travel sites […] They screw over consumers, and I screw them back”. In this case, cybercriminals were taking advantage of the booking company paying the airline as soon as the ticket was issued, resulting in a strict no-refund policy.
A user on the dark web forum Dread discussing reasons for targeting third-party travel companies
Understanding tactics, techniques, and procedures (TTPs) is critical to preventing this type of activity from continuing. Unfortunately, like a lot of things on criminal marketplaces and forums, specifics are difficult to come by. However, there were indicators as to how this activity was seemingly so widespread and operating under the radar.
Just like in the real world, on the cybercriminal landscape, threat actors typically have specializations. They become experts in a specific part of their trade and build up a reputation for being the best at what they do. The airline fraud industry is no different, and several individuals stick out as key players.
Patriarh
Perhaps one of the most flagrant, Patriarh, or “The Patriarch,” runs a popular vacation booking service, amassing an almost cult-like following across multiple Russian-language criminal forums. Patriarh claims to be able to get customers deals up to 45-50% cheaper than Booking.com – what a deal! Although details on the techniques they use to get such competitive discounts are scarce, there’s a strong chance that Patriarh uses a combination of several TTPs outlined previously in this blog, namely using stolen or fraudulent credit cards or airline miles.
Patriarh’s banner
Patriarh’s threads are littered with comments from happy customers praising the service’s high quality. The Patriarh team offers 24-hour dedicated support via Telegram, mirroring the level of support you often see from more legitimate travel booking companies. Happy clients of Patriarh also typically post pictures from their vacations as proof that the service works: photos typically include a hand-written “thank you” note in front of the view from a five-star hotel or first-class airline seat.
Picture from a happy customer thanking Patriarh
Serggik00
Serggik00 is another travel agent who offers vacation booking services and maintains a broad footprint on at least four Russian-language cybercriminal forums. Listings include the standard hotel and airline bookings, but Serggik00 also offers car rentals, excursions, and even weddings at steep discounts. They also claim to have provided services to famous bloggers and television stars. Like Patriarh, Serggik00 offers dedicated 24/7 online support, and forum threads are full of images from clients featuring messages of thanks, often written on hotel-branded paper, set against a background of a hotel room, airplane, swimming pool, or beach.
Picture from a happy customer thanking Serggik00 for a wonderful hotel and vacation to Spain
Rapesec
Rapesec is another prominent threat actor with a focus on travel-related fraud. However, unlike Patriarh and Serggik00, their offerings require a little more manual effort from the buyers. Rapesec has been active on several well-known criminal forums like Dream Market and Berlusconi since at least 2017 and claims to offer 60 percent discounts on flights and hotels. Buyers are requested to provide details of the trip they want to book, obtaining details from Expedia. Once the buyer gives Rapesec screenshots of their dream vacation, the vendor will then create a custom listing to purchase through the marketplace.
Rapesec’s listing for vacation bookings on the now-defunct Berlusconi dark web marketplace
If one thing is clear, it’s that reputation matters. Much like ratings on legitimate platforms like Amazon or eBay, proof from satisfied customers is key to the success of any online vendor. Having a dedicated 24/7 support system can also make all the difference in having a happy customer; threat actors like Patriarh and Serggik00 have made this factor a crucial part of their service.
So why are these “dark web travel agent” services so popular? For one, it might seem less criminal to get someone to book a cheap vacation for you rather than doing it yourself. Because these cybercriminals don’t overtly advertise the specific methods they use, their customers may just be happy to be left in the dark. Additionally, such services appear to be much more common in Russian-speaking forums: going on extravagant holidays and posting about it all over social media is a status symbol, and sketchy services can give the luxury lifestyle to those that couldn’t afford it otherwise.