As COVID-19 travel restrictions eased, scammers pounced

You can add travel-booking scams to the ways that cybercriminals have adapted to the pandemic-era economy.

After slashing prices on the hacking tools sold on underground forums and targeting software used for remote work, crooks have been monitoring the fluctuations in travel restrictions around the world for an opportunity to hawk illicit travel schemes, according to research published Tuesday by the threat intelligence firm Gemini Advisory.

The analysts found an uptick in travel-related chatter on over a dozen cybercriminal forums since July, not long after countries in Europe began loosening travel controls. Mentions of travel-related issues on the forums went from roughly 100 per day in early June to more than 600 per day in early September, Gemini Advisory analysts said.

“Numerous dark web forum members and Telegram channels have resumed advertising travel services after being dormant during the peak of COVID-19 pandemic,” Gemini Advisory said in a blog post. “One prominent cybercriminal has posted travel advertisements daily on Telegram since the beginning of July, after making only three advertisements from March to June 28, 2020.”

The research spotlights a black market that has cost the airline industry some $1 billion annually, according to Europol. The schemes typically involve using stolen payment card data to book flights or other travel, and then selling those bookings at a steeply discounted price to customers who may be unaware they are participating in fraud. The cybercriminals have been using Telegram, an encrypted messaging platform, to tout photos purporting to show happy, vacationing customers.

Law enforcement agencies have tried to crack down. But the market has proved resilient, in part because of the ability of attackers to plant data-stealing code on booking websites. So-called Magecart-style attacks, which siphon off financial data, have hit multiple booking sites in recent years, including that of British Airways in an incident that affected half a million customers.

The findings show how crooks will opportunistically flock to whatever scheme is most effective in the moment. At the height of travel restrictions, fraudsters tried to convince customers that they could still travel. One advertiser told customers that they still “reserve hotels in practically every town in Russia,” emphasizing the appeal of domestic travel, according to Digital Shadows, another dark-web intelligence firm.

Europe is now staring down another wave of the virus, with another round of travel limitations already underway. Ilya Volovik, an analyst at Gemini Advisory, expects scammers to shift to pushing other services yet again. The attackers typically “adopt new schemes according to their targets’ vulnerabilities or the demand for certain types of stolen data,” he said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.