Dark web vendors have been found selling frequent flyer miles on underground forums. In August, security experts explored around half a dozen illicit marketplaces on the dark web and discovered how much each stolen frequent flyer reward point is worth.
According to security researchers at CompariTech, who discovered the dark web sales of the frequent flyer miles, cybercriminals have been selling stolen reward points from popular airline reward programs such as Emirates Skywards, SkyMiles and Asia Miles. The data was found for sale on highly popular dark web markets such as Dream Market, Olympus and Berlusconi Market.
“Across all vendors and marketplaces, Delta SkyMiles and British Airways were the most commonly listed. Prices are not consistent across vendors and seem to be based more on the vendor’s preference than supply and demand,” CompariTech researchers said.
The dark web vendors were demanding either Bitcoin or Monero in exchange for the data. The average minimum price of a single batch of stolen frequent flyer points is $31, the researchers discovered.
“On Dream Market, one of the largest black markets on the dark web, a single vendor sells reward points from over a dozen different airline reward programs, including Emirates Skywards, SkyMiles, and Asia Miles. Going by the handle @UpInTheAir, they sell a minimum of 100,000 points for the reward program of your choice, starting out at $884 as of the time of writing (this was probably $1,000 originally, but Bitcoin price fluctuations caused it to go down),” the researchers explained.
Cybercriminals can gain access to airline miles through various means, such as breaching a data server or using phishing emails. Apart from selling the data on the dark web, the hackers can redeem the points for various other purposes, including purchasing flight upgrades, hotels and rental cars.
To protect reward points from being stolen by cybercriminals, researchers suggested that users follow some simple security tips, like shredding boarding passes after a journey is completed and using strong and unique passwords to protect accounts. Users should also monitor their accounts periodically for any suspicious activity.