Russian cyber criminals stealing British people's reward points and airmiles to go on luxury holidays

British couple finds hotel room in Spain booked for 'Dimitri and Olga' using their Avios account 

Lizzie Dearden
Home Affairs Correspondent
Tuesday 21 November 2017 19:01 GMT
Five-star hotels and cruises have been bought from illicit sites
Five-star hotels and cruises have been bought from illicit sites

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Russian cyber criminals are using British victims' reward points and airmiles to enjoy luxury holidays at budget prices, a report has revealed.

Research by security firm Flashpoint uncovered a thriving online marketplace where illicit “booking services” offer discounts at the expense of genuine customers in the UK and elsewhere.

The fraud sees lucrative rewards sites accessed through compromised bank accounts and credit cards, usually without the owner’s knowledge, and used to purchase hotel rooms, flights, cruises and car rentals.

One British couple only found out 30,000 points had been stolen from their Avios account after a hotel was booked for three nights in Spain, using one legitimate name as the lead traveller alongside “Dimitri and Olga”.

Several other travellers have found points being used for Russian flights, including one from Moscow to Kiev and an internal Russian flight for two passengers, or hotels in the country like the 5* Intercontinental Moscow.

Flashpoint analysts told The Independent the Russian-speaking and English-speaking marketplaces were the biggest in the fraudulent trade, followed by French and Spanish.

Liv Rowley, one of the report’s authors, said it was part of a “cyber criminal ecosystem” incorporating hackers and middle-men who purchase and sell on the necessary details.

​“They’re real services and points but going to the wrong person,” she explained.

A picture taken by a customer on a trip booked through a Russian-language 'booking agency' featuring a note referencing the vendor’s illicit services (Flashpoint )
A picture taken by a customer on a trip booked through a Russian-language 'booking agency' featuring a note referencing the vendor’s illicit services (Flashpoint ) (Flashpoint)

“We believe that this is actually working,” she added, describing photos posted online by jubilant holidaymakers and happy reviews on illicit websites.

“I believe the people taking part in this knowing it’s illegal. A lot of the listings we see include flights at 30 or 25 per cent of the listing price.

“If you’re buying a flight for only a quarter of its value, there’s probably something and weird.”

One Russian-language forum has established its own group of members dedicated to cyber crime targeting hotels, while another offers plane tickets to anywhere in the world – apart from Russian domestic flights.

On the now-defunct AlphaBay Market, 3,601 customers purchased one provider’s fraudulent hotel and car rental services between March 2015 and December last year.

Researchers said it was impossible to tell the success rate of the fraud, which should be thwarted by identification checks by airlines, hotels and car rental companies.

Some sites have been encouraging customers to make reservations in their own names, as attempting to fake a passport or travel document is too risky.

“Some people commenting on forums posts say they experienced a bit of difficulty,” Ms Rowley said.

An English-language vendor offering both carded and non-carded flights for 25 per cent of the total cost of the flight (Flashpoint )
An English-language vendor offering both carded and non-carded flights for 25 per cent of the total cost of the flight (Flashpoint ) (Flashpoint)

“Hotels can ask to see the card the booking was made under but they don’t have the information, so they find a way to get out of it by coming up with lies like ‘I lost my wallet’ or ‘it was present’.”

Although several known sites have been shut down, cyber criminals are moving to other platforms to offer their wares, which also include retail gift cards.

Ms Rowley one major American bank was getting hit by so much fraud from Russian-language perpetrators that it blocked the purchase of all flights going in and out of the country.

Providers have been refunding stolen points but Flashpoint is urging people to frequently check their reward accounts or set up alerts for anomalies, while ensuring their online bank accounts are under maximum security and being aware of phishing attempts and other scams.

So-called “brute-forcing software”, which runs through a large number of possible password combinations until the correct one is determined, is one of the many ways the accounts can be compromised so complexity and variation is key.

The warning comes after security officials said that Russian-speaking countries pose the “number one cyber crime threat to the UK”.

Billions of pounds have so far been lost in online attacks that are affecting British people every day, following the huge WannaCry ransomware attack that crippled the NHS.

Around 1.8 million cyber-dependent crimes took place last year, according to the Crime Survey for England and Wales, mostly from online criminals seeking profit.

“Things are likely to get worse before they get better,” said Oliver Gower, head of the National Cyber Crime Unit.

“With innovative criminal capability available to the highest bidder, it is inevitable that hostile states will explore its possibilities, and conversely that very entrepreneurial cyber criminals may seek to steal data in order to sell to states.”

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in