Frequent flyer miles stolen are on sale on dark web

Share this…

Stolen frequent flyer accounts and its reward points are attractive assets on the dark web

Last August, a team of ethical hacking researchers conducted an analysis of at least six illicit product sales sites on the dark web to find out the value of frequent flyer miles stolen from their legitimate users.

In Dream Market, one of the largest black markets on the dark web, a vendor sells credits from more than a dozen different airline rewards programs, including Emirates Skywards, SkyMiles and Asia Miles. This provider offers at least 100k miles for the rewards program that the customer chooses, with prices rating $30 up to $800 UDS (the price changes according to the variations in cryptocurrencies value).

Delta SkyMiles and British Airways are the most commonly listed airlines in this type of sites, according to what experts in ethical hacking have been able to appreciate. In addition, prices are not consistent among different vendors and seem to be based more on unilateral vendor decisions than on supply and demand. Some of the airlines and tariffs that manage these sites are:

  • Aeromexico – 100k miles for $844 USD
  • British Airways – 100k miles for $124 USD
  • Delta (SkyMiles) – 2k miles for $30 USD
  • Emirates Skywards – 100k miles for $520 USD

All of these rates are based on the price of Bitcoin or Monero at the time of editing this article, so they are likely to be different later.

The actual value of the traveler miles varies according to the rewards program and what it is spent on. Airline credits are usually worth one to two cents apiece. So if we assume that 100k miles (valued at $15 each) are worth about $1.5k USD, it can be seen that the prices on dark web represent only a fraction of the actual cost.

Usually these stolen credits are not spent on real airline tickets or hotel reservations, as these operations require user’s identification.

Many rewards programs allow account holders to exchange credits in local businesses, often through gift cards. In March 2017, for example, Air Miles alerted members of its reward program that those credits were being used to buy products from participating businesses. The owners of these credits are not required to enter a password when they spend these points, and the local sales staff does not request identifications. Due to the lack of verification, stolen frequent flyer miles have become an attractive target for hackers.

Although it is against the terms of service of most rewards programs, points can also be resold. The grey market miles brokers abound in Google search results. These brokers usually buy unused points and use them to get business updates and first class and other bonuses for their customers, it should be noted that these brokers regularly do not buy hacked accounts that could be contaminated with some kind of malware.

According to experts in ethical hacking from the International Institute of Cyber Security, to obtain this information, hackers get the user’s credentials, either through attacks against the servers, or by deploying phishing campaigns. Once the hacker gets access to user accounts, he can sell stolen miles or transfer them to other accounts.