It is an automated way to test many valid login and password combinations in hopes of getting into someone else's account.
The travel industry is especially vulnerable to account fraud given the value contained within accounts: customer accounts are stolen, or fake accounts are created at scale, and then monetized, for example by selling the account or transferring the reward points within.
I challenged myself to use my first-hand knowledge of bot-driven account fraud to find myself a deeply discounted vacation to the Caribbean for some fun in the sun.
Aero helped me narrow down which airlines and specific flights can be purchased using loyalty points within the next 60 days.
Without points, roundtrip flights from the Northeastern US to Aruba would have cost me $420 during the month of July.
Kasada's Q1 Quarterly Threat Report states that the average value of a frequent flier point, as determined by the cost of accounts being sold on criminal marketplaces, ranges from $0.0003 to $0.001, depending on the airline and the total points available to the account holder.
After a bit of searching, I found myself an account to purchase the 28k flier points for $22.40.
To recharge myself, I'm planning to stay for 7 nights and need a minimum of 400,000 points to stay in a higher category of hotel that would cost about $450 per night - because I deserve luxury and like oceanside views.
The seller advises me to log in with wifi OFF and have a good IP address - and then to replace the original account owner's credit card info with my own, to ensure there are enough funds to cover my security deposit.
A stolen account loaded with 10,000 points is more than enough to get me a convertible for the week - for a cost of only $12.
Dining & Souvenirs.
I can alternatively withdraw the funds into my own personal crypto wallet and then into my own bank account.
So to share my vacation and ensure my inevitable epic wakeboarding wipe-out goes viral, I've splurged on a social media account with 1,000 high-quality followers.
The account for $4 is guaranteed to work for a month.
I didn't actually purchase any of these stolen accounts.
Given the stock of accounts and volume of confirmed purchases on secondary marketplaces, other people certainly do purchase these stolen accounts.
The blame can also be cast on ineffective anti-bot defenses that are still in use yet unable to detect the automated abuse of their customers' account logins by tools such as OpenBullet.
Times have changed, and the external evidence of account fraud is proof that the old way of stopping bots has run its course.
The impact on travel and hospitality businesses is exorbitant infrastructure and fraud costs, combined with irreparable brand damage every time a customer's account is breached.
There are real people losing their accounts and hard-earned points, and while the companies often pay up for this fraud, sometimes the damage is irreparable due to loss of trust.
Request a free snapshot if you want to know whether your business has accounts up for sale and how many have been monetized based on the thousands of non-traditional sources we monitor.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 30 May 2024 15:13:06 +0000