A recent discovery made by Comparitech, the technology research company showed that a new product is sold on the online black market. Dark web vendors have been found selling frequent flyer miles – loyalty points offered by airlines which can be redeemed on a later date – on underground forums.
The discovery revealed that on Dream Market, the largest online black market, a single vendor sold loyalty points from “over a dozen different airline reward programs” that included Emirates Skywards, SkyMiles, and Asia Miles. The other illegal marketplaces that were selling flyer miles were Olympus and the Berlusconi Market.
“Across all vendors and marketplaces, Delta SkyMiles and British Airways were the most commonly listed. Prices are not consistent across vendors and seem to be based more on the vendor’s preference than supply and demand,” CompariTech blog post read. (https://www.comparitech.com/blog/information-security/how-much-are-stolen-frequent-flyer-miles-worth-on-the-dark-web/
These vendors were selling flyer miles in exchange for cryptocurrencies, namely Bitcoin and Monero. “The average minimum rate of a single batch of stolen flyers points is $31,” the researchers wrote.
The value of frequent flyer miles varies depending on the rewards program and what it is spent on, about trading them on the darknet the blog said, “airline points are typically worth between one and two cents each. So if we assume 100,000 miles (valued at $0.015 each) are worth $1,500, you can see the darknet prices come in at a fraction of the cost.”
Cryptocurrencies have historically been used as a way to sell value between cyber criminals, with the notorious ‘Silk Road’ dark web marketplace being a key example. The U.S. Department of Justice had announced in June 2018 the arrests of over 35 dark web vendors, seizing cryptocurrencies from the arrested criminals. At the time 2,000 Bitcoins were seized, coming to a value of $12 million then (June 2018).
According to an Australian study (https://www.deepdotweb.com/2018/01/08/research-47-bitcoin-transactions-involves-illegal-trading-mostly-darkweb/), 47% of all bitcoin transactions occur on the darknet and involve criminal activity.
According to the research done by analytical company, Recorded Future, (https://voiceofpeopletoday.com/crypto-currency-popular-darknet-hackers/) Monero is widely used in the Western world, while Russian cybercriminals prefer Litecoin. Monero is also considered to be the darknet queen.
So why would anybody buy stolen flyer miles? To redeem a flyer mile one has to produce ID proof for hotel booking or for actual airfare, but there are places where ID proofs are not required.
Many reward programs let users redeem points at local retailers, often through gift cards. Air Miles in March 2017 warned its users that stolen points were used to buy products from participating retailers.
Rewards expert and CEO of Frequent Flyer Bonuses Group, Patrick Sojka had said, “shoppers aren’t required to enter a password or PIN number when using their miles towards store purchases. Instead, they can opt for automatic check-out, input someone else’s account number and buy products.”
“There’s no true way to kind of prove that you’re actually the person who’s holding that Air Miles account,” Sojka added.
Flyer miles can also be resold, though it’s against the terms of service for most rewards programs, “Brokers typically buy unused points and use them to get business- and first-class upgrades and other bonuses for their clients. Brokers are wary of miles from hacked accounts that might be “tainted”, which is why dark web vendors often mark their miles as “clean”. This means the account hasn’t been flagged or shut down by the airline,” the blog said.
Hackers redeem points quickly after taking over an account and then sell the rewards themselves. In 2017, Russian hackers utilized stolen British air miles to purchase flight upgrades, hotels, and rental cars, which they then converted to legitimate-looking websites to unsuspecting customers.
Liv Rowley, cyber intelligence analyst told, “one advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone. They’re confident enough to travel in their own names using the stolen points.”