Check Point Research reports that 29,880 new domains related to summer holidays were created in May. This is an increase of 23% compared to the same period last year. Of these domains, 1 in 83 was malicious or suspicious. Cybercriminals are thus capitalising on sentiment: with rising flight prices, people are looking for last-minute deals and benefits and are more likely to be tempted to follow a lucrative offer.
One method cybercriminals use is to offer stolen hotel and airline accounts that have accumulated reward points. These stolen accounts are offered for free or for sale on the Dark Web. Examples include accounts at hotels such as Marriott and airlines such as Delta and AA. Cybercriminals also used a special tool to steal accounts from the Radisson hotel chain, with the end goal of gaining access to accounts with reward points or linked payment cards.
Cybercriminals also impersonate popular airlines to get personal data or money from targets. CPR's investigators found phishing emails imitating the airline TAP Air Portugal. These emails offered compensation for allegedly delayed flights. This is how cybercriminals try to get people to click on a malicious link to steal data or money.
Malicious alternative "travel agencies"
Another tactic is to set up "travel agencies" on Russian underground hacking markets. These agencies offer airline tickets and hotel bookings at discounts of 45-50%. However, these deals are booked using stolen accounts from hotels, airlines and other travel-related websites.
"Patriarch Travel" operating from Russia offers buyers 45-50% off an original booking found on legitimate booking sites on the internet. These discounted prices come from stolen accounts of airlines and hotels.
"At a time when everyone is eager to book a holiday, consumers need to be extra careful," argues Zahier Madhar, security engineer at Check Point. "Primarily, it is important to always book through an authentic and trusted source and verify the website. If an offer seems too good to be true, it probably is. Furthermore, there are numerous websites that try to mimic a verified domain name, so watch out for extra letters or spelling mistakes. Finally, checking for the padlock is a good verification: if the URL starts with HTTPS, the website meets international requirements."