Cybercriminals need a vacation too, and their soft but lucrative targets are loyalty points programs and fake loyalty points websites.
NordVPN reports that the scam goes like this.
Your personal details are in many of the hacked airline, hotel, travel, cab, tour, and booking websites. It does not have to be a loyalty points program: any hacked personal data works, because the same modus operandi is used.
If you are in doubt about the extent of the breaches, there is a list here.
Dark web AI (see DarkBERT is the most malicious dark web AI. It’s coming after you again) is used to create duplicates of the real points website.
It also creates realistic phishing emails (now with perfect spelling and grammar) to convince you that you need to check your points and change your password NOW. Or it may use other appeals: register for double points, you have won a prize, or your points are expiring and you need to convert them to shop gift cards.
You receive the email, panic, click the link, and go to the fake duplicate site. Naturally, you enter your membership number, password, or PIN, and voila, the cybercriminal has these details. The site responds that the server is down and to try again later (or some other excuse). The one-use fake site link then vanishes and redirects you to the real site, so you are none the wiser until your precious miles or loyalty points are gone.
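The link check behind the scam described above, as an added Python example (not from the article or NordVPN): it pulls the links out of an email body, flags any domain that is not on an allow-list of legitimate loyalty program domains, names the brand a lookalike domain imitates, and looks for the lure phrases the article lists. The allow-list and the two sample emails are constructed for illustration, not real data.

```python
import re
from urllib.parse import urlparse
from difflib import SequenceMatcher

# Constructed allow-list of the loyalty program domains this inbox expects mail from
# (an assumption for the example; build yours from the programs you actually belong to).
TRUSTED_DOMAINS = {"qantas.com", "marriott.com", "ticketmaster.com"}

# The lures the article lists: urgency, double points, a prize, expiring points, gift cards.
LURE_PATTERNS = [r"\bchange your password\b", r"\bdouble points\b", r"\bwon a prize\b",
                 r"\bpoints? (?:are|is) expiring\b", r"\bgift cards?\b", r"\bnow\b"]

def registrable_domain(host):
    """Crude registrable domain (last two labels); adequate for the .com samples here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_of(domain):
    """Return the trusted domain this untrusted domain imitates, or None."""
    base = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tbase = trusted.split(".")[0]
        # brand embedded in a longer label (qantas-rewards.com) or a near-miss spelling (qantaz.com)
        if tbase in base or SequenceMatcher(None, base, tbase).ratio() >= 0.8:
            return trusted
    return None

def analyse_email(body):
    """Report untrusted links, which brand each imitates, and any lure phrases present."""
    links = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        dom = registrable_domain(urlparse(url).hostname or "")
        if dom not in TRUSTED_DOMAINS:
            links.append({"url": url, "domain": dom, "lookalike_of": lookalike_of(dom)})
    lures = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    # A lookalike domain is suspicious on its own; any other untrusted link needs a lure too.
    suspicious = any(l["lookalike_of"] for l in links) or (bool(links) and bool(lures))
    return {"suspicious": suspicious, "links": links, "lures": lures}

# Constructed sample emails: one in the style the article describes, one legitimate.
SAMPLE_PHISH = ("Your Frequent Flyer points are expiring! Change your password NOW at "
                "https://qantas-frequentflyer-secure.com/login?u=1 to keep them.")
SAMPLE_OK = "Your statement is ready at https://www.qantas.com/au/en/frequent-flyer"

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_OK):
        print(analyse_email(sample))
```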
NordVPN says hacked loyalty points program databases are ‘currency’ on the dark web.
Loyalty points programs and smaller Australian businesses are not known for their cybersecurity expertise.
Earlier this year, six million Qantas users had their data stolen. The sobering warning from the FBI was that the Qantas Frequent Flyer data breach is the first of many more transport-specific attacks.
MGM Hotels’ hack in 2020 revealed that 10,600,000 customers’ data was stolen.
Marriott’s 2018 breach revealed that 500 million customers’ data from Ritz-Carlton, Renaissance, Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio, and Design Hotels had been hacked.
The Ticketmaster hack exposed 560,000,000 names, email addresses, and phone numbers. Imagine a phishing email offering low-cost tickets to a Swiftie event!
We could go on, but the sad truth is that most of us have a dark web profile that these hacks are fleshing out. AI is then being used to monetise your data.
Three things you can do to stay safer:
- Never use the same password across sensitive accounts. Get an operating-system-agnostic paid password manager like LastPass or Bitwarden, or use the password manager in your antivirus/anti-malware app. I am not a fan of Google/Chrome, Microsoft/Bing, or Apple/Safari password managers, but they are OK if you must use them.
- Treat every email as a potential phishing email. Never click on a link or call any number in the email. Instead, go to the company’s website directly.
- Reputable antivirus (AV) companies like Trend Micro and Norton have phishing detection. I get up to 20 warnings a week from Trend, but my email address has been in use for over 35 years!
Remember, if you fall victim, the loyalty points provider has no obligation to fix it, as you gave your details to cybercriminals.

3 comments
Paul
Thanks very much Ray. I have decided to give it a go.
Paul
Hi Charlie, how do you find BITDEFENDER? Could you email me please.
Paul
Gold Coast
Ray Shaw
We have no direct experience with BITDEFENDER. It rates really poorly on Product Review https://www.productreview.com.au/listings/bitdefender, but CyberNews rates it well https://cybernews.com/best-antivirus-software/bitdefender-antivirus-review/ on a technical basis.