Cybercriminals Pose as Unofficial Travel Agents to Scam Consumers

Cybercriminals exploit stolen financial data to offer consumers heavily discounted travel deals. Learn how these email scams work and tips to avoid falling victim to them this summer travel season.
June 18, 2024

As summer approaches, travel activity surges, with families and individuals eager to take advantage of the season for vacations and getaways. This increase in travel also brings a heightened risk of scams as cybercriminals exploit the demand for affordable travel services. Threat actors lure unsuspecting consumers with offers of heavily discounted flights, hotels, and car rentals—often up to 50% off. While these deals appear enticing, they are designed to steal personal and financial information, leaving victims with financial losses and ruined travel plans. Travelers must remain vigilant and cautious, verifying the legitimacy of such offers to protect themselves from these deceptive schemes.

How Cybercriminals Exploit Booking Systems to Steal Financial Data

Cybercriminals involved in travel scams profit by exploiting stolen financial information, including credit card data, which they either purchase on digital fraud-based marketplaces or obtain directly using information-stealing malware. Their primary objective is to convert the stolen data into cash.

However, this process is not as straightforward as withdrawing money from an ATM, as cybercriminals often lack the physical cards themselves. Instead, they possess only the information necessary to make online purchases. Attempting to add these stolen cards to legitimate payment processors like Venmo or PayPal is risky, as these platforms typically require verification steps, such as providing a three-digit code from a bank statement, which the cybercriminals do not have access to. As a result, a workaround or ‘cash-out’ method has emerged: cybercriminals aim to convert stolen credit cards into cash by exploiting hotel booking systems. They target hotels that may not have activated multi-factor authentication (MFA) or two-factor authentication (2FA) processes, using stolen credit cards registered in the same state or location as the hotel.

Cybercriminals create advertisements offering up to 50% discounts on hotel room bookings. These advertisements attract unsuspecting consumers and other cybercriminals who are enticed by the significant discount. Interested individuals then send payment to the cybercriminals behind the advertisement, typically in the form of cryptocurrency, to reserve their stay. By employing this method, the criminals effectively launder the stolen money. The hotel receives payment from the stolen credit card used by the cybercriminal to book the room, while the cybercriminal receives untraceable cryptocurrency from the person they booked the room for. This process allows the criminals to convert the stolen credit card information into clean, untraceable funds.

While some hotels may have policies in place to request the original payment method to be presented at check-in, not all hotels enforce such measures consistently. This lack of strict payment verification allows cybercriminals to circumvent this safeguard and successfully carry out their fraudulent scheme.

Real-World Examples of Travel Scams on Cybercrime Forums

[Image: Travelscams1]

The image above shows an example of a service advertised on a cybercrime forum. It's unclear if the buyers of this service are aware of the situation, but if they are, there is a clear opportunity for them to resell and profit from other unsuspecting consumers.

We know this is a common ‘cash-out’ method because it is openly advertised in the ‘cash-out’ section of some of the more exclusive financial fraud forums (see below), which indicates that it is not an obscure technique.

[Image: Travelscams2]

Cybercriminals Use Stolen Credentials to Email Scam Offers in Bulk

There is also evidence that cybercriminals are actively seeking cold email infrastructure to mass-mail discounted offers to unsuspecting customers on both personal and enterprise email accounts. Cybercriminals often attempt to buy stolen SMTP credentials from cybercrime forums. These credentials typically belong to businesses or consumers with good domain or email reputations, enabling criminals to send out fraudulent emails more effectively. While customers on cybercrime forums may be aware that the services are obtained illegally, innocent consumers who receive such offers via email are most likely unaware of the illicit origins of these too-good-to-be-true deals.

[Image: Travelscams3]

With debit and credit card information available for less than a dollar per card on digital stores, this scheme is undeniably profitable. If a cybercriminal could sell this service to just one customer for $200-$300, which is the average nightly rate at an average four-star hotel, it would be extremely lucrative.

Protect Your Inbox from Travel Scams with Abnormal

Although the method outlined in this article primarily targets consumers, there is evidence to suggest that cybercriminals are also using compromised SMTP credentials to send these scam offers in bulk. When they purchase these lists and send these offers, they are also likely to hit many enterprise email inboxes as part of a "spray and pray" tactic.

To protect your employees from falling victim to these email-based scams, consider implementing an advanced inbound email security solution like Abnormal. Our AI-powered platform understands human behavior better than humans do, detecting any deviance from normal behavior using machine learning and advanced large language models. This provides your organization with the layered defense needed to prevent malicious emails from reaching inboxes and tricking your employees.

Interested in learning more about how Abnormal protects your inbox? Schedule a demo today!
