Sky-High Stakes: Combating Cyber Fraud in the Aviation Industry

July 23, 2024 | 4 min read

Andrea Feldman

Sr. Cyber Threat Intelligence Analyst


Fraud targeting the airline industry is common, and much of it originates in the underground, such as the deep and dark web. According to RSA Security, airlines are the industry most affected by online fraud, accounting for 46% of fraudulent transactions. As a result, the financial cost to airlines is huge, with losses due to fraud estimated at 1.2% of total global airline revenue.

Over the past few years, BlueVoyant has observed a significant spike in threat actors targeting the aviation industry worldwide, due to airlines’ increasing reliance on online booking and reservation platforms. These online tools make it more convenient for customers to purchase airline tickets and have become an industry standard, but they have also made it easier for fraudsters to exploit vulnerabilities in online systems. The significant disruption and increase in remote work caused by the COVID-19 pandemic have also contributed to an increase in fraud in recent years.

Analyzing Fraud in the Underground Market

Posts offering flight tickets or compromised accounts with frequent flyer miles or reward points at advantageous prices are very common in underground forums, chat platform groups, and even on social media.

Discounted Tickets

Threat actors who sell flight tickets at reduced prices typically purchase them with compromised credit cards. Posts of this kind, targeting airlines worldwide, are frequently seen in the underground market.

Below is an example of a threat actor advertising flight tickets from several airlines at discounted prices.

 

In these cases, threat actors usually purchase the flight tickets a few hours before the flight, reducing the likelihood that the airlines will identify the fraud in time.

Below is an example of a conversation among threat actors in a Spanish-speaking underground group, discussing that flight tickets should be issued within 24 hours before the flight to avoid cancellation:

 

Compatible BIN Numbers 

It is also common to see posts in underground forums where threat actors seek specific credit card BINs that perform well when booking with certain airlines.

In the screenshot below, a threat actor has posted a fraud tutorial, suggesting two specific credit card BINs that would work best when booking flights using stolen payment card details: 
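The two patterns described above (tickets bought within 24 hours of departure, and a preference for particular card BINs) can be checked for together on the airline side. The sketch below is an added example, not BlueVoyant's tooling or code from the original post; the booking records, BIN values and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SHORT_LEAD = timedelta(hours=24)  # assumed window, from the 24-hour pattern above
MIN_BOOKINGS = 3                  # assumed: skip BINs with too few bookings to judge
MAX_SHORT_SHARE = 0.5             # assumed: review BINs above this short-lead share

# Constructed sample records: (booking id, card BIN, purchase time, departure time).
# The BIN values are placeholders, not real issuer ranges.
BOOKINGS = [
    ("B1", "999901", "2024-07-01T08:00", "2024-07-20T09:00"),
    ("B2", "999901", "2024-07-10T21:30", "2024-07-11T02:15"),
    ("B3", "999901", "2024-07-11T05:00", "2024-07-11T11:40"),
    ("B4", "999901", "2024-07-12T13:10", "2024-07-12T19:00"),
    ("B5", "999902", "2024-06-15T10:00", "2024-07-30T07:00"),
    ("B6", "999902", "2024-07-14T09:00", "2024-07-14T20:00"),
    ("B7", "999902", "2024-07-02T12:00", "2024-08-01T12:00"),
    ("B8", "999902", "2024-07-03T12:00", "2024-07-25T06:00"),
    ("B9", "999903", "2024-07-15T01:00", "2024-07-15T06:00"),
    ("B10", "999903", "2024-07-16T02:00", "2024-07-16T09:00"),
]

def is_short_lead(purchased, departs):
    """True when the ticket was bought within SHORT_LEAD before departure."""
    lead = datetime.fromisoformat(departs) - datetime.fromisoformat(purchased)
    # A negative lead time is a data error, not a late booking, so it is excluded.
    return timedelta(0) <= lead <= SHORT_LEAD

def short_lead_bookings(bookings):
    """Booking ids that deserve a faster manual or automated fraud check."""
    return [b[0] for b in bookings if is_short_lead(b[2], b[3])]

def bins_for_review(bookings):
    """BINs whose bookings are mostly short-lead: {bin: share of short-lead bookings}."""
    totals, short = defaultdict(int), defaultdict(int)
    for _booking_id, card_bin, purchased, departs in bookings:
        totals[card_bin] += 1
        if is_short_lead(purchased, departs):
            short[card_bin] += 1
    return {
        card_bin: round(short[card_bin] / n, 2)
        for card_bin, n in totals.items()
        if n >= MIN_BOOKINGS and short[card_bin] / n > MAX_SHORT_SHARE
    }

if __name__ == "__main__":
    print("short-lead bookings:", short_lead_bookings(BOOKINGS))
    print("BINs for review:", bins_for_review(BOOKINGS))
```

A short lead time alone describes many legitimate last-minute travelers, so the per-BIN share is what narrows the review queue; BIN `999903` is skipped here only because two bookings are too few to judge.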

 

Compromised Travel Agent Consoles

Some threat actors instead obtain tickets by hacking travel agents' accounts or making fake bookings. Below is an example of a post in an underground forum where a threat actor was offering access to a travel ticket panel for sale.

In the post, the threat actor mentioned that the panel provides the ability to instantly issue plane tickets under any name, on any airline, to any destination. Furthermore, the threat actor noted that the access comes from a big company with many accounts, making it difficult for the breach to be detected. 

 

In another post shared in an underground forum, a threat actor offered access to a Turkish travel booking system and even shared the credentials to log in to the system.

 

Compromised Frequent Flyer Accounts 

Frequent flyer programs are also heavily targeted in the underground market as another way to issue fraudulent flight tickets. Threat actors offer compromised frequent flyer account credentials for sale, often at advantageous prices. These accounts, which hold frequent flyer miles or reward points, are obtained through fraudulent methods such as phishing or hacking into customer accounts. The attackers then steal points or miles and redeem them for flights or other rewards. Access to the compromised accounts themselves is then sold separately.

Below is a screenshot from threat actors offering compromised accounts for sale in underground groups and black markets:

 

Below are screenshots from black markets offering compromised accounts with frequent flyer miles or reward points for sale: 

 

Fraudulent activities such as the ones shown above can lead to financial losses for airlines due to chargebacks, increased operational costs for fraud prevention, and damage to the airline's reputation.

Mitigation of Aviation Fraud

To combat this kind of fraud, it is crucial to enhance security measures and ensure the effectiveness of fraud prevention systems. Employee training and awareness are also essential components for implementing prevention techniques. 

Given that fraudsters continuously adapt their methods, it is important to:  

  • Regularly review and update fraud prevention policies and procedures to address evolving threats
  • Conduct thorough internal audits to identify any gaps or exploits in existing systems and processes
  • Stay informed about emerging technologies and industry standards to leverage innovative solutions for fraud prevention
  • Enforce MFA for user accounts, and ensure password policies are effective and up to date
  • Monitor for phishing websites impersonating the airline, compromised accounts sold in the underground, and other fraudulent activities on the dark web

BlueVoyant’s Digital Risk Protection services offer impersonation and fraud detection for anything across the internet that might target any business interest, including airlines. Our dark web monitoring and brand protection services include active monitoring of the underground communities to stay ahead of fraudsters, as well as detection and unlimited takedowns for any instances of fraud that target your brand or customers.