Back in February, Digital Shadows published a blog looking at the dark web travel industry. We described how cybercriminals active on dark web forums and marketplaces have, for years, been peddling heavily discounted flight tickets and hotel rooms, selling airline-specific accounts with associated air miles, and sharing tutorials and top tips for conducting travel-related fraud.
We discovered that airline-specific customer accounts available on cybercriminal marketplaces increase in price depending on the associated frequent flyer points or air miles. Cut-price gift cards for airlines–either stolen or purchased with airline points or stolen credit cards–were also available, often at massive discounts of 30 to 50% off retail value. Third-party booking sites didn’t escape the cybercriminals’ attention either. Discussions on cybercriminal forums alleged that these sites often have poor security, which means they are perceived as being easier targets for carding or scam reservations. The travel booking tutorials we looked at described how fraudulently-acquired flights are usually booked at the last minute so that by the time the airline notices the fraud, the illicitly-boarded plane has already jetted off into the distance.
The world has changed a lot since February. With worldwide COVID-19 (aka coronavirus) lockdowns restricting travel across the globe, vacations seem like a distant memory for many of us. There has been a seemingly never-ending round of news reports covering the financial struggles the travel and hospitality industries face, with several organizations sadly closing their doors or laying off staff because of the reduced demand. This got us thinking about the cybercriminal travel agents: Is this underground industry facing the same pressures?
In our previous blog, we shone a spotlight on three particularly prolific threat actors active in the underground travel industry. They stuck out as key players in what was a crowded market. Let’s revisit them now to see how they are faring in these changed circumstances.
We found advertisements for Patriarh on several Russian-language cybercriminal forums. Their posts contained bold claims, including an offer to find deals for their customers that were 45 to 50% cheaper than Booking.com. Patriarh’s forum threads were always highly active: Patriarh posted multiple times per week–sometimes more than once a day–to promote their travel services. Their threads also contained numerous positive reviews from satisfied clients. Many of them posted photographs featuring hand-written “thank you” notes on display in a luxe hotel room or exotic location as proof of the credibility of the vacation-booking service.
However, the level of engagement on Patriarh’s formerly-active threads has dropped significantly since we last shone our spotlight on them. Patriarh’s accounts have not posted in their dedicated threads since the beginning of April 2020. Posts that Patriarh made at the start of April indicate that they fully intended to offer their services throughout the summer. One message from 03 Apr 2020 announced, “Holiday season is beginning!” and provided a list of genuine contact details for getting in touch with the service. The post warned of a record number of fake Telegram profiles purporting to represent Patriarh that had circulated the underground and cautioned potential customers to ensure they were communicating with a real Patriarh account. This post–gearing up for a full summer season of sales–suggests that COVID-19 has entirely derailed Patriarh’s plans.
In our previous blog, we also looked at another vendor active across multiple Russian-language cybercriminal forums: Serggik00. Serggik00’s advertisements offered hotel and airline bookings, car rentals, excursions, and even wedding packages. Just like Patriarh, Serggik00 flooded their dedicated threads with frequent advertising posts and updates, as well as photographs from satisfied customers displaying the Serggik00 username written on hotel-branded stationery and presented against a backdrop of a beautiful beach, luxurious hotel bathroom, or lavish aquamarine infinity pool.
Back in January 2020, Serggik00 was updating their dedicated threads with promotional material every couple of days, but they too appear to have suffered as a result of the global lockdown. Unlike Patriarh, Serggik00 has not responded to the reduced demand by falling silent. Instead, there has been a marked change in the content of their posts. Near the beginning of the pandemic, in March 2020, Serggik00’s representative on one Russian-language cybercriminal forum posted a message that seemed to indicate their awareness that the writing was on the wall. The post encouraged would-be customers to “RUN from coronavirus!”, noting, “Many routes are still available and open! We will help you!”
Towards the end of March 2020, these encouraging messages continued, with the forum representative posting, “Don’t say coronavirus!!! Get in touch with us!”. By April 2020, the alias had resorted to posting images of exotic locations–importantly, without personal messages from satisfied customers–indicating that Serggik00’s stream of new photos of thank you notes had dried up. One such post added mournfully, “We hope that the borders will open soon!”. None of these posts generated interest from other forum members.
An 08 May 2020 post offered a Serggik00 loyalty card promotion in honor of Victory Day, a Russian holiday celebrating Nazi Germany’s surrender at the end of World War II. On 09 May 2020 only, those in possession of a Serggik00 loyalty card could apply for a gift of $9 to use towards a future purchase. This scheme suggests Serggik00 is aware of the need to ensure their services remain at the forefront of potential customers’ minds so that these would-be clients turn to their service ahead of all other similar offerings when borders open up again.
Rapesec was active on multiple well-known English-language cybercriminal marketplaces, where they advertised alleged 60% discounts on flights and hotels. Rapesec’s offerings required more legwork from their clients, though: Buyers had to submit screenshots of the Expedia details of their proposed trip so that Rapesec could create a custom listing for the buyer to purchase on the marketplace. However, at the time of writing, Rapesec’s presence across the English-language scene appeared to have all but disappeared. Digital Shadows identified a profile for “rapesec” on Dark Market that referenced flights and hotel bookings. However, the vendor’s current offerings only include a counterfeit passport, with nothing available in terms of airline tickets or room reservations.
Turning away from these three prominent vendors, it seems that the shadow travel scene more broadly has demonstrably felt the impact of the COVID-19-prompted downturn. In mid-March 2020, one user on the Russian-language cybercriminal forum Verified was desperately seeking work, writing “in connection with the coronavirus pandemic, I need part-time work with daily payment, I’ve worked practically full-time on tourism since 2012 […] but since the world decided to invent a cool scam code-named ‘coronavirus’ […] I have been left without stable earnings for an indefinite period”. By 14 May 2020, the user’s tone had become more desperate: They promoted their forum post with the message “Relevant like never before!” Another Verified user posting in a different thread sounded less uneasy, opining that travel fraud “has become a little different, but it hasn’t abated completely.” They advised, “just wait until the borders open and there will be flights,” adding “tickets will be available soon.”
One user on the Russian-language cybercriminal forum Korovka disagreed with such an optimistic attitude. They posted on a thread advertising travel services to say, “Who needs hotels right now if everything is closed!?!?!? Thread starter, have you not heard anything about corona?” The vendor replied, “We are aware of corona”, and provided a clue as to how some travel vendors may be finding enough custom to stay afloat at this time of reduced demand. They added: “many people need hotels even now, for example tourists who are stuck abroad [and] also those who are tired of sitting at home and want to hang out in a hotel with a lover for a day in the city.” A similar story could be seen on the Russian- and English-language forum Club2CRD: One user, commenting on the discounts offered in an advertisement for worldwide airline tickets, queried, “who is flying at the moment? 70% for booking ticket? lol”.
This mixed bag of opinions broadly reflects what Digital Shadows found when we surveyed the dark web travel scene to discover the impact that COVID-19 has had. In general, there appear to be far fewer advertisements for such services this time around: For example, there were three times the number of travel-related search results returned on Verified forum in February 2020 compared to May 2020. Vendors engaged in this industry seem to be taking one of three approaches:
- Staying silent and not bothering to post new advertisements for travel services
This seems to be the approach that Patriarh and Rapesec are taking, and Digital Shadows found countless other examples of previously-prolific vendors who have fallen quiet during this period.
- Promoting alternative aspects of the travel industry
One travel vendor on Club2CRD, for example, posted to reiterate to their customer base that “We reserve hotels in practically every town in Russia” and “every CIS country.” This approach appears to be a reminder to buyers that while international travel is out of the question for many, it may still be possible to travel within your own country, depending on local restrictions.
- Carrying on as if nothing has happened
Although the number of travel-related advertisements on cybercriminal forums and marketplaces appears to have fallen drastically, this content has not dried up completely. Advertisements from vendors valiantly battling on can still be seen and–judging by the forum posts we discussed above–there may still be enough niche demand to provide custom for these vendors during this time.
We also discovered evidence of first-time posters making their first forays into the fraudulent travel sector. While it may seem a strange time to be starting in this industry, it is plausible that newbie posters are taking advantage of the relative quiet to make their name known in the hope that when the travel industry restarts, potential customers will remember advertisements they saw during the lockdown. User “togot4”, for example, created their very first threads offering booking services in May 2020.
There is already evidence that cybercriminals are looking ahead to a time beyond COVID-19 when borders reopen and travel becomes common once again. In mid-June 2020, one user on Club2CRD posted seeking “pro ticket maker to work after Covid-19”. Another vendor had decided that the world was already beginning to open up again, posting “after the disaster of COVID-19, I am back and ready to start business again, including flights and hotels”.
Still another user, having not posted anything since February 2020, advertised airline-specific customer accounts again in May 2020. This vendor appears to have decided that the time is right to start trading again. It’s worth noting, though, that one of the airlines for which the threat actor was offering customer accounts had fallen into administration by the time the post was published, indicating that the vendor may not be so up to date with what is “available” in this changed landscape.
As travel bans are gradually being lifted and “air bridges” introduced, especially across Europe, it will be interesting to see how quickly other travel vendors react and resume their advertisements for fraudulent airline tickets, hotel rooms, and the like. Just as interesting will be seeing how many of the previously well-established travel vendors will have been able to weather the storm, and how fast their trade will pick up again. Digital Shadows will be on the lookout for more handwritten notes from happy travelers indicating that the shadow travel industry has picked up where it left off.