Loyalty programs have grown tremendously in the last decade. Memberships rose to 3.8 billion members recently , with a total value of USD$323 billion for the ecosystem. Loyalty program fraud has significantly increased as well, increasing by 89% in the first quarter of 2019 alone.
We previously explored how loyalty program fraud happens. To better understand loyalty program fraud in Canada, we reviewed thousands of advertisements for fraud services on all the major darkweb marketplaces. We identified those that targeted specifically Canadian loyalty programs. We then contacted over 10 sellers to better understand what services they offered and who the sellers were.
This blog post is a result of our investigation and identifies 5 trends in loyalty program fraud in Canada. It also offers solutions to this growing problem.
1. One malicious actor dominates the market for loyalty program fraud
Of the dozen different malicious actors active in loyalty program fraud, one dominates the market with 58% of all listings. This malicious actor is a jack-of-all-trades that does not specialize in any one brand.
The malicious actor is very popular, with over 2,500 positive reviews. The sheer number of products offered by this actor, beyond just loyalty programs, suggests that they are not one individual. They are likely several malicious actors working together to run a shop. Their volume of products allows the malicious actor to offer some of the lowest prices on the darkweb. A conversation with another malicious actor confirms this price competitive advantage.
[FLARE]: got any account for (censored) over 50,000 points?
[FLARE]: I have seen 100,000 points for 64$ before.
[MALICIOUS ACTOR]: Ive never seen this much points.
[MALICIOUS ACTOR]:
I dont have these prices sorry man.
[MALICIOUS ACTOR]: bro i’m so high I have 43,500 points for $87.
This centralization of fraud makes it easier for companies to monitor and keep track of loyalty program frauds. Indeed, monitoring just one malicious actor provides intelligence on much of the fraudulent activities.
2. Malicious actors do not specialize in the fraud of a single loyalty program
Malicious actors appear to be opportunistic rather than targeted when they steal loyalty program credentials. Indeed, malicious actors advertise the sale of credentials for a wide array of companies.
The main source of stolen credentials appears to be phishing. Two malicious actors explained to us that phishing was their main method to steal credentials they put up for sale. Listings advertise phishing pages that collect a victim’s usernames and passwords and their financial information, including their PIN. They are for sale for around $40. The malicious actors claim to have a very high, if not full, conversion rate of visitors of their phishing pages.
These listings showcase how loyalty program fraud ties to other illicit activities such as credit card theft. Indeed, while the phishing pages collect credentials, they also ask for the financial information of the victims. This shows that attackers are looking to victimize each of their targets in multiple ways to maximize their profits.
We cannot at this point, however, eliminate the possibility that malicious actors use other techniques to fraud loyalty programs. These include leaked credentials and botnets.
3. Three industries appear to be more targeted than others
Listings for air travel loyalty program frauds add up to 28% of all listings. The main targets are general air travel loyalty programs but loyalty programs affiliated with a single airline were also targeted.
Malicious actors also frequently target the hospitality industry (ex. hotels, restaurants), representing about 20% of all loyalty program fraud listings. Malicious actors appear to be targeting one hotel chain and one pizza chain in particular. The points for sale are enough to get a free stay at the hotel chain or a free pizza.
Grocery chains and pharmacies account for 20% of loyalty program frauds. The dominating seller controls 70% of this market, with a handful of smaller competitors. Malicious actors target both privately held and public chains.
Companies that are part of the above industries should make sure that they have a monitoring of loyalty program fraud in place. This will limit the impact of these frauds both on their operations and on their brand image.
4. Credentials are the main currency in loyalty program frauds, but financial information are also important
Malicious actors offer in most loyalty program fraud listings are sold in the form of account credentials. Some malicious actors offer a guarantee, offering to check if the account credentials and point counts are still valid before sending the credentials to the buyer.
Malicious actors sell loyalty program accounts for their points, but also for the credit card information they store. Malicious actors use the accounts to steal the information. They also use it on the website to make new purchases, such as purchasing points.
5. Loyalty program fraud is mostly a Canadian problem
The most active malicious actor for loyalty program frauds in Canada is also active on Empire, the largest international darkweb marketplace. There does not seem, however, to be a strong Canadian presence internationally. Only one other Canadian malicious actor is active on international platforms.
The listings of these Canadian malicious actors appear to target one company in particular, a gas station chain. Their other targets are mostly subsidiaries of large American brands with divisions in Canada.
Most listings on international platforms targeting Canadian loyalty programs are a few months old. This suggests that a low level of fraud should be expected from international fraudsters. These fraudsters may not actively target Canadian companies.
Conclusion
This blog post investigated the loyalty program fraud through malicious actors active on darkweb illicit markets and chat rooms. Our upcoming research will continue this investigation using data collected from other sources such as account shops. As shown in the image below, account shops provide little information about the malicious actors. They do indicate the name of the loyalty programs that are targeted by them as well as the price of the accounts that have been taken over by malicious actors.
These 5 trends lead us to recommend 3 solutions to Canadian companies operating a loyalty program.
First, companies should seek to collect as much actionable intelligence as possible on the activities and targets of malicious actors. One important vector for this is the screenshots of taken over accounts such as the one below. Screenshots are openly shared on platforms like Telegram and ICQ to prove that malicious actors have indeed successfully taken over accounts of specific loyalty programs. The screenshots contain names, points balance as well as dates that help track where malicious actors are logging in from, and which accounts they are targeting.
Second, companies should detect password reuse among their customers’ accounts. We explained in a previous blog post how malicious actors test known usernames and passwords to identify vulnerable accounts. Services that collect leaked usernames and passwords can help detect password reuse and force password resets.
Finally, companies should seek to educate their customers, employees and partners about the risks of phishing attacks. This includes not providing information on a website unless its authenticity has been fully verified and enabling 2 factor authentication (2FA). Malicious actors mention in their profiles that they are not responsible for selling accounts that have 2FA as it vastly increases the difficulty of taking over an account.
I am not responsible for extra security issue such as 2FA, answering questions, SMS Verification for all accounts without exception.
By applying these solutions, companies can decrease the attractiveness of their loyalty programs to malicious actors and prevent fraud as well as brand damage.
