Air miles may seem like an unusual thing to purchase on the Dark Web, but business is booming.
Frequent flyer miles can be used for free travel, access to exclusive airport lounges, and free or heavily discounted upgrades to business and first class on flights.
While you usually earn these points by purchasing services with an airline, cyberattackers are taking advantage of lax policies on their use and exchange to turn a profit on stolen points.
According to Paul Bischoff, privacy advocate at Comparitech.com, air miles issued by airlines including Delta, British Airways, Emirates, and Alaska Air, among others, are easily available online.
After investigating Dark Web marketplaces including Dream Market, Olympus, and the Berlusconi Market, Bischoff found that sellers are flogging hundreds of thousands of frequent flier points for a fraction of the cost legitimate buyers expect to pay.
In a blog post on Wednesday, the security researcher said that cybercriminals are touting their wares for as little as $31 for a batch of stolen air miles.
Air miles can be stolen through outright customer account hijacking or by exploiting weaknesses in airline systems to transfer or award points. Once air miles have been secured, they may be redeemed immediately and the rewards sold on, or they may be "cleaned" by transferring the miles into another, legitimate account.
In total, 100,000 BA air miles were found for sale at the price of €124 ($144); 45,000 Delta SkyMiles could be bought for $101; 100,000 Emirates Skywards points could be purchased for $520, and $884 would buy you 100,000 Virgin Atlantic Flying Club points.
On offer for the cheapest rate was a pack of Delta miles for $31; and oddly enough, a pack of 200,000 BA points was also apparently on offer for $45.
"Prices are not consistent across vendors and seem to be based more on the vendor's preference than supply and demand," Bischoff says.
The air miles are offered for purchase in cryptocurrency, including Bitcoin (BTC) and Monero (XMR), which is often used in Dark Web marketplaces in order to anonymize transactions (at least, to a point).
In one example, a single seller was offering over a dozen different airline air mile packages, which suggests that this vendor may have insider knowledge or a tool or two able to compromise frequent flier systems used by various carriers.
Delta SkyMiles and British Airways were the most common listings.
"The real-world value of frequent flyer miles varies widely depending on the rewards program and what you spend them on," the researcher noted. "Airline points are typically worth between one and two cents each. So if we assume 100,000 miles (valued at $0.015 each) are worth $1,500, you can see the Dark Net prices come in at a fraction of the cost."
Despite how cheap they are, buying and using stolen air miles comes with risk.
They cannot be used in the traditional sense, such as on airfare or hotel bookings, because IDs are required. Due to lax security practices, however, they can still be redeemed by way of gift cards and purchases made at local retailers which have partnership deals with carriers.
"Due to the lack of verification, frequent flyer miles have become a profitable target for hackers and thieves," Bischoff says. "And because most of us don't use or check our frequent flyer accounts very often, the theft can go unnoticed for months."
However, if you are caught using stolen air miles, not only may all of your frequent flier points be confiscated, but some airlines may go as far as canceling all of your bookings because you are breaking the terms of service.
Carriers may have a constant problem with the illegal sale, trade, and theft of frequent flier points, but these companies are also using air miles as a reward for security researchers able to help them prevent such occurrences in the first place.
United Airlines, for example, has launched a bug bounty program which rewards vulnerability reports with air miles. One Dutch hacker, a 19-year-old, has earned hundreds of thousands of air miles by reporting flaws in the airline's systems.
To prevent your own frequent flier account from being hijacked by criminals looking to turn a quick profit, you should use strong passwords which are not repeated elsewhere, and consider checking the account occasionally so you can report any issues quickly to your carrier.
"It's important to remember that common sense cybersecurity practices should apply to all your online accounts, not just your frequent flyer account," the researcher added.