The unofficial start to summer has arrived. Tens of millions of people traveled over Memorial Day weekend, and airport crowds set new records last weekend. Vacation season is here.

Overall, Americans don’t appear to be cutting their vacation plans, despite the pace of inflation. Google revealed “cheap summer vacations” is one of its most popular travel search trends. There are lots of ways for travelers to find ideas to travel for less. Many of these ideas involve making compromises on location or accommodations.

But I have high expectations for my vacation. I want to go to Aruba this summer and stay at a four-star resort. So, I challenged myself to find another way to have the vacation of my dreams – while still managing to save money.

An image of Aruba's sandy beach with clear turquoise water, bordered by rocky outcrops and lush green trees under a partly cloudy sky. Palm trees are visible in the distance.

Which brings me to credential stuffing. It is an automated attack that replays large lists of leaked username and password pairs against a website's login in hopes of getting into someone else's account. Because password reuse across websites is so common, it often succeeds, and most people have no idea just how rampant the practice is. Working at Kasada, I see external evidence of fraud daily that is caused by credential stuffing and/or info-stealing malware. The travel industry is especially exposed to account fraud because of the value stored in accounts: customer accounts are taken over, or fake accounts are created at scale, and then monetized, for example by selling the account or transferring the reward points it holds.
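What that attack looks like from the defender's side of the login endpoint, as an added example (not code from the original post or from Kasada): a small Python script that parses constructed auth log lines and flags the signature of a stuffing run. The log format, the field names and the thresholds are assumptions for the illustration; a bot replaying a leaked list tries each account about once and mostly fails, whereas a human who mistypes a password retries the same account. The accounts the bot did get into are the password-reuse victims, which are exactly the accounts that end up for sale.

```python
"""Flag credential-stuffing sources in a login log and list the accounts
they got into. Sample data and log format are constructed for this
example; adapt LINE_RE to a real auth log."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real traffic). 203.0.113.7 plays the stuffing
# bot: one attempt per account, a new account each time, mostly failing.
# 198.51.100.20 is an ordinary user who mistyped once and then got in.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:01Z ip=203.0.113.7 user=bob@example.com result=OK ua=python-requests/2.31
2024-06-01T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:02Z ip=203.0.113.7 user=dave@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:03Z ip=203.0.113.7 user=frank@example.com result=OK ua=python-requests/2.31
2024-06-01T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:05Z ip=203.0.113.7 user=ivan@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:00:05Z ip=203.0.113.7 user=judy@example.com result=FAIL ua=python-requests/2.31
2024-06-01T10:01:10Z ip=198.51.100.20 user=alice@example.com result=FAIL ua=Mozilla/5.0
2024-06-01T10:01:25Z ip=198.51.100.20 user=alice@example.com result=OK ua=Mozilla/5.0
2024-06-01T10:02:00Z ip=198.51.100.31 user=carol@example.com result=OK ua=Mozilla/5.0
"""

# Assumed log layout: timestamp, then key=value fields, user-agent last.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) ua=(?P<ua>.+)$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts the IP got into


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def aggregate_by_ip(events):
    """Roll login events up per source IP."""
    stats = defaultdict(IpStats)
    for ev in events:
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(ev["user"])
    return stats


def flag_stuffing(stats, min_attempts=5, min_user_ratio=0.8, min_fail_rate=0.5):
    """Return {ip: IpStats} for sources whose pattern looks like stuffing.

    Thresholds are illustrative. A replayed leak spreads attempts across
    many accounts (high distinct-user ratio) and mostly fails, because most
    leaked passwords no longer match. A human fumbling their own password
    is several attempts on ONE account, so the user ratio stays low.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        user_ratio = len(s.users) / s.attempts
        fail_rate = s.failures / s.attempts
        if user_ratio >= min_user_ratio and fail_rate >= min_fail_rate:
            flagged[ip] = s
    return flagged


def compromised_accounts(flagged):
    """Accounts a flagged source logged into: the reused-password victims.
    Blocking the IP is not enough; these need a forced credential reset."""
    accounts = set()
    for s in flagged.values():
        accounts |= s.successes
    return sorted(accounts)


def analyze(text=SAMPLE_LOG):
    """Return (sorted flagged IPs, sorted accounts to force-reset)."""
    flagged = flag_stuffing(aggregate_by_ip(parse_log(text)))
    return sorted(flagged), compromised_accounts(flagged)


if __name__ == "__main__":
    ips, victims = analyze()
    print("suspected credential-stuffing sources:", ips)
    print("accounts to force-reset:", victims)
```

On the sample data this flags only 203.0.113.7 and names bob@ and frank@ as the accounts to reset; the user who mistyped once is left alone. The caveat is that per-IP counting only works against a naive bot. Stuffing tools rotate through residential proxies so that each IP makes a handful of requests, which is why production defenses also key on request fingerprints and session behaviour rather than source address alone.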

I challenged myself to use my first-hand knowledge of bot-driven account fraud to find myself a deeply discounted vacation to the Caribbean for some fun in the sun. After all…there are some great deals out there if you know where to look.

Airfare

I did a bit of research to identify which airlines and specific flights could be booked with loyalty points within the next few months. I'll need about 28k points to redeem a flight. Without points, a roundtrip flight from the Northeastern US to Aruba would have cost me $420 in July.

Kasada's Q1 Quarterly Threat Report states that the average value of a frequent flier point, as determined by the cost of accounts being sold on criminal marketplaces, ranges from $0.0003 to $0.001, depending on the airline and the total points available to the account holder. At that rate, 28k points should cost somewhere between $8.40 and $28, so it's not going to cost me very much.

After a bit of searching, I found a listing for an account holding 28k flier points for $22.40, which works out to about $0.0008 per point. I felt pretty good about the purchase given the seller's average review score of 4.98/5 and a stock of up to 100 such accounts.

Screenshot of a product page with details including price, stock, and options to share, promote, or buy now. Ratings from Trustpilot are visible, and a quick view option is available.

Accommodations

Next, I need a place to stay. I was a bit torn about whether I wanted to stay at a hotel or a by-owner rental. I decided on a hotel.

To recharge, I'm planning to stay 7 nights, and I need at least 400,000 points for a higher-category hotel that would otherwise cost about $450 per night, because I deserve luxury and like oceanside views. Who doesn't, right? This will cost me $70 for an account guaranteed to contain anywhere from 400k to 500k points, under $0.0002 per point. The seller has 1,143 positive reviews and only one negative. I might even have a few extra points left over to upgrade myself to the spa package.

Screenshot of an online marketplace item listing showing various color-coded buttons, ratings, and trust scores. Price is 70.00 USD with a stock of 28 items. Multiple payment options are available.

The seller advises me to log in with Wi-Fi OFF and from a "good" IP address, then replace the original account owner's credit card details with my own so there are enough funds to cover the security deposit (I will not actually be charged). I'm also advised to change the email address in the guest information so that I receive the confirmation email. Finally, after booking the room, I'm told to phone the hotel chain and ask whether they can rebook under another name, with a line such as, "I am trying to book a room for my nephew with my rewards points, but I couldn't add him as a guest."

Instructions on how to exploit hotel reward points to book a room, which include replacing guest information, deceiving hotel staff, and manipulating the booking process.

Transportation

I’ll need a rental car for the week. It’s important that I can make my way around the island to check out the sights and beautiful beaches. There’s a lot to see and I don’t want to miss a thing. A stolen account loaded with 10,000 points is more than enough to get me a convertible for the week – for a cost of only $12.

A product dashboard displays product image placeholders, ratings, trust score, sync timing, multiple action buttons, price, and stock availability.

Dining & Souvenirs

While I could certainly buy additional hotel points to cover dining within the hotel, I like to explore and try the local restaurants. Variety is the spice of life. So I've picked up a widely accepted prepaid debit card for fine dining establishments of my choosing: access to a card with a $4,000 balance for $43.33.

The listing guarantees card details with at least $4,000 on the balance. A detailed guide to using the card and withdrawing the balance "safely" is included, as is one week of access to an OTP bot, presumably for tricking the original owner into giving up their 2FA code. Alternatively, I can withdraw the funds into my own crypto wallet and from there into my own bank account. Funnily enough, the seller recommends using no more than 5 cards per week, as the seller does, for security reasons. But I'll stick with just one, since it covers my dining and a splurge on a new watch.

Screenshot of a website showing a gold card with options to buy a prepaid debit card loaded with $4000. The screen displays stock information and a purchase price of 43.33 USD.

Text description of guidelines for using and withdrawing a balance, including a Q&A section about wallet withdrawals, card usage limits, and refund/replacement policy.

A review shows a five-star rating with the text, "Binance account worked and I asked him to move the balance for me and he did it, excellent service I will buy again." The image background is green.

Oh, what great service!

Social Media 

Aside from LinkedIn, I'm not active on social media. So, to share my vacation and make sure my inevitable epic wakeboarding wipeout goes viral, I've splurged on a social media account with 1,000 high-quality followers. The $4 account is guaranteed to work for a month. None of that silly stuff where Elon makes new users wait months before they can post; not necessary.

Screenshot of a web page listing a service offering 1,000 high-quality followers for $4.00 USD, available via PayPal, Stripe, Coinbase, or Cash App. Various stats and options are shown, including reviews and stock status.

Why pay retail? 

I "booked" my week-long trip to Aruba for a total of $151.73 ($22.40 + $70 + $12 + $43.33 + $4) thanks to the abundance of stolen accounts for sale on third-party marketplaces. I didn't have to compromise on location or accommodations, and I owe much of it to our favorite oldie but goodie automated attack: credential stuffing!

Table comparing the stolen account cost and estimated retail price of various travel-related items, showing a total saving of $8,318.27 with stolen accounts.

Summary 

I’ll fess up. I didn’t actually purchase any of these stolen accounts. I’ll be joining the ranks of those looking for legitimate summer travel discounts that aren’t fraudulent. But given the stock of accounts and volume of confirmed purchases on secondary marketplaces, other people certainly do purchase these stolen accounts. A lot of them.

One can try to blame the consumer for reusing credentials or for not turning on two-factor authentication where it is offered. But blame can also be cast on the ineffective anti-bot defenses still in use, which fail to detect automated abuse of customers' logins by tools such as OpenBullet. Times have changed, and the external evidence of account fraud is proof that the old way of stopping bots has run its course. A whole underground market exists to "solve" first-generation anti-bot defenses for less than a penny per solve, so anyone looking to bypass them can do so without much skill.

The impact on travel and hospitality businesses is exorbitant infrastructure and fraud costs, plus brand damage every time a customer's account is breached. Real people lose their accounts and hard-earned points, and while companies often reimburse this fraud, the damage is sometimes irreparable because of lost trust.

KasadaIQ for Fraud provides external evidence of fraud for leading travel and hospitality brands. Request a free snapshot if you want to know whether your business has accounts up for sale and how many have been monetized based on the thousands of non-traditional sources we monitor.

Want to learn more?

  • Kasada’s Reflections on the Q3 2024 Forrester Wave™ – Bot Management Evaluation

    Kasada named a Strong Performer. Here are some of our own reflections having taken part in this evaluation.

  • Exposing the Credential Stuffing Ecosystem

    Through our infiltration of the credential stuffing ecosystem, we reveal how various individuals collaborate to execute attacks and expose vulnerabilities for profit.
