August 18, 2022 by Adi Bleih

Vacation Scams on the Dark Net


This summer, the skies are open with almost no flight restrictions for the first time since the beginning of the COVID-19 pandemic. Tourism is reaching pre-pandemic levels, and even surpassing them in some countries. While your friends and family are taking some days off somewhere, threat actors are working harder to harm your wallet and ruin your vacation time. With demand for flight and hotel bookings so high, threat actors are taking advantage by scamming legitimate customers using a variety of techniques. As a result, financial damage is caused to every side involved in the deal: the hotel, the airline vendor, the bank, and the customer.

A win for one and a loss for all.

On the deep and dark web, we can find a range of services and tutorials on offer: stolen credit cards, compromised accounts from booking sites, refund methods, carding, phishing pages, smishing services, and more.

Let’s dive in and view some examples.


In addition to trying to steal financial information, such as credit cards, bank statements, logs, etc., threat actors are trying to get hold of the hard-earned frequent flier miles and hotel points of experienced travelers. They may use them for personal bookings or sell them on different markets.

In the example below, the threat actor offers access to a compromised Yahoo email address, which includes access to an account that had recently been used to book a hotel.

Figure 1: Compromised account with booked hotel offered for sale

In this example, a threat actor is selling flight confirmations from Ryanair. According to him, he will provide the buyer with active accounts with booked orders, with mail access only. He also mentions that only a password reset is needed to take over the account fully. The asking price is $3.5.

Figure 2: Flight confirmation file for sale

Tutorials and methods offered

In addition to selling “prepared products” for direct use, such as compromised accounts, phishing pages, and financial information, threat actors offer to sell their scamming methods. These guides and tutorials are often used by beginners and actors who are taking their first steps in the scamming/fraud world. In the process, the actors get all the tools, knowledge, and guidance needed for each step.

Scam operations depend on various resources to succeed, such as credit cards, account access, email addresses, and others. Not all services offered on the dark web provide them, and sometimes the user needs to get them from other sources.

As we can see in the example below, a threat actor is offering to provide a complete guide and tools for booking flights and hotels at discounted prices, with an initial investment of only $30. As a bonus, he throws in an offer for buyers to book flights and hotels valued at $2,500 with the same method.

Figure 3: Carding methods offered for 450 Euros

In the second example in this section, a product offered on an underground market contains a full guide with methods and descriptions for free traveling. The method is called the household method. For this operation, the user needs at least one British Airways account with Avios points in order to successfully perform the household method.

Figure 4: Guide for free travel methods

Services offered

Besides selling methods and guides, threat actors offer their personal scamming services. This type of service is most often bought by less experienced actors or, on the other hand, by actors who don’t want to waste time on low-rate scams. In this example, a service provider offers his work, guaranteeing a 55% discount from the total price on each deal, in Europe, the USA, and Canada. Here, the buyer doesn’t need to perform any actions except making the reservation itself, uploading it to the mentioned domain –, and later sending the link/screenshot to get the discount.

Figure 5: Personal carding service for travel agencies and private


Phishing is also offered as a service, but the stakes are higher than in the other services we saw, and it can harm an organization and its customers at much higher levels.

In the example below, we see an active phishing page that is used to steal information from users who enter their personal information to receive the “Thailand pass” for entering the country. Threat actors are taking advantage of the pandemic restrictions on entering different countries, which are more relevant at this time of the year, when the tourism season is at its peak.

Figure 6: Built phishing page for Thailand's future travelers

In the second example, within a Telegram group, a threat actor offers to build phishing pages on different topics, such as flight reservation sites or hotel bookings. The actor attached proof of his past work, and asks to communicate with him on WhatsApp or Telegram only.

Figure 7: Phishing page template offered for sale on the deep web


While many people around the world are looking for a location to spend their upcoming summer vacation, threat actors are looking to steal money and personal information from reservations that are planned or already made. Flight tickets and hotel reservations are the main trends that motivate and direct them to perform scams and fraud. Threat actors use different methods to perform those types of attacks, such as compromising accounts, using refunds and carding, phishing pages, and other techniques.

Since the beginning of 2022, and especially in the June-August months, thousands of people around the world have fallen victim to scamming attacks that caused financial loss and vacation cancellations. When booking your next hotel, check the vendor and the site you order from, and enjoy your safe vacation!
