The hospitality, travel, and retail industries, which have been hit particularly hard by the COVID-19 pandemic, have also been increasingly targeted by cybercriminals seeking to profit from the dire situation, a report has found.

“During the lockdowns in Q1 2020, criminals circulated dozens of password combination lists, and targeted each of the commerce industries. It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to an uptick in sales related to loyalty programs,” reads the Loyalty for Sale – Retail and Hospitality Fraud report by content delivery network (CDN) provider Akamai.

These developments contributed to the total tally of more than 100 billion credential-stuffing attacks that Akamai detected between July 2018 and July 2020. No fewer than 63 billion of them targeted the retail, travel, and hospitality sectors. The British health and beauty products retailer Boots is just one notable victim.

Credential stuffing is an automated account-takeover attack during which bad actors leverage bots to hammer websites with login attempts, using stolen or leaked access credentials. Once they stumble upon the right combination of “old” credentials and a new website, they can proceed to exploit the victims' personal data.

Customer loyalty programs prove to be a juicy target for hackers, since the accounts aren’t perceived as high risk by their holders, who may put more effort into locking down their email or social media accounts. Such laxity could take the form of password recycling or other common password mistakes people tend to make.

However, the perception of loyalty programs not being high risk isn’t strictly true. “These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft,” reads the report.

RELATED READING: Simple steps to protect yourself against identity theft

The report also outlines a number of examples of how compromised loyalty card accounts could be abused. Hotel reward points, for one, are considered a hot commodity, since these can be used to book free stays, upgrade to better rooms, or used to access various activities. Depending on the number of accumulated points and the hotel chain, loyalty accounts can be sold on cybercrime forums for as much as US$850.

Some cybercriminals venture even further and operate their own dark-web “travel agencies”, using a combination of stolen credit cards and airline and hotel loyalty programs. “Many of the travel listings on the darknet charge a percentage of the overall trip cost, anywhere from 25% to 35% — meaning a US$2,000 booking on a well-known travel comparison/booking website would cost about US$700 on the darknet,” the report said.

Beyond credential-stuffing attacks, threat actors also used SQL Injection and Local File Inclusion attacks to target the retail, hospitality, and travel industries. Akamai recorded almost 4.4 billion web attacks targeting these sectors, which accounted for 41% of overall attacks against all industries. Cybercriminals also deployed Distributed Denial-of-Service (DDoS) attacks, with an average of 125 attacks targeting the commerce industry each week between July 2019 and July 2020.