HitB2018Ams — Ticket to Ride: Abusing The Travel and Hospitality Industry for Profit

Presented by Vladimir Kropotov; research also by Fyodor Yarochkin, Mayra Fuentes and Lion Gu

Frank Breedijk
Apr 12, 2018


Underground travel agencies offer travel tickets at heavily reduced rates. Sometimes a business class ticket goes for 25% of the regular coach fare.

Everything you need is available on the underground marketplace, often at a 35% discount or more: flights, hotels, rental cars, Uber rides and even all-in-one vacations.

But it is not limited to regular travel needs. Travel documents and residency permits are also sold online, and so is the ability to have someone blocked from entering Russia for 3–8 years, for about €850.

Guided tours, CIP status and food are also offered. Food is often sold via gift cards for which you pay mere cents on the dollar.

A lot of the communication happens via Telegram. The underground seems to be moving from IRC to Telegram because of its security features.

Loyalty points are sold online as well and can then be exchanged for real flights.

To get goods to the “customer” there is also an anonymous postal service. Many of these marketplaces are very professionally organized and offer multiple payment options.

There are happy reviews on the underground forums, but also stories of travellers who got stuck, were not able to board their plane or could not check in to their hotel.

Where there are criminals, there are also criminals trying to steal from their “customers”. There is plenty of evidence that crime is a problem in the underground scene.

So, how can hackers provide these services?

Russian agencies are more like a real full-service travel agency; the English-speaking market sells building blocks but does not offer a full service.

Often these items are purchased using stolen credit cards, by abusing loyalty programs and by breaking into physical travel agencies. Another practice is printing fake tickets and “returning” them for real money.

Sometimes people abuse airline business processes.

But travellers are victims too. There are hacked Yandex apps out there that let a driver “pick up” passengers before he has actually arrived, because the app allows GPS spoofing.

The underground travel business in Russia is now offering manuals on using a VPN service to keep Telegram working, since the Russian government is proposing to block the use of Telegram in that country.

Corporate rate discount codes are also offered online. Sometimes hotels ask for a corporate ID, but these can also be bought online.

So what can victims do about this?

  • Use anti-fraud systems
  • Block bookings made via VPN services, Tor nodes and strange locations
  • Do a retrospective on every fraud discovered
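As an added illustration of the first two points (not code from the talk or from Trend Micro), the following screen flags a booking when the buyer's IP is a Tor exit node, sits in a VPN range, or comes from a country that matches neither the payment card nor the trip, and when a young account burns a large number of loyalty points. All IP addresses, ranges, geolocation data and thresholds are constructed placeholders, not real feeds.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: placeholders standing in for threat-intel feeds.
# These are NOT real Tor exit nodes or VPN provider ranges.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}
VPN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
GEO_BY_PREFIX = {  # constructed prefix -> country stub, instead of a real GeoIP lookup
    "198.51.100.": "NL", "203.0.113.": "DE", "192.0.2.": "US", "100.64.0.": "FR",
}

@dataclass
class Booking:
    client_ip: str
    billing_country: str       # country of the payment card / account holder
    route_origin: str          # country the trip departs from
    loyalty_points_spent: int
    account_age_days: int

def geo_country(ip: str) -> str:
    """Constructed geolocation stub; a real system would query a GeoIP database."""
    for prefix, country in GEO_BY_PREFIX.items():
        if ip.startswith(prefix):
            return country
    return "??"

def fraud_signals(b: Booking) -> list[str]:
    """Return the signals an anti-fraud system would raise for this booking.
    An empty list means the booking passes this screen."""
    signals = []
    addr = ipaddress.ip_address(b.client_ip)
    if b.client_ip in TOR_EXIT_NODES:
        signals.append("tor_exit")
    if any(addr in net for net in VPN_RANGES):
        signals.append("vpn_range")
    ip_country = geo_country(b.client_ip)
    # "Strange location": the buyer is neither where the card lives nor where the trip starts.
    if ip_country not in (b.billing_country, b.route_origin):
        signals.append(f"geo_mismatch:{ip_country}")
    # Loyalty points are money: a fresh account spending a lot of them is a takeover pattern.
    # The 50,000-point / 30-day thresholds are constructed for this example.
    if b.loyalty_points_spent > 50_000 and b.account_age_days < 30:
        signals.append("loyalty_velocity")
    return signals

def should_block(b: Booking) -> bool:
    """Hold the booking for manual review when any signal fires."""
    return bool(fraud_signals(b))
```

Every blocked booking, and every fraud found later that this screen missed, is input for the retrospective the talk recommends.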

So what can you do as a traveler?

  • Check loyalty points often
  • Loyalty points are money
  • Use good passwords

About the speaker and researchers

Vladimir Kropotov is a researcher with the Trend Micro FTR team. Active for over 15 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations. Vladimir regularly appears at high-profile international conferences such as FIRST, CARO, HITB, Hack.lu, PHDays, ZeroNights, POC, Hitcon, BHEU and many others.

Fyodor is a researcher at Trend Micro, an incident investigation volunteer at Academia Sinica and a Ph.D. candidate at EE, National Taiwan University. He is an early Snort developer and open source evangelist, as well as a “happy” programmer. Prior to that, Fyodor's professional experience includes over eight years as an information security analyst responding to network security breaches and conducting remote network security assessments and network intrusion tests for the majority of regional banking, finance, semiconductor and telecommunication organizations. Fyodor is an active member of the local security community and has spoken at a number of conferences regionally and globally.

Ms. Fuentes is a Senior Threat Researcher for Trend Micro's Forward-Looking Threat Research (FTR) Team. She has worked in the cyber threat field for 10 years as a government contractor and a government civilian for the Department of Defense and in the private sector. Her current research interests include healthcare, cybercrime and underground markets.

Lion Gu is a senior threat researcher at Trend Micro, Inc. He has been a security professional for over 13 years. His research covers various fields, including malware analysis, mobile security, and the underground cybercriminal economy. He has spoken at several conferences such as RuxCon, AVAR, BlackHat Asia, and BlackHat Europe.

This article is part of my coverage of the Hack in the Box security conference 2018 Amsterdam. It is my recording of the talk as it was given at the conference. Therefore any opinions expressed are not mine, but those of the speakers.
