Business travel ground to a halt at the onset of the COVID-19 pandemic with meetings, summits, conferences, and other events moving online. As vaccinations roll out in 2021, international travel will likely resume with destination countries imposing new requirements for visitors such as proof of COVID-19 vaccinations, use of track-and-trace apps, and quarantining upon arrival. Threat actors will likely exploit the confusion surrounding travel arrangement requirements to target business travelers and the travel industry—especially airlines and hotels. This blog looks at new and existing challenges to business travel and strategies to mitigate them.

Challenges to business travel imposed by COVID-19

 

Black market for fake vaccination records and negative tests

Since the start of 2021, multiple messaging channels, clearnet, and dark web markets have advertised false COVID-19 vaccination records. In the United States, blank Center for Disease Control and Prevention (CDC) “COVID-19 Vaccination Record” cards are selling for between US$15 and US$60 per card.

Threat actor selling forged vaccination cards on Telegram

As of May 2021, demand for these cards continues to grow - with many people stating they will refuse the vaccine and many more who are awaiting their turn - this market is expected to flourish in the short term. For the same reasons, there is a market for forged negative COVID-19 test results that many countries require for travel, and for entering events with crowds such as conferences and seminars. Europol has issued a warning of fraudulent COVID-19 test certificates being sold to travelers in France, Spain, and the United Kingdom. Accenture’s Cyber Threat Intelligence (ACTI) searched across hundreds of dark web and clearnet sites and found many instances of people actively seeking out fake negative test results in order to leave their country, especially on English-speaking forums. This demand would serve to encourage entrepreneurial threat actors to enter this market, increasing competition and therefore the quality of forged documents.

Track-and-trace app privacy concerns

Many governments have or will have their own technology to track-and-trace post-lockdown international travel. The Malwarebytes State of Malware Report addresses how governments plan for contact-tracing and the corresponding privacy concerns surrounding how personal data is processed, stored, and used. They cite several examples of how data has been misused by governments of several different countries in a variety of ways.

Malicious and unsecure mobile applications

Threat actors are aware of the rush to implement new technology and the pressure on travelers to use it. Since the beginning of the outbreak, threat actors have been using COVID-19 themes in their operations to lure users to deploy spyware, banking Trojans, and adware to mobile devices.

In March 2020, ACTI identified an Android screen locker with the name “Coronavirus Tracker” from a fake “coronavirusapp” website. Upon installing and opening the Android Package Kit (APK) file named Coronavirus_Tracker.apk, the malware locks the user's phone screen, changes the user's unlock screen password, and demands a US$100 ransom.

<<< Start >>>

Fake Coronavirus tracker website resulting in locked screen

<<< End >>>

Examples of unsecure COVID-19 applications that have caused data leaks or theft include a February 2021 report from TechCrunch on large volumes of immigration documents and COVID-19 test results left exposed on the Internet belonging to travelers to Jamaica. The Jamaican government uses its JamCOVID19 website and app to publish COVID-19 data and approve travel applications required to visit the country. In January 2021, Reuters reported on personal data being stolen from the Netherlands’ COVID-19 track-and-trace program. ACTI assess this type of data as highly valuable to bad actors specializing in forging travel documents, and in phishing campaigns.

Increased supply and demand for traveler data

The underground market for compromised traveler data—particularly payment card data, frequent flyer miles, hotel points, and compromised credentials for any travel-related account—will flourish as the travel industry recovers. Threat actors are interested in business travelers who accumulate high volumes of frequent flyer miles as they have access to greater perks and higher credit limits. The dark web is already awash with compromised data from high profile breaches of airlines and hotel chains which have occurred over the past few years. On 4 March 2021, airline IT and telecommunications service provider SITA reported that a 24 February 2021 cyber attack affected its passenger service system servers. Although SITA did not disclose the impacted airline carriers, the news media reported the incident affected 2.1 million frequent flyer and loyalty members of multiple major airlines.

Some attacks on travel companies do not make the news. ACTI have observed a threat actor advertising network access to airlines in Kuwait, Wales, and Thailand, and another advertising domain admin access to a hotel company with annual revenue of up to US$300 million and an airline company with revenue of up to US$3 billion. There are several other examples of individual advertisements of sales of network access to hotels, or of databases containing passenger information.

The thriving dark web market for traveler data has led to “trip-booking services” where criminals book trips for travelers using compromised credit card data, air miles, hotel points, and more. Although demand for these services suffered with the pandemic's travel bans and lockdowns, ACTI estimates interest in the Dark Web travel market will resume as people return to scheduling holiday travel but seek heavy discounts given the struggling global economy and reduced incomes.

Targeting of company executives

Threat actors have long been targeting company CEOs and other executives to steal company data, proprietary information, or secrets they can use to extort these high profile individuals. Advanced espionage DarkHotel actors, who ACTI tracks as SNIPEFISH, have consistently been targeting VIPs since at least 2007. The group exploits high-end hotel and business Wi-Fi networks and uses zero-day vulnerabilities to spy on its targets. In January 2021, ZDNet reported that a hacking group had been targeting the airline industry for several years to steal passenger information and track the movements of persons of interest. The article lists several other examples of suspected state-sponsored hacking groups targeting airlines, hotel chains, and telecommunications companies to track persons of interest.

VIPs will likely continue to be attractive targets after the pandemic and should exercise extreme caution when resuming business travel particularly given the rise of spyware and stalkerware apps beginning in early 2020; actors use these apps to harvest data from devices belonging to their targets.

Conclusion

There are currently a number of different projects underway with the aim of confirming traveler “proof of status” – these hope to combine secure methods of storing digital health credentials to prove either a negative test or vaccine confirmation to allow travel. This huge undertaking relies on cooperation and data from many organizations and integrated technologies. In the meantime, threat actors of all skill levels are aware of and exploiting the travel industry's state of turmoil and the range of potentially lucrative data that business travelers hold, starting with sensitive company data down to frequent flyer miles. With the rush to return to travel, threat actors are prepared to exploit the shortcuts some might take to attend an international event or meeting. Organizations should employ a robust approach to resuming travel and implement a matrix of tick-boxes and risk assessments to safeguard their staff, data, and networks.

Mitigation

To help mitigate threats to business travel, ACTI suggests:

  • Using dark web threat intelligence to remain ahead of data breaches and monitor for compromised user credentials that actors can use in spear-phishing attempts or for account takeovers.
  • Advising staff against posting screenshots of COVID-19 test results or vaccine cards containing personal data which could be harvested by criminals for use in forgeries.
  • Complying with items on a pre-travel checklist including required official documentation, COVID-19 test results, and vaccine confirmations.
  • Conducting risk assessments on travel requirements of the destination country, particularly surrounding data privacy concerns of required track-and-trace apps.
  • Remaining informed on COVID-19 precautions as well as testing and quarantine requirements from official government and tourism board websites.
  • Carrying only essential corporate devices on travel and ensuring accounts and devices are secured with multi-factor authentication, where possible.
  • Educating staff on staying secure when traveling by not connecting to open Wi-Fi networks without a secure VPN, using privacy screens in public places, running regular antivirus scans, avoiding the use of unfamiliar USBs and chargers, and ensuring all software and operating systems are up to date.

Our ACTI team provides actionable and relevant threat intelligence to support decision makers. The intelligence analysis and assessments in this report are grounded in verified facts; more information on this activity is available to subscription customers on ACTI IntelGraph. IntelGraph is a proprietary next generation security intelligence platform that allows users to search, visualize, and contextualize the relationships between malicious actors, their tools and the vulnerabilities they exploit.

Paul Mansfield is a senior analyst in Accenture CTI Reconnaissance Team, which produces actionable intelligence and tracking threat actors operating in both open and closed communities.

 

 

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes reference to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.

Copyright © 2021 Accenture. All rights reserved.

Paul Mansfield

Cyber Threat Intelligence Analyst

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog
Subscribe