Cybercriminals Phish Their Way Into Customer Loyalty Programs

Scenario: A financial corporation’s customer service center is inundated with calls in a short period regarding customers receiving notifications that their email address and password had been changed. The customers insist they were not the ones to update their profiles, and upon checking the accounts, the service specialists determine the customers’ rewards balances have been depleted.

An emergency response services (ERS) team is called in to investigate, and they find that, fortunately, the integrity of the server was not compromised. Account credential misuse, however, is confirmed — most likely due to cybercriminals who compromised accounts with large loyalty card balances and sold them on the Dark Web. The ERS team found that the Web application allowed attackers to access account credentials by incrementing an ID in the URL, guessing simple passwords or exploiting account users’ reuse of passwords from other compromised sites.
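The following sketch is an added example, not part of the original article or the research report. It shows how a responder could look for two signals from this scenario in web application logs: one client requesting several account IDs other than its own, and an email change, password change and points redemption on the same account within a short window. The log format, action names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical log format:
# timestamp, client IP, logged-in account ID, action, account ID named in the URL
SAMPLE_LOG = """\
2016-03-01T10:00:00 198.51.100.20 5001 view_profile 5001
2016-03-01T10:01:11 203.0.113.7 7001 view_profile 7002
2016-03-01T10:01:12 203.0.113.7 7001 view_profile 7003
2016-03-01T10:01:13 203.0.113.7 7001 view_profile 7004
2016-03-01T10:05:00 203.0.113.7 7003 change_email 7003
2016-03-01T10:05:30 203.0.113.7 7003 change_password 7003
2016-03-01T10:09:00 203.0.113.7 7003 redeem_points 7003
2016-03-01T11:00:00 198.51.100.20 5001 change_password 5001
2016-03-02T09:00:00 198.51.100.20 5001 redeem_points 5001
"""
TAKEOVER = {"change_email", "change_password", "redeem_points"}  # assumed action names

def parse(log):
    """Split each line into (time, ip, session account, action, URL account)."""
    rows = (line.split() for line in log.strip().splitlines())
    return [(datetime.fromisoformat(ts), ip, sess, act, tgt) for ts, ip, sess, act, tgt in rows]

def cross_account_requests(events, min_accounts=3):
    """IPs whose requests name several accounts other than the one logged in."""
    seen = defaultdict(set)
    for _, ip, sess, _, tgt in events:
        if tgt != sess:
            seen[ip].add(tgt)
    return {ip: sorted(a) for ip, a in seen.items() if len(a) >= min_accounts}

def takeover_sequences(events, window=timedelta(minutes=30)):
    """Accounts where email change, password change and redemption fall in one window."""
    by_acct = defaultdict(list)
    for ts, _, _, act, tgt in events:
        if act in TAKEOVER:
            by_acct[tgt].append((ts, act))
    flagged = []
    for acct, evs in by_acct.items():
        evs.sort()
        for start, _ in evs:
            if {a for t, a in evs if start <= t <= start + window} == TAKEOVER:
                flagged.append(acct)
                break
    return sorted(flagged)

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(cross_account_requests(events), takeover_sequences(events))
```

Account 5001 in the sample changes its password and redeems points a day later without an email change, so it is not flagged; only the compressed three-step sequence on 7003 is.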

This scenario is hypothetical, but cases like it are increasing in frequency. Many companies, including retailers, airlines, hotel chains and financial services, offer a loyalty or rewards program to provide an incentive to customers to make purchases from them and remain loyal to their brand. Loyalty or rewards points can be regarded by consumers as another form of currency. That makes these accounts an attractive target for cybercriminals and has led to several data breaches in the past year.

When a customer’s points are compromised, it’s viewed as a direct hit to finances. Therefore, it is important for organizations that offer these programs to identify the root causes of these compromises and, more importantly, determine what they can do to help minimize the chance of their customers’ hard-earned loyalty points being stolen.

Susceptibility to Phishing and Spear Phishing

A very high percentage of attacks are facilitated via phishing and spear phishing. Loyalty programs are not immune to these tactics. With an abundance of personal data on the Internet, it is trivial for an attacker to build a pretty accurate profile of a target in a short period. Job title and shopping preferences could be used to craft the perfect phishing email that unsuspecting victims will assume is legitimate.

Figure 1: Illustration of a potential spear phishing email.

An attacker could further doctor up the email above by including a weaponized document designed to exploit application vulnerabilities and perform a drive-by download. This results in malware infection. The attacker can then activate keylogging functionality to capture the users’ login credentials, exfiltrate information or further map out the network and infect other endpoints. An alternative would be to include a link to a phishing page that mimics the look and feel of a legitimate website.

Protect the Billions of Loyalty Accounts at Stake

U.S. consumers hold 3.3 billion memberships in customer loyalty programs, according to one 2015 study. Rewards programs are widely used across numerous industries. Following a breach, the very thing that these programs aim to achieve — loyalty — is broken. Reputation is tarnished, which costs organizations money to restore. There is also a financial cost associated with reimbursing customers whose points have been stolen and spent. All of these are reasons for organizations to want to focus on applying data security protocols to these programs.

Read the complete research report: The price of loyalty programs

Michelle Alvarez

Manager, IBM X-Force IRIS

Michelle Alvarez is the manager of the Threat Intelligence Production Team with IBM X-Force Incident Response and...