Scenario: A financial corporation’s customer service center is inundated with calls in a short period regarding customers receiving notifications that their email address and password had been changed. The customers insist they were not the ones to update their profiles, and upon checking the accounts, the service specialists determine the customers’ rewards balances have been depleted.

An emergency response services (ERS) team is called in to investigate and finds that, fortunately, the integrity of the server was not compromised. Account credential misuse, however, is confirmed, most likely by cybercriminals who took over accounts with large loyalty balances and sold them on the Dark Web. The ERS team found that the Web application let attackers reach other customers' accounts and profile data simply by incrementing an ID in the URL (an insecure direct object reference), and that further accounts were taken over by guessing simple passwords or by replaying credentials the customers had reused on other, already compromised sites.
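The first of the three failures in the scenario, an account record fetched by whatever ID appears in the URL, is the easiest to show in code. The block below is an added example and not part of the original article: a vulnerable lookup beside its hardened form, which ties the record to the authenticated session, plus a small detector for the sequential-ID pattern that kind of enumeration leaves in access logs. The account table, the user names, the log lines and the threshold of three consecutive IDs are all constructed for illustration.

```python
"""Added example (not from the original article): insecure direct object
reference on a loyalty-account endpoint, the hardened lookup, and a log-based
detector for ID walking. All data below is constructed for illustration."""
from collections import defaultdict
import re

# Constructed "database": account_id -> (owner username, rewards balance).
ACCOUNTS = {
    1001: ("alice", 52000),
    1002: ("bob", 310),
    1003: ("carol", 98500),
}


class Forbidden(Exception):
    """Raised when a session tries to read an account it does not own."""


def get_account_vulnerable(session_user, account_id):
    """IDOR: the only lookup key is the attacker-controlled ID. The session is
    never consulted, so any logged-in user can walk 1001, 1002, 1003, ... and
    read every customer's balance and profile."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user, account_id):
    """Same lookup, but the record must belong to the authenticated session.
    Missing and foreign IDs raise the same error so the response does not
    confirm which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != session_user:
        raise Forbidden(f"account {account_id} not accessible to {session_user}")
    return record


def is_accessible(session_user, account_id):
    """Boolean wrapper around the hardened lookup, handy for tests."""
    try:
        get_account_hardened(session_user, account_id)
        return True
    except Forbidden:
        return False


# Constructed access-log excerpt in a common-log-style layout: one client
# walks four consecutive IDs in three seconds; another reads only its own.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:00:01] "GET /account/1001 HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2016:09:00:02] "GET /account/1002 HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2016:09:00:02] "GET /account/1003 HTTP/1.1" 200
203.0.113.7 - - [10/Mar/2016:09:00:03] "GET /account/1004 HTTP/1.1" 200
198.51.100.4 - - [10/Mar/2016:09:00:05] "GET /account/1002 HTTP/1.1" 200
198.51.100.4 - - [10/Mar/2016:09:04:11] "GET /account/1002 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /account/(?P<id>\d+) ')


def find_id_walkers(log_text, min_run=3):
    """Return {ip: [ids]} for clients that requested at least `min_run`
    consecutive account IDs in order. A real customer reads their own account,
    not a sequence. The threshold is an assumption chosen for the example."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].append(int(m["id"]))
    walkers = {}
    for ip, ids in seen.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                walkers[ip] = ids
                break
    return walkers


if __name__ == "__main__":
    print(get_account_vulnerable("bob", 1003))  # bob reads carol's balance
    print(is_accessible("bob", 1003), is_accessible("bob", 1002))
    print(find_id_walkers(ACCESS_LOG))
```

The hardened lookup closes only the enumeration path; the other two root causes in the scenario, weak passwords and credential reuse, call for separate controls such as login rate limiting and rejecting passwords that appear in known breach corpora. The log detector is worth running even after the fix, since a hardened endpoint returning the same error for every foreign ID still records the walk.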

This scenario is hypothetical, but cases like it are increasing in frequency. Many companies, including retailers, airlines, hotel chains and financial services, offer a loyalty or rewards program to provide an incentive to customers to make purchases from them and remain loyal to their brand. Loyalty or rewards points can be regarded by consumers as another form of currency. That makes these accounts an attractive target for cybercriminals and has led to several data breaches in the past year.

When a customer’s points are compromised, it’s viewed as a direct hit to finances. Therefore, it is important for organizations that offer these programs to identify the root causes of these compromises and, more importantly, determine what they can do to help minimize the chance of their customers’ hard-earned loyalty points being stolen.


Susceptibility to Phishing and Spear Phishing

A large share of attacks begin with phishing or spear phishing, and loyalty programs are not immune to these tactics. With an abundance of personal data on the Internet, it is trivial for an attacker to build a fairly accurate profile of a target in a short time. A job title and a few shopping preferences are enough to craft a convincing phishing email that an unsuspecting victim will assume is legitimate.


Figure 1: Illustration of a potential spear phishing email.

An attacker could further weaponize the email above by attaching a document that exploits a vulnerability in the reader application and installs malware with no further interaction from the victim. Once the endpoint is infected, the attacker can enable keylogging to capture the user's login credentials, exfiltrate information or map out the network and infect other endpoints. An alternative is to include a link to a phishing page that mimics the look and feel of the legitimate rewards site and simply collects whatever credentials are typed into it.
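The two delivery methods described above, a malicious attachment and a link to a look-alike login page, leave tells that a mail gateway or an analyst can check for. The block below is an added example, not code from the original article or from IBM: it parses one constructed message and flags a Reply-To or Return-Path domain that differs from the From domain, a link whose visible text names one host while its href points to another, and a macro-enabled or executable attachment. The message, the domains and the list of suspicious extensions are all constructed for illustration.

```python
"""Added example (not from the original article): header, link and
attachment checks for a spear phishing email. The messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list for the example; a real gateway policy would be longer.
SUSPICIOUS_EXTENSIONS = (".docm", ".xlsm", ".js", ".hta", ".scr", ".exe")

# Constructed phishing message: spoofed From, look-alike reply domain, a link
# whose text and target disagree, and a macro-enabled attachment.
RAW_MAIL = """\
Return-Path: <bounce@rewards-login-verify.example>
From: "Example Rewards" <rewards@example.com>
Reply-To: support@rewards-login-verify.example
To: jane.doe@example.org
Subject: Your 98,500 points expire Friday - confirm now
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Dear Jane, log in at
<a href="http://rewards-login-verify.example/login">https://example.com/rewards</a>
before Friday to keep your points.</p>
--B1
Content-Type: application/octet-stream; name="Statement.docm"
Content-Disposition: attachment; filename="Statement.docm"

ZmFrZQ==
--B1--
"""

# Constructed legitimate message for contrast.
CLEAN_MAIL = """\
From: "Example Rewards" <rewards@example.com>
Reply-To: support@example.com
To: jane.doe@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>View it at <a href="https://example.com/rewards">https://example.com/rewards</a>.</p>
"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(header_value):
    """Domain of the first address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no tells."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg["From"])
    # Replies or bounces routed to a domain other than the claimed sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(SUSPICIOUS_EXTENSIONS):
            findings.append(f"attachment {fname} is an executable or macro-enabled type")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            # Link text that names one site while the href points to another.
            for href, text in HREF_RE.findall(html):
                shown = urlparse(text.strip()).hostname
                target = urlparse(href).hostname
                if shown and target and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
    return findings


if __name__ == "__main__":
    for f in phishing_indicators(RAW_MAIL):
        print("-", f)
    print("clean mail findings:", phishing_indicators(CLEAN_MAIL))
```

None of these checks proves a message is malicious on its own; a legitimate mailing vendor can also set a foreign Return-Path. Treat them as triage signals, and combine them with sender authentication results (SPF, DKIM, DMARC) from the receiving gateway before blocking.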

Protect the Billions of Loyalty Accounts at Stake

U.S. consumers hold 3.3 billion memberships in customer loyalty programs, according to one 2015 study, and rewards programs are widely used across numerous industries. Following a breach, the very thing these programs aim to achieve, loyalty, is broken. Reputation is tarnished, which costs organizations money to restore, and there is a direct financial cost in reimbursing customers whose points have been stolen and spent. All of these are reasons for organizations to apply the same security controls to these programs that they apply to any other system holding something of monetary value.

Read the complete research report: The price of loyalty programs
