Scenario: A financial corporation’s customer service center is inundated with calls in a short period regarding customers receiving notifications that their email address and password had been changed. The customers insist they were not the ones to update their profiles, and upon checking the accounts, the service specialists determine the customers’ rewards balances have been depleted.

An emergency response services (ERS) team is called in to investigate, and they find that, fortunately, the integrity of the server was not compromised. Account credential misuse, however, is confirmed — most likely due to cybercriminals who compromised accounts with large loyalty card balances and sold them on the Dark Web. The ERS team found that the Web application allowed attackers to access account credentials by incrementing an ID in the URL, by guessing simple passwords, or by exploiting account users’ reuse of passwords from other compromised sites.
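The first finding above, an account ID in the URL that can simply be incremented, is an insecure direct object reference. The following Python is an added example written for this page, not code from the article or from any affected application. It shows a lookup that ignores who is asking beside a hardened lookup that ties the record to the authenticated session and hands the client an opaque per-session token instead of a sequential ID. The account table, user names and the `Forbidden` exception are constructed for the example; the weak-password and password-reuse findings are not addressed here, since they call for credential policy rather than a code change in the lookup.

```python
# Added example: insecure direct object reference (IDOR) in an account lookup,
# beside a hardened version. All data below is constructed for illustration.
import secrets

# Constructed sample table with sequential IDs, the kind an attacker can walk
# by changing /account?id=1001 to /account?id=1002.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "points": 12000},
    1002: {"owner": "bob", "email": "bob@example.com", "points": 45000},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_account_insecure(session_user: str, account_id: int) -> dict:
    """Vulnerable: the caller's identity is available but never compared
    against the record, so any logged-in user can read any account."""
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise Forbidden("account not found")
    return record


def get_account_secure(session_user: str, account_id: int) -> dict:
    """Hardened: retrieve the record, then verify the session user owns it.

    A missing record and a record the caller may not see produce the same
    response, so the endpoint does not reveal which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not found")
    return record


def issue_reference(session_refs: dict, session_user: str, account_id: int) -> str:
    """Give the client a random, per-session reference instead of the raw ID.

    The ownership check runs first, and the token is unguessable, so there is
    nothing for a client to increment."""
    get_account_secure(session_user, account_id)
    ref = secrets.token_urlsafe(16)
    session_refs[ref] = account_id
    return ref


def resolve_reference(session_refs: dict, session_user: str, ref: str) -> dict:
    """Map a client-supplied reference back to a record, re-checking ownership."""
    account_id = session_refs.get(ref)
    if account_id is None:
        raise Forbidden("account not found")
    return get_account_secure(session_user, account_id)


def readable_ids(fetch, session_user: str, id_range) -> list:
    """Which IDs in id_range the given caller can read through `fetch`.
    Used to compare the two lookups side by side."""
    out = []
    for account_id in id_range:
        try:
            fetch(session_user, account_id)
            out.append(account_id)
        except Forbidden:
            pass
    return out


if __name__ == "__main__":
    print("insecure:", readable_ids(get_account_insecure, "alice", range(1000, 1005)))
    print("secure:  ", readable_ids(get_account_secure, "alice", range(1000, 1005)))
```

Running the comparison shows the insecure lookup returning every existing account to a single session, while the hardened one returns only the caller's own record. The per-session reference is an extra layer: even if a client tampers with the token, resolution still ends in the ownership check.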

This scenario is hypothetical, but cases like it are increasing in frequency. Many companies, including retailers, airlines, hotel chains and financial services, offer a loyalty or rewards program to provide an incentive to customers to make purchases from them and remain loyal to their brand. Loyalty or rewards points can be regarded by consumers as another form of currency. That makes these accounts an attractive target for cybercriminals and has led to several data breaches in the past year.

When a customer’s points are compromised, it’s viewed as a direct hit to finances. Therefore, it is important for organizations that offer these programs to identify the root causes of these compromises and, more importantly, determine what they can do to help minimize the chance of their customers’ hard-earned loyalty points being stolen.
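The opening scenario has two signals a monitoring team could have caught early: a burst of credential changes on many accounts from one source, and redemptions following closely after a profile change. The Python below is an added example, not the article's or any vendor's detection logic. It parses a constructed audit log (timestamp, account, source IP, action) and applies those two rules; the log format, thresholds and windows are assumptions chosen for the illustration.

```python
# Added example: two simple detections for loyalty-account takeover, run over
# a constructed audit log. Format, thresholds and sample data are assumptions.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <account> <source ip> <action> [amount]".
# One source changes credentials on three accounts in six minutes and drains
# two of them right away; a fourth account is a normal user who redeems a day
# after changing a password.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 1001 203.0.113.5 password_change
2023-05-01T10:00:05Z 1001 203.0.113.5 email_change
2023-05-01T10:02:10Z 1001 203.0.113.5 points_redeem 12000
2023-05-01T10:03:00Z 1002 203.0.113.5 password_change
2023-05-01T10:03:30Z 1002 203.0.113.5 email_change
2023-05-01T10:04:00Z 1002 203.0.113.5 points_redeem 45000
2023-05-01T10:06:00Z 1003 203.0.113.5 password_change
2023-05-01T14:00:00Z 1004 198.51.100.7 password_change
2023-05-02T09:00:00Z 1004 198.51.100.7 points_redeem 500
"""

CREDENTIAL_EVENTS = {"password_change", "email_change"}


@dataclass
class Event:
    ts: datetime
    account: str
    src_ip: str
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, parts[1], parts[2], parts[3]))
    return sorted(events, key=lambda e: e.ts)


def change_then_redeem(events: list[Event],
                       window: timedelta = timedelta(minutes=60)) -> list[str]:
    """Accounts where a credential change is followed by a redemption inside
    the window. A genuine owner rarely rotates a password and then spends
    the whole balance minutes later."""
    last_change: dict[str, datetime] = {}
    flagged: list[str] = []
    for e in events:
        if e.action in CREDENTIAL_EVENTS:
            last_change[e.account] = e.ts
        elif e.action == "points_redeem":
            changed = last_change.get(e.account)
            if changed is not None and e.ts - changed <= window \
                    and e.account not in flagged:
                flagged.append(e.account)
    return flagged


def ip_burst(events: list[Event], window: timedelta = timedelta(minutes=10),
             threshold: int = 3) -> list[str]:
    """Source IPs that change credentials on at least `threshold` distinct
    accounts within the window, the signature of one actor working through
    a list of compromised logins."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if e.action in CREDENTIAL_EVENTS:
            by_ip[e.src_ip].append(e)
    flagged = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            accounts = {x.account for x in evs[i:] if x.ts - start.ts <= window}
            if len(accounts) >= threshold:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("change-then-redeem:", change_then_redeem(evs))
    print("credential-change burst by IP:", ip_burst(evs))
```

Against the sample log the first rule flags accounts 1001 and 1002 and ignores 1004, whose redemption comes nineteen hours after the change; the second rule flags 203.0.113.5 and not the single-account source. In a real deployment the windows and threshold would be tuned against the program's normal change and redemption rates, and a hit on either rule is a reason to hold the redemption and re-verify the account owner rather than to act on its own.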


Susceptibility to Phishing and Spear Phishing

A very high percentage of attacks are facilitated via phishing and spear phishing, and loyalty programs are not immune to these tactics. With an abundance of personal data on the Internet, it is trivial for an attacker to build a fairly accurate profile of a target in a short period. Job title and shopping preferences could be used to craft a convincing phishing email that unsuspecting victims will assume is legitimate.


Figure 1: Illustration of a potential spear phishing email.

An attacker could further doctor up the email above by including a weaponized document designed to exploit application vulnerabilities and perform a drive-by download, resulting in a malware infection. The attacker can then activate keylogging functionality to capture the user’s login credentials, exfiltrate information, or further map out the network and infect other endpoints. An alternative would be to include a link to a phishing page that mimics the look and feel of a legitimate website.

Protect the Billions of Loyalty Accounts at Stake

U.S. consumers hold 3.3 billion memberships in customer loyalty programs, according to one 2015 study. Rewards programs are widely used across numerous industries. Following a breach, the very thing that these programs aim to achieve — loyalty — is broken. Reputation is tarnished, which costs organizations money to restore. There is also a financial cost associated with reimbursing customers whose points have been stolen and spent. All of these are reasons for organizations to want to focus on applying data security protocols to these programs.

Read the complete research report: The price of loyalty programs
