Russian hackers are exploiting the dark web to steal air miles from UK residents and go on luxury holidays.
Hotels, flights and car rentals are discounted by up to 75% by dodgy "travel agents" who have already purchased the deals with stolen reward points taken from phishing scams and hacked airline accounts.
The Times reported that one British couple discovered their British Airways Avios points were stolen after a room was booked in Spain under the names Olga and Dmitry.
Revealed by research company Flashpoint, the problem is reportedly so severe that one US-based bank has blocked the purchasing of flights in Russia with the rewards scheme.
The hackers use bright and appealing online travel sites to trick customers. Flashpoint monitors activity on the dark web, which is commonly used for buying stolen property and drugs.
Criminals believe buying holiday packages with credit card details is too risky and that using reward points is safer, according to Flashpoint's Liv Rowley. "One advantage for criminals of using reward points is that the legitimate owner might not notice for months that their points have gone," Rowley said according to The Times. "They're confident enough to travel in their own names using the stolen points."
The researchers also revealed there were English and Spanish speaking hackers stealing reward points. Alphaby, a marketplace on the dark web, was used by about 3,600 customers to book holidays through an illegal hotel and car renting service. Alphaby was closed down in July following a police investigation.
Early this month, it was revealed some Russian hackers were selling a spy service for as little as $50. Using just an individual's name and date of birth and in some cases passport numbers, the hacker, who goes by the pseudonym Abrisk, can allegedly find past travel records or even sniff out details of a target's upcoming travel plans.
The point schemes and airlines affected were not named in the report. It did say there were "major" British names involved.