Crooks Cash in Stolen Rewards Points for Flights and Hotels

It’s nice to take a free trip using credit card rewards. Unfortunately, criminal gangs feel the same way and are stealing other people’s rewards points—including those for British Airways and booking site Orbitz—in order to resell them on the Internet.

The rewards scam, which began in Russia but has since spread to English- and Spanish-speaking markets, represents yet another frontier for cyber criminals to make money by hacking consumer accounts.

According to Flashpoint, a service that monitors activity on the so-called dark web, the crooks are running full-blown travel agencies that let consumers purchase flights or hotel and car packages at a steep discount.

In a blog post describing the scams, Flashpoint also notes that users are encouraged to make reservations in their own names, and that some sites even have community groups where people post vacation photos.

According to another source familiar with the dark web, which lets people conduct illegal transactions anonymously, there are numerous types of rewards points for sale. Other familiar brands include Southwest Airlines and Canada-based Aeroplan.

In response to a question from Fortune about why the companies don’t put a stop to this, Flashpoint said that some brands use software to detect unusual booking patterns. The problem, however, can be hard to detect since many consumers don’t pay close attention to the balances in their various rewards programs, which means thefts can go undetected for long periods of time.

Southwest provided the following statement:

“Southwest has a team that monitors the use of Rapid Rewards points online to ensure Customers are adhering to our policies. We address any misuse identified and implement safeguards to minimize unauthorized activity.”

The other companies did not immediately respond to a request for comment.

According to Flashpoint, the rise of hackers stealing rewards points has been facilitated by the use of “brute force” software, which allows the user to guess a large number of passwords in a short amount of time:

“After obtaining a user’s password through brute forcing, cybercriminals can potentially access any rewards points associated with the compromised accounts. A symbiotic relationship exists between the expanding presence of these tools and the marketplace for compromised credentials.”

To prevent hackers from stealing from their rewards programs, Flashpoint advises consumers to use long and complex passwords, since those are harder to guess.

This story was updated at 7:45pm ET with Southwest statement.