Millions of Hilton HHonors* rewards points are being stolen and sold online, or traded in by scammers for gift cards and goods.
Points appear to be stolen through brute-force attacks. One forum user has released a simple script alleged to have been used to breach accounts on the Hilton site, which were protected only by a four-digit PIN.
The company has yet to acknowledge a breach, although customers claim it has reimbursed stolen points to individuals reporting theft. It has been contacted for comment.
Scammers on the website Leakforums appeared to begin trading Hilton HHonors points three months ago and have since sold scores of accounts holding up to a million points each.
One eager scammer appeared to sell off 833,000 points for $20 worth of Bitcoins, while dozens more sold accounts loaded with tens of thousands of points.
The website NerdWallet valued a point at half a cent. Points can be spent on hotel rooms costing between 5,000 and 50,000 points a night, or on flights or merchandise.
One vendor's Hilton HHonors point price list. © The Register.
Scammers opted instead to trade the points for gift cards, where 322,660 points would land an Aussie buyer a $500 card at JB HiFi and 322,660 a $100 card at Bunnings or The Good Guys.
Based on some advertised stolen-point prices, a buyer could obtain a cool $2000 gift card at Australia's Harvey Norman by spending just $18.50 on the required 1,224,375 points.
US buyers could spend 50,000 points on $100 gift cards at Best Buy and other popular retail chains.
Scammers claimed on some forums to have purchased phones and electronics with the points, and a risky few said they had stayed in hotels, a move that seems dangerous given that it could lead to the buyer being identified and caught.
Part of an alleged script used to steal accounts. © The Register.
Prices for points varied as criminal vendors competed for custom. One bargain vendor sold 240,000 points for $3.50 and claimed to have "plenty of accounts", including some with more than 400,000 points. Others sold accounts for forum site credits.
Cybercrime blogger Brian Krebs, reporting on a tip-off from one victim, revealed that criminals had spent the man's 250,000 Hilton HHonors points on $1200 worth of cheap hotel reservations along the US East Coast.
While Vulture South waited on word from Hilton, users who monitor the operations of reward schemes said the company last month introduced a CAPTCHA to the login process. That raises the cost of automated guessing but does not by itself stop brute-force attacks: a four-digit PIN has only 10,000 possible values, and without a per-account lockout every one of them can be tried.
Hilton appeared to store PINs in a recoverable form rather than as salted hashes, since PINs were emailed back to customers in cleartext, El Reg has confirmed. ®
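The following is an added illustration, not the leaked script and not code from Hilton or The Register: a toy model of a loyalty-site login gated by a four-digit PIN. It shows why an unthrottled PIN check falls to a plain online guessing loop, that a site can store only a salted hash of the PIN (instead of the recoverable form that lets it be emailed back) and still verify logins, and one caveat a practitioner should know: a per-account lockout alone does not stop a "spray" of a few common PINs across many accounts, which is where per-source rate limiting or a CAPTCHA earns its keep. All member numbers and PINs are constructed; class and function names are the example's own.

```python
"""Added example (not from the article, Hilton, or the leaked script):
a toy model of a four-digit-PIN login, unthrottled versus hardened.
All member numbers and PINs below are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

PIN_SPACE = 10_000  # four decimal digits: "0000" .. "9999"

# Constructed test data: hypothetical member numbers and PINs.
ACCOUNTS = {"100200300": "4271", "100200301": "1234", "100200302": "9053"}
COMMON_PINS = ["1234", "0000", "1111"]  # typical top guesses for a spray


class NoThrottleAuth:
    """Keeps the raw PIN (recoverable, as a site that emails PINs must) and
    places no limit on failed attempts per account."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._pins = dict(accounts)

    def login(self, member: str, pin: str) -> bool:
        return self._pins.get(member) == pin


class ThrottledAuth:
    """Stores only a salted PBKDF2 hash of each PIN and locks an account
    after MAX_FAILURES consecutive wrong guesses until an out-of-band reset."""

    MAX_FAILURES = 5
    ITERATIONS = 30_000  # kept modest so the demo runs quickly

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}
        for member, pin in accounts.items():
            salt = os.urandom(16)
            self._records[member] = (salt, self._digest(salt, pin))
            self._failures[member] = 0

    @classmethod
    def _digest(cls, salt: bytes, pin: str) -> bytes:
        # Hashing protects the PIN if the database leaks; it cannot defend a
        # 10,000-value space against online guessing. The lockout does that.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, cls.ITERATIONS)

    def is_locked(self, member: str) -> bool:
        return self._failures.get(member, 0) >= self.MAX_FAILURES

    def login(self, member: str, pin: str) -> bool:
        if member not in self._records or self.is_locked(member):
            return False  # unknown or locked: fail even for the right PIN
        salt, stored = self._records[member]
        if hmac.compare_digest(stored, self._digest(salt, pin)):
            self._failures[member] = 0
            return True
        self._failures[member] += 1
        return False


def brute_force(auth, member: str) -> Tuple[Optional[str], int]:
    """Online attack on one account: try every PIN in order.
    Returns (recovered PIN or None, number of login calls made)."""
    attempts = 0
    for n in range(PIN_SPACE):
        attempts += 1
        pin = f"{n:04d}"
        if auth.login(member, pin):
            return pin, attempts
    return None, attempts


def spray(auth, members: Iterable[str], pins: Iterable[str]) -> Dict[str, str]:
    """Low-and-slow attack: a few popular PINs tried once per account,
    staying under any per-account lockout threshold."""
    hits: Dict[str, str] = {}
    for member in members:
        for pin in pins:
            if auth.login(member, pin):
                hits[member] = pin
                break
    return hits


if __name__ == "__main__":
    print("unthrottled:", brute_force(NoThrottleAuth(ACCOUNTS), "100200300"))
    throttled = ThrottledAuth(ACCOUNTS)
    print("throttled:  ", brute_force(throttled, "100200300"),
          "locked:", throttled.is_locked("100200300"))
    print("spray vs throttled:", spray(ThrottledAuth(ACCOUNTS), ACCOUNTS, COMMON_PINS))
```

Against the unthrottled model the loop recovers the PIN on the 4,272nd call; against the lockout model it gets five guesses and then nothing, but the spray still finds the account whose PIN is "1234" because it never exceeds the per-account threshold.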
*Bootnote: HHonors is how the brand is spelled.