As the travel industry rebounds post-lockdown, Imperva, a Thales company specialising in cybersecurity, has cautioned travellers against automated threats.

With the travel sector experiencing more than a fifth (21 per cent) of all attack traffic requests monitored last year, the Imperva 2024 Bad Bot Report found that bad bots accounted for 45 per cent of the global industry’s web traffic in 2023 – a significant jump from 37 per cent in 2022.

As travel continues to ramp up towards year-end, the industry will likely see a surge in bot activity. These bots target travel companies through seat spinning, unauthorised web scraping, account takeover, and fraud.

Seat spinning is particularly rife in Asia, as bots hold airline seats – often for up to a day – without making payment. This enables operators like unauthorised OTAs to resell these seats without risking upfront payment. If these operators fail to offload these seats, airlines can suddenly find seemingly fully booked flights set to depart far below their capacity – the result is significant financial and reputational damage.

In unauthorised web scraping, bots run by OTAs, aggregators and competitors access airlines’ web properties without permission to harvest data, which damages critical business insights and metrics like look-to-book ratios, and increases the fees airlines must pay their partners. One airline last year ended up paying US$500,000 per month for API requests due to the surge in bad bot traffic scraping its search API.

In terms of account takeovers (ATOs) and fraud, the travel industry experienced the second-highest volume of ATO attempts in 2023, with 11 per cent of all ATO attacks globally targeting the industry.

Cybercriminals zero in on the travel sector due to the valuable personal information, stored payment methods, and loyalty points within user accounts. Once they gain access to customer accounts, cybercriminals can steal loyalty points and fraudulently “buy” flights or hotel rooms for onward sale.

Imperva recommends that travel companies deploy a multi-layered defence strategy to mitigate these threats across all digital touchpoints, including APIs and mobile applications. Organisations must identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure, particularly around login functionalities, is crucial as these are prime targets for credential stuffing and brute force attacks.

“Quick wins for security teams would include blocking outdated browser versions, restricting access from bulk IP data centres, and implementing detection strategies for signs of automation, like unusually fast interactions,” said Daniel Toh, chief solutions architect, Asia Pacific and Japan, Imperva. “Analysing suspicious traffic sources – like single IP addresses – can provide valuable insights, as can regularly watching for traffic anomalies like high bounce rates and sudden spikes.”

He advised: “Monitor the news and stay abreast of new data breaches which threat actors can use to fuel automated account takeover attacks.”

The Imperva 2024 Bad Bot Report can be viewed here.