As the travel industry recovers from the pandemic, it is increasingly being targeted by automated threats: the industry received approximately 21% of all bot attack requests last year, according to research from Imperva, a Thales company. According to Imperva’s 2024 Fraudulent Bot Report, fraudulent bots accounted for 44.5% of the travel industry’s web traffic in 2023, a significant increase from 37.4% in 2022.
The summer travel season and major European sporting events are expected to drive increased consumer demand for flights, accommodations and other travel-related services. As a result, Imperva warns that the industry could see a surge in bot activity, which will target the industry through unauthorized scraping, seat spinning, account takeover and fraud.
From scraping to fraud
Bots are software applications that perform automated tasks on the internet. Many of these tasks are legitimate, from indexing websites for search engines to monitoring website performance, but an increasing share are malicious.
Bad bots are responsible for a variety of nefarious activities, from denial of service attacks to transaction fraud. Even if these automated threats aren’t directly stealing sensitive data or conducting fraudulent transactions, they can consume bandwidth, slow down servers, and disrupt business operations.
The travel industry has long struggled with complex bot problems, as malicious actors can exploit the many ways business logic is utilized in travel applications. Below are some of the most common ways travel-related applications are targeted every day:
- Fare scraping: Bots are used to aggregate pricing information, inventory, discount fares, and more. Airlines are particularly targeted by scraping, because bots operated by online travel agencies (OTAs), aggregators, and competitors often collect data without permission. Large volumes of scraping bots can distort key business metrics such as look-to-book ratios and inflate API costs. For example, one airline incurred $500,000 per month in API request fees due to a surge in malicious bot traffic scraping its search API.
- Seat Spinning: Bots repeatedly book and cancel airplane seats or hotel rooms, temporarily putting inventory on hold without ever completing a purchase. This creates artificial scarcity: seats or rooms appear to be sold out, which misleads customers and can inflate prices through perceived high demand. The artificial scarcity leads to inventory mismanagement, making it difficult for legitimate customers to find and book available seats and rooms. As a result, travel companies can suffer revenue losses as real customers are deterred by the apparent lack of availability or by inflated prices caused by the fake demand. Seat spinning also disrupts airlines’ and hotels’ regular operations, leading to inefficiencies and increased operational costs associated with managing and monitoring such fraudulent activity. The degraded customer experience causes frustration as genuine customers struggle to find and book seats and rooms.
- Account Takeover: The travel industry had the second highest number of account takeover (ATO) attempts in 2023, with 11% of all ATO attacks targeting the industry and ATO attempts making up 17% of all login requests. Cybercriminals target this industry because the valuable personal information, stored payment methods, and loyalty points in user accounts make them ideal targets for identity theft and fraud. Time-sensitive, high-value travel transactions can often be monetized quickly before the fraud is detected, leading to financial losses, eroded customer trust, and damaged company reputations. Additionally, dealing with ATO requires significant resources for customer support, refunds, and security enforcement. The industry’s interconnected systems and numerous entry points further exacerbate its vulnerability.
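The seat-spinning pattern described above leaves a recognizable trace in booking-flow events: many holds, almost no purchases, and holds released within seconds. The following Python script is an added example of detecting that pattern; it is not Imperva's or any vendor's code. The event format, the thresholds and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Thresholds are assumed policy values for this example; tune them per business.
WINDOW_SECONDS = 3600          # trailing window examined per actor
MIN_HOLDS = 5                  # fewer holds than this is never flagged
MAX_PURCHASE_RATIO = 0.2       # purchases / holds at or below this looks like spinning
MAX_MEDIAN_HOLD_SECONDS = 120  # spinners typically release inventory within seconds

# Constructed sample events (not real data): (ISO timestamp, actor, action, inventory id).
# "hold" places a seat/room on hold in the booking flow, "cancel" releases it,
# "purchase" completes payment. Events are sorted by timestamp.
EVENTS = [
    ("2024-06-01T10:00:00", "acct-1001", "hold",     "LH400-12A"),
    ("2024-06-01T10:00:20", "acct-1001", "cancel",   "LH400-12A"),
    ("2024-06-01T10:00:30", "acct-1001", "hold",     "LH400-12B"),
    ("2024-06-01T10:00:50", "acct-1001", "cancel",   "LH400-12B"),
    ("2024-06-01T10:01:00", "acct-1001", "hold",     "LH400-12C"),
    ("2024-06-01T10:01:20", "acct-1001", "cancel",   "LH400-12C"),
    ("2024-06-01T10:01:30", "acct-1001", "hold",     "LH400-12D"),
    ("2024-06-01T10:01:50", "acct-1001", "cancel",   "LH400-12D"),
    ("2024-06-01T10:02:00", "acct-1001", "hold",     "LH400-12E"),
    ("2024-06-01T10:02:20", "acct-1001", "cancel",   "LH400-12E"),
    ("2024-06-01T10:02:30", "acct-1001", "hold",     "LH400-12F"),
    ("2024-06-01T10:02:50", "acct-1001", "cancel",   "LH400-12F"),
    ("2024-06-01T11:00:00", "acct-2002", "hold",     "LH400-14C"),
    ("2024-06-01T11:15:00", "acct-2002", "cancel",   "LH400-14C"),
    ("2024-06-01T11:16:00", "acct-2002", "hold",     "LH400-14D"),
    ("2024-06-01T11:20:00", "acct-2002", "purchase", "LH400-14D"),
]


def detect_seat_spinning(events):
    """Return {actor: summary} for actors whose hold/cancel pattern looks like seat spinning.

    events: iterable of (iso_timestamp, actor, action, inventory_id) with action in
    {"hold", "cancel", "purchase"}, assumed sorted by timestamp.
    """
    by_actor = defaultdict(list)
    for ts, actor, action, item in events:
        by_actor[actor].append((datetime.fromisoformat(ts), action, item))

    flagged = {}
    for actor, evs in by_actor.items():
        # Only look at the trailing window ending at the actor's most recent event.
        end = evs[-1][0]
        window = [e for e in evs if (end - e[0]).total_seconds() <= WINDOW_SECONDS]
        holds = [e for e in window if e[1] == "hold"]
        purchases = sum(1 for e in window if e[1] == "purchase")
        if len(holds) < MIN_HOLDS:
            continue
        # Hold lifetime = time from a hold to the next cancel/purchase of the same item.
        lifetimes, open_holds = [], {}
        for t, action, item in window:
            if action == "hold":
                open_holds[item] = t
            elif item in open_holds:
                lifetimes.append((t - open_holds.pop(item)).total_seconds())
        if not lifetimes:
            continue
        ratio, med = purchases / len(holds), median(lifetimes)
        if ratio <= MAX_PURCHASE_RATIO and med <= MAX_MEDIAN_HOLD_SECONDS:
            flagged[actor] = {"holds": len(holds), "purchases": purchases,
                              "median_hold_seconds": med}
    return flagged


if __name__ == "__main__":
    for actor, summary in detect_seat_spinning(EVENTS).items():
        print(actor, summary)
```

The actor key can be an account id, a session id or a client IP depending on what the booking flow records; keying on several of them at once catches spinners that rotate accounts but not IPs, and vice versa. Flagged actors are candidates for shorter hold timeouts or a challenge before the next hold, not for an automatic block, since a genuine customer comparing options also creates a few short-lived holds.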
Not all bots are created equal
Imperva categorizes malicious bot activity into three tiers: simple, moderate, and advanced. Simple bad bots connect from a single ISP-assigned IP address and use automated scripts to connect to sites and applications without self-reporting as a browser. Moderate bad bots use “headless browser” software that simulates browser technology, including the ability to run JavaScript. Advanced bad bots mimic human user behavior, such as mouse movements and clicks, to evade bot detection. They also connect to sites using browser automation software or malware installed within the actual browser.
Simple bad bots often perform basic web scraping, while advanced bad bots may be required for more sophisticated fraud or account takeover attempts. The travel industry is particularly plagued by advanced bad bots, which accounted for 61% of its bad bot activity last year. Advanced bad bot traffic poses a greater risk because it can achieve its goals with fewer requests than simple bad bots and is more persistent.
Advanced bot operators frequently evade detection. These evasive bots, which fall in the moderate and advanced tiers, use complex tactics to circumvent bot management solutions, such as switching IP addresses at random, routing through anonymous proxies, and defeating CAPTCHA challenges.
Layered Defense
Nearly half of all travel industry traffic came from bots in 2023. The situation is likely to worsen as consumer demand for travel increases and bot operators target loyalty rewards programs, execute account takeover attacks, and commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams:
First, organizations need to identify risks through advanced traffic analytics and real-time bot detection. Understanding risks, especially around login functionality, is crucial, as login endpoints are a prime target for credential stuffing and brute force attacks. A comprehensive security strategy must cover all digital touchpoints, including APIs and mobile applications.
Imperva suggests some immediate measures, such as blocking outdated browser versions, restricting access from data center IP ranges that generate high request volumes, and implementing checks that detect signs of automation, such as unusually fast interactions. Regularly monitoring traffic anomalies, such as high bounce rates or sudden spikes, can help identify bad bot activity. Additionally, analyzing suspicious traffic sources, such as single IP addresses that generate disproportionate volume, can provide valuable insights.
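The immediate measures listed above (outdated browsers, data center sources, unusually fast interactions, sudden spikes, single-IP sources) can be expressed as per-IP signals computed over an ordinary web access log. The following Python script is an added example of that scoring, not Imperva's or any vendor's product logic. The log lines, the data center range list (here the documentation network 198.51.100.0/24) and every threshold are constructed placeholders; a real deployment would load the range list from a hosting or ASN feed and tune the thresholds against its own traffic.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Thresholds are assumed policy values for this example; tune them per site.
MIN_CHROME_MAJOR = 110       # browser majors below this are treated as outdated
MIN_FIREFOX_MAJOR = 110
FAST_GAP_SECONDS = 1.0       # consecutive requests closer than this look automated
FAST_GAP_FRACTION = 0.5      # fraction of gaps that must be "fast" to raise the signal
MAX_REQ_PER_MINUTE = 30      # sudden spike: more than this in any 60 s window
FLAG_SCORE = 2               # number of signals needed to flag an IP

# Constructed placeholder for a hosting/data-center IP feed; real deployments load this
# from an ASN or cloud-provider range list. 198.51.100.0/24 is a documentation network.
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
BROWSER_RE = re.compile(r'(Chrome|Firefox)/(\d+)')

def _line(ip, ts, ua, path="/search?from=LHR&to=JFK"):
    # Builds one constructed Combined Log Format line for the sample below.
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"'

CHROME_NEW = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
CHROME_OLD = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
SCRIPT_UA = "python-requests/2.31.0"
LOG_LINES = [  # constructed sample traffic, not real data
    _line("203.0.113.7", "01/Jun/2024:10:00:00 +0000", CHROME_NEW),
    _line("203.0.113.7", "01/Jun/2024:10:00:30 +0000", CHROME_NEW, "/flight/LH400"),
    _line("203.0.113.44", "01/Jun/2024:10:01:00 +0000", CHROME_OLD),
] + [_line("198.51.100.20", f"01/Jun/2024:10:02:0{s} +0000", SCRIPT_UA) for s in (0, 0, 0, 1, 1, 1)]

def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "ua": m.group("ua"), "req": m.group("req")}

def ua_signals(ua):
    """Signals derived from the User-Agent string alone."""
    out = set()
    if "Mozilla/" not in ua:
        out.add("no_browser_ua")  # plain scripts such as python-requests or curl
        return out
    for name, major in BROWSER_RE.findall(ua):
        major = int(major)
        if (name == "Chrome" and major < MIN_CHROME_MAJOR) or \
           (name == "Firefox" and major < MIN_FIREFOX_MAJOR):
            out.add("outdated_browser")
    return out

def timing_signals(timestamps):
    """Signals from one IP's request timing: fast interactions and per-minute spikes."""
    out = set()
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if gaps and sum(g < FAST_GAP_SECONDS for g in gaps) / len(gaps) >= FAST_GAP_FRACTION:
        out.add("fast_interactions")
    start = 0  # sliding 60 s window over the sorted timestamps
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > 60:
            start += 1
        if end - start + 1 > MAX_REQ_PER_MINUTE:
            out.add("high_rate")
            break
    return out

def analyze(lines):
    """Return {ip: set_of_signals} for every IP seen in the log lines."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    signals = {}
    for ip, recs in per_ip.items():
        s = set()
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_RANGES):
            s.add("datacenter_ip")
        for rec in recs:
            s |= ua_signals(rec["ua"])
        s |= timing_signals([r["ts"] for r in recs])
        signals[ip] = s
    return signals

def flagged_ips(lines):
    """IPs whose signal count reaches FLAG_SCORE: candidates for a challenge or rate limit."""
    return sorted(ip for ip, s in analyze(lines).items() if len(s) >= FLAG_SCORE)
```

Each signal on its own is weak: an outdated browser or a data center address also describes corporate proxies and accessibility tools, which is why the script only flags an IP when several signals coincide, and why the flagged list is best routed to a challenge or a rate limit rather than a hard block. The same per-source aggregation works for a session id or device fingerprint in place of the IP, which matters against the advanced bots that rotate addresses.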
As bot technology, especially AI, advances, it becomes harder to distinguish good traffic from bad, which is why Imperva advocates a layered defense for the travel industry that combines user behavior analytics, profiling and fingerprinting.