As the travel sector recovers post-pandemic, it has become a prime target for automated threats, receiving nearly 21% of all bot attack requests last year, according to Imperva, a Thales company. In its 2024 Bad Bot Report, Imperva finds that malicious bots made up 44.5% of the industry's web traffic in 2023, up substantially from 37.4% in 2022.
The summer travel season and major European sporting events are anticipated to amplify consumer demand for flights, accommodations, and other travel-related services. Consequently, Imperva cautions that the industry may witness a spike in bot activity. These bots exploit the sector through unauthorized data scraping, seat spinning, account takeovers, and fraud.
From Scraping to Fraud
Bots, which are software applications that perform automated tasks online, vary in purpose. While some tasks, like indexing websites for search engines or monitoring website performance, are legitimate, a growing number of them are not.
Malicious bots carry out a wide range of harmful activities, from denial-of-service attacks to transactional fraud. Even when they steal no sensitive data and complete no fraudulent transaction, these automated threats consume bandwidth, slow servers, and disrupt business operations.
The travel industry has long faced complex bot problems, because attackers can abuse the business logic of travel applications in many ways. Here are some of the most common methods by which travel-related applications are targeted every day:
Fare Scraping: Bots harvest pricing information, inventory, discounted fares, and more. Airlines are particularly exposed, since bots operated by Online Travel Agencies (OTAs), aggregators, and competitors often collect this data without permission. The sheer volume of scraping can distort critical business metrics such as look-to-book ratios and inflate API costs: one airline incurred $500,000 per month in API request fees after a surge in bad bot traffic hit its search API.
Seat Spinning: Bots repeatedly book and cancel airline seats or hotel rooms, placing temporary holds on inventory without ever completing a purchase. The result is artificial scarcity: fewer seats or rooms appear to be available, genuine customers are misled, and prices may rise in response to the perceived demand. Inventory becomes harder to manage, real customers who cannot find availability or balk at inflated prices take their business elsewhere, and the travel company loses revenue. Seat spinning also disrupts normal airline and hotel operations and adds the cost of monitoring and managing the fraudulent activity, all while degrading the experience of the customers who are genuinely trying to book.
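The hold-and-cancel churn described above leaves a clear signature in a booking event stream. The following Python is an added example, not code from Imperva or from the report: it builds a constructed set of booking events (timestamp, account, source IP, action, inventory item) and flags any actor that places a threshold number of holds inside a sliding time window without ever completing a purchase. Keying by account versus by source IP, the window length, and the hold threshold are assumptions chosen for illustration, as are the account names and addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _cycles(actor, n, start, ip, seat):
    """Constructed data: n hold/cancel pairs for one actor, 30 s apart."""
    out = []
    t = start
    for i in range(n):
        out.append((t, actor, ip, "hold", f"{seat}-{i}"))
        out.append((t + timedelta(seconds=10), actor, ip, "cancel", f"{seat}-{i}"))
        t += timedelta(seconds=30)
    return out


T0 = datetime(2024, 6, 1, 9, 0, 0)

# Constructed booking events: (timestamp, account, ip, action, inventory_id).
EVENTS = (
    # acct-101: six hold/cancel cycles in under three minutes, never buys.
    _cycles("acct-101", 6, T0, "203.0.113.7", "BA117-12A")
    # acct-202: ordinary shopper, holds once and pays.
    + [(T0, "acct-202", "198.51.100.3", "hold", "BA117-14C"),
       (T0 + timedelta(minutes=2), "acct-202", "198.51.100.3", "purchase", "BA117-14C")]
    # acct-303: changes mind once, then buys (legitimate indecision).
    + [(T0, "acct-303", "192.0.2.44", "hold", "BA117-15D"),
       (T0 + timedelta(minutes=1), "acct-303", "192.0.2.44", "cancel", "BA117-15D"),
       (T0 + timedelta(minutes=3), "acct-303", "192.0.2.44", "hold", "BA117-16D"),
       (T0 + timedelta(minutes=5), "acct-303", "192.0.2.44", "purchase", "BA117-16D")]
    # acct-404 / acct-405: two accounts behind one IP, each just under threshold.
    + _cycles("acct-404", 3, T0, "198.51.100.9", "BA117-20A")
    + _cycles("acct-405", 3, T0 + timedelta(seconds=15), "198.51.100.9", "BA117-21A")
)


def find_seat_spinners(events, key="account", window=timedelta(minutes=10), min_holds=5):
    """Return {actor: stats} for actors whose hold/cancel churn looks automated.

    An actor is flagged when it places at least `min_holds` holds inside any
    `window` and completes no purchase at all. Shoppers who hold, cancel and
    then buy are left alone. `key` selects the identifier to correlate on.
    """
    idx = {"account": 1, "ip": 2}[key]
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_actor[ev[idx]].append(ev)

    flagged = {}
    for actor, evs in by_actor.items():
        holds = [e[0] for e in evs if e[3] == "hold"]       # already time-sorted
        cancels = sum(1 for e in evs if e[3] == "cancel")
        purchases = sum(1 for e in evs if e[3] == "purchase")
        # Sliding window: largest number of holds that fall within `window`.
        peak, start = 0, 0
        for end in range(len(holds)):
            while holds[end] - holds[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_holds and purchases == 0:
            flagged[actor] = {"holds_in_window": peak,
                              "cancels": cancels, "purchases": purchases}
    return flagged


if __name__ == "__main__":
    print("by account:", find_seat_spinners(EVENTS))
    print("by ip:     ", find_seat_spinners(EVENTS, key="ip"))
```

Keyed by account, only acct-101 is flagged. Re-keying by source IP also catches the two accounts sharing 198.51.100.9 that each stay under the per-account threshold, which is why a seat-spinning rule should correlate on more than one identifier (account, IP, device fingerprint) rather than on accounts alone.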
Account Takeover: The travel industry saw the second-highest volume of account takeover (ATO) attempts in 2023: 11% of all ATO attacks targeted the industry, and 17% of all login requests were associated with ATO. Cybercriminals go after this industry because user accounts hold valuable personal information, stored payment methods, and loyalty points, making them lucrative for identity theft and fraud. Time-sensitive, high-value travel transactions let attackers monetize a compromised account quickly, often before the fraud is detected, resulting in financial losses, damaged customer trust, and reputational harm. Responding to ATO also consumes substantial resources for customer support, reimbursements, and security improvements, and the industry's interconnected systems and numerous entry points widen its attack surface.
Not All Bots Are Created Equal
Imperva categorizes malicious bot activity into three tiers: simple, moderate, and advanced. Simple bad bots connect from a single, ISP-assigned IP address and use automated scripts that do not even identify themselves as a browser. Moderate bad bots use "headless browser" software that emulates real browser technology, including the ability to execute JavaScript. Advanced bad bots mimic human behavior such as mouse movements and clicks to evade bot detection, and connect through browser automation software or malware installed inside real browsers.
Simple bad bots typically perform basic web scraping, while advanced bad bots are needed for more sophisticated fraud and account takeover attempts. The travel industry is particularly besieged by advanced bad bot activity, which accounted for 61% of its bad bot traffic last year. Advanced bad bot traffic poses a significant risk because these bots reach their objectives with fewer requests than simple bad bots and are far more persistent.
Sophisticated bot operators frequently combine techniques from both the moderate and advanced tiers to evade detection. These evasive bots use tactics such as cycling through random IPs, entering via anonymous proxies, and defeating CAPTCHA challenges to get past bot management solutions.
Layering up Defenses
Bots accounted for nearly half of all traffic within the travel industry in 2023. This situation could worsen as consumer demand for travel grows and bot operators target loyalty rewards programs, carry out account takeover attacks, or commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams.
First, organizations must identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure around login functionality in particular is crucial, since logins are prime targets for credential stuffing and brute-force attacks. A comprehensive security strategy should cover every digital touchpoint, including APIs and mobile applications.
Imperva suggests several quick wins: block outdated browser versions, restrict access from bulk IP data centers, and detect signs of automation such as unusually fast interactions. Regular monitoring for traffic anomalies, such as high bounce rates or sudden spikes, helps surface bad bot activity, and analyzing suspicious traffic sources, such as a single IP address generating a disproportionate share of requests, provides further insight.
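The quick wins above (outdated browser versions, data-center address ranges, unusually fast interactions), the login exposure from the previous paragraph, and the credential-stuffing pattern behind the account takeover figures can all be checked against ordinary web server access logs before any bot management product is in place. The Python below is an added example, not Imperva's tooling or the report's methodology: it parses a handful of constructed combined-format log lines and reports, per source IP, which of those signals fire. The data-center CIDR, the minimum acceptable browser major version, the search-burst and failed-login thresholds, the hostnames, and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log lines (not real traffic).
LOG_LINES = """\
203.0.113.5 - - [01/Jun/2024:10:00:00 +0000] "GET /search?from=LHR&to=JFK HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.5 - - [01/Jun/2024:10:00:00 +0000] "GET /search?from=LHR&to=CDG HTTP/1.1" 200 5010 "-" "python-requests/2.31.0"
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /search?from=LHR&to=AMS HTTP/1.1" 200 4990 "-" "python-requests/2.31.0"
203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /search?from=LHR&to=FRA HTTP/1.1" 200 5030 "-" "python-requests/2.31.0"
198.51.100.20 - - [01/Jun/2024:10:00:05 +0000] "GET /search?from=MAD&to=LIS HTTP/1.1" 200 5100 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/79.0.3945.88 Safari/537.36"
198.51.100.20 - - [01/Jun/2024:10:01:05 +0000] "GET /search?from=MAD&to=BCN HTTP/1.1" 200 5080 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/79.0.3945.88 Safari/537.36"
192.0.2.77 - - [01/Jun/2024:10:02:00 +0000] "POST /login HTTP/1.1" 401 310 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"
192.0.2.77 - - [01/Jun/2024:10:02:06 +0000] "POST /login HTTP/1.1" 401 310 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"
192.0.2.77 - - [01/Jun/2024:10:02:12 +0000] "POST /login HTTP/1.1" 401 310 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"
192.0.2.77 - - [01/Jun/2024:10:02:18 +0000] "POST /login HTTP/1.1" 401 310 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"
192.0.2.77 - - [01/Jun/2024:10:02:24 +0000] "POST /login HTTP/1.1" 401 310 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0.0.0 Safari/537.36"
192.0.2.10 - - [01/Jun/2024:10:03:00 +0000] "GET /search?from=DUB&to=FCO HTTP/1.1" 200 5200 "https://example.test/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/125.0.0.0 Safari/537.36"
192.0.2.10 - - [01/Jun/2024:10:03:45 +0000] "GET /book/BA117 HTTP/1.1" 200 7400 "https://example.test/search" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/125.0.0.0 Safari/537.36"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BROWSER_RE = re.compile(r"(Chrome|Firefox)/(\d+)")

# Assumed policy values, chosen for the example.
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed list
MIN_BROWSER_MAJOR = 100


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["status"] = int(r["status"])
        rows.append(r)
    return rows


def analyze(lines, search_burst=3, burst_seconds=10, login_failures=5):
    """Return {ip: [reasons]} for every source IP that trips at least one signal."""
    by_ip = defaultdict(list)
    for r in parse(lines):
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        reasons = set()
        for r in reqs:
            m = BROWSER_RE.search(r["ua"])
            if m is None:
                reasons.add("no_browser_ua")          # script that never claims to be a browser
            elif int(m.group(2)) < MIN_BROWSER_MAJOR:
                reasons.add("outdated_browser")       # candidate for outright blocking
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_RANGES):
            reasons.add("datacenter_ip")
        # Unusually fast interactions: `search_burst` fare searches within `burst_seconds`.
        searches = [r["ts"] for r in reqs if r["path"].startswith("/search")]
        for i in range(len(searches) - search_burst + 1):
            if (searches[i + search_burst - 1] - searches[i]).total_seconds() <= burst_seconds:
                reasons.add("search_burst")
                break
        # Credential stuffing / brute force: repeated failed POSTs to the login endpoint.
        fails = sum(1 for r in reqs
                    if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401)
        if fails >= login_failures:
            reasons.add("login_failures")
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(LOG_LINES).items():
        print(ip, ", ".join(reasons))
```

The one legitimate visitor (192.0.2.10) produces no finding, the scripted scraper trips both the user-agent and burst checks, the data-center client is caught by two independent signals, and the login hammering is visible from status codes alone even though the access log never records which usernames were tried. Each signal on its own is weak (a corporate proxy can look like a single busy IP), which is the case for layering them rather than acting on any one.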
As bot technology advances, especially with AI, distinguishing between good and bad traffic will become more challenging. Therefore, Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for the travel industry.