Automated Threats Pose Increasing Risk to the Travel Industry

As the travel industry rebounds post-pandemic, it faces an increasing threat from automated attacks: the industry accounted for nearly 21% of all bot attack requests last year, according to research from Imperva, a Thales company. In its 2024 Bad Bot Report, Imperva found that bad bots constituted 44.5% of the industry’s web traffic in 2023, up from 37.4% in 2022.

The summer travel season and major European sporting events are expected to boost consumer demand for flights, accommodations, and other travel-related services. Consequently, Imperva warns of a potential surge in bot activity targeting the industry through unauthorized scraping, seat spinning, account takeovers, and fraud.

From Scraping to Fraud

Bots are software applications that run automated tasks across the internet. While some tasks, such as indexing websites for search engines, are legitimate, a growing number of bots engage in malicious activities, ranging from denial-of-service attacks to transaction fraud. These threats can consume bandwidth, slow servers, and disrupt business operations, even if they do not directly steal sensitive data or conduct fraudulent transactions.

The travel industry has long dealt with complex bot issues, as malicious actors exploit the various ways business logic is utilized in travel applications. Some common targeting methods include:

– Fare Scraping: Bots aggregate pricing information, inventories, and discounted fares, particularly targeting airlines. This unauthorized data harvesting skews business metrics like look-to-book ratios and inflates API costs. One airline faced $500,000 per month in API request fees due to a surge in bot traffic scraping its search API.

– Seat Spinning: Bots repeatedly book and cancel airline seats or hotel rooms, creating a temporary hold on inventory without actual purchases. This false scarcity misleads customers and potentially drives up prices due to perceived high demand, leading to inventory mismanagement and revenue losses for travel companies.

– Account Takeover: The travel industry experienced the second-highest volume of account takeover (ATO) attempts in 2023, with 11% of all ATO attacks targeting the industry and 17% of all login requests associated with ATO. Cybercriminals target the valuable personal information, stored payment methods, and loyalty points within user accounts, resulting in financial losses, damaged customer trust, and significant resource demands for addressing these attacks.

Not All Bots Are Created Equal

Imperva sorts malicious bot activity into three categories: simple, moderate, and advanced. Simple bots use automated scripts that do not self-report as a browser. Moderate bots use headless browser software to simulate browser technology. Advanced bots mimic human user behavior, such as mouse movements and clicks, and use sophisticated techniques to evade detection.

The travel industry is particularly plagued by advanced bots, which accounted for 61% of bad bot activity last year. These bots achieve their goals with fewer requests and are more persistent. They use tactics like cycling through random IPs, entering via anonymous proxies, and defeating CAPTCHA challenges to circumvent bot management solutions.

Layering Up Defenses

Bots made up nearly half of all traffic within the travel industry in 2023, and the situation could worsen as consumer demand for travel grows. To mitigate these threats, Imperva recommends several strategies for IT security teams:

1. Advanced Traffic Analysis and Real-Time Bot Detection: Understanding exposure, especially around login functionalities, is crucial.
2. Blocking Outdated Browser Versions: This can prevent some bots from accessing the site.
3. Restricting Access from Bulk IP Data Centers: This can reduce the volume of bot traffic.
4. Implementing Detection Strategies for Signs of Automation: Look for unusually fast interactions, high bounce rates, or sudden traffic spikes.

Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for distinguishing between good and bad traffic, especially as bot technology advances with AI.
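
As an added example (not from Imperva or the original article), the sketch below applies the fourth recommendation to the abuse patterns described earlier: it flags clients by look-to-book ratio, by holds never followed by a purchase (seat spinning), and by unusually fast request spacing. The event format, action names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (client_id, seconds_since_start, action).
# The action names and the thresholds below are assumptions for illustration.
EVENTS = [
    ("c1", 0, "search"), ("c1", 40, "search"), ("c1", 95, "hold"), ("c1", 160, "purchase"),
    ("c2", 0, "hold"), ("c2", 600, "cancel"), ("c2", 601, "hold"), ("c2", 1200, "cancel"),
    ("c2", 1201, "hold"), ("c2", 1800, "cancel"),
    *[("c3", i * 0.2, "search") for i in range(200)],
]

MAX_LOOK_TO_BOOK = 100   # searches per purchase before flagging fare scraping
MAX_UNPAID_HOLDS = 3     # holds with no purchase at all before flagging seat spinning
MIN_MEDIAN_GAP_S = 1.0   # median gap between requests below this is "unusually fast"
MIN_GAPS_FOR_TIMING = 10 # do not judge timing on a handful of requests

def flag_clients(events):
    """Return {client_id: [reason, ...]} for clients showing signs of automation."""
    by_client = defaultdict(list)
    for client, ts, action in sorted(events, key=lambda e: (e[0], e[1])):
        by_client[client].append((ts, action))

    findings = {}
    for client, rows in by_client.items():
        counts = defaultdict(int)
        for _, action in rows:
            counts[action] += 1
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]

        reasons = []
        # Fare scraping skews the look-to-book ratio: many searches, few bookings.
        if counts["search"] / max(counts["purchase"], 1) > MAX_LOOK_TO_BOOK:
            reasons.append("look_to_book")
        # Seat spinning: inventory held repeatedly without ever being purchased.
        if counts["purchase"] == 0 and counts["hold"] >= MAX_UNPAID_HOLDS:
            reasons.append("seat_spinning")
        # Unusually fast interactions: sustained sub-second request spacing.
        if len(gaps) >= MIN_GAPS_FOR_TIMING and median(gaps) < MIN_MEDIAN_GAP_S:
            reasons.append("fast_interactions")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for client, reasons in flag_clients(EVENTS).items():
        print(client, ", ".join(reasons))
```

Per-client keys built on IP address alone will miss bots that cycle through IPs or proxies, so in practice the `client_id` would come from a device or session fingerprint.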
