As the travel industry recovers from the pandemic, it is increasingly being targeted by automated threats: the sector accounted for nearly 21% of all bot attack requests last year, according to research by Imperva, a Thales company. In its 2024 Bad Bot Report, Imperva finds that bad bots made up 44.5% of the industry's web traffic in 2023, a significant jump from 37.4% in 2022.
The summer tourist season and major European sporting events are expected to increase consumer demand for flights, accommodation and other travel-related services. As a result, Imperva warns that the industry could see a spike in bot activity. These bots target the industry through unauthorized scraping, seat spinning, account takeover and fraud.
From scraping to scamming
Bots are programs that perform automated tasks on the Internet. Many of these tasks, from indexing websites for search engines to monitoring website performance, are legitimate, but a growing number are not.
Bad bots are involved in a variety of malicious activities, from denial-of-service attacks to transaction fraud. Even when they do not directly steal sensitive data or commit fraudulent transactions, these automated threats consume bandwidth, slow down servers and disrupt business operations.
The travel industry has long struggled with complex bot challenges, as attackers have many ways to exploit business logic in travel applications. Some of the most common ways travel applications are targeted, day in and day out:
- Fare scraping: Using bots to collect information on prices, inventory, discounted rates and so on. Airlines are particularly vulnerable to scraping, as bots operated by Online Travel Agencies (OTAs), aggregators and competitors often collect data without permission. The large volume of bots pulling data distorts important business metrics such as view-to-book ratios and drives up API costs. For example, one airline was billed $500,000 per month in API request fees after a spike in bad bot traffic hitting its search API.
- Seat spinning: Using bots to repeatedly book and cancel airline seats or hotel rooms, holding inventory temporarily without an actual purchase. This creates an artificial shortage: fewer seats or rooms appear to be available, which misleads customers and can raise prices through perceived high demand. The artificial shortage leads to inventory mismanagement and makes it hard for legitimate customers to find and book what is actually available, so travel companies lose revenue as real customers are put off by apparent unavailability or inflated prices. Seat spinning also disrupts normal operations at airlines and hotels, adding the cost of detecting, monitoring and cleaning up the fraudulent holds, and the degraded experience frustrates genuine customers who cannot find and book seats or rooms.
- Account takeover: In 2023, the travel industry saw the second highest number of account takeover (ATO) attempts, with 11% of all ATO attacks targeting the industry and 17% of all login requests involving ATO. Cybercriminals target the industry because user accounts hold valuable personal information, stored payment methods and loyalty points, making them lucrative for identity theft and fraud. Time-sensitive, high-value travel transactions allow quick monetization, often before the fraud is discovered, resulting in financial losses, lost customer trust and reputational damage to the company. Remediating ATO also requires significant resources for customer support, reimbursement and security improvements. The industry's interconnected systems and multiple entry points further widen its attack surface.
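The fare-scraping and seat-spinning patterns above can both be spotted from the booking funnel itself, without any bot-management product: a scraper produces searches and never holds or buys, a seat spinner produces hold/cancel cycles and never pays, and both skew the view-to-book ratio the report mentions. The following is an added example, not code from the article or from Imperva. The event types (SEARCH, HOLD, CANCEL, PURCHASE), the event stream and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed booking-funnel events: (timestamp_seconds, actor_id, event, item).
# Event names are an assumption for this example, not a real booking system's schema.
CONSTRUCTED_EVENTS = []
# bot-A: 60 fare searches, one every 0.5 s, never holds a seat (fare scraper).
CONSTRUCTED_EVENTS += [(i * 0.5, "bot-A", "SEARCH", "LH123") for i in range(60)]
# bot-B: holds and releases the same seat 4 times, ten minutes apart, never pays (seat spinner).
for i in range(4):
    CONSTRUCTED_EVENTS += [(100 + i * 600, "bot-B", "HOLD", "LH123-12A"),
                           (100 + i * 600 + 590, "bot-B", "CANCEL", "LH123-12A")]
# u-1: browses a few fares, holds a seat, pays.
CONSTRUCTED_EVENTS += [(t, "u-1", "SEARCH", "LH123") for t in (10, 40, 95, 130, 200)]
CONSTRUCTED_EVENTS += [(250, "u-1", "HOLD", "LH123-14C"), (400, "u-1", "PURCHASE", "LH123-14C")]
# u-2: changes seat once (a legitimate cancel), then buys.
CONSTRUCTED_EVENTS += [(t, "u-2", "SEARCH", "LH124") for t in range(300, 1100, 100)]
CONSTRUCTED_EVENTS += [(1150, "u-2", "HOLD", "LH124-3A"), (1200, "u-2", "CANCEL", "LH124-3A"),
                       (1300, "u-2", "HOLD", "LH124-3B"), (1500, "u-2", "PURCHASE", "LH124-3B")]


@dataclass
class ActorStats:
    searches: int = 0
    holds: int = 0
    cancels: int = 0
    purchases: int = 0
    held_seconds: float = 0.0            # total time inventory was locked and then released unpaid
    open_holds: dict = field(default_factory=dict)  # item -> timestamp of the open hold


def aggregate(events):
    """Fold the event stream into per-actor funnel counters, in time order."""
    stats = defaultdict(ActorStats)
    for ts, actor, ev, item in sorted(events):
        s = stats[actor]
        if ev == "SEARCH":
            s.searches += 1
        elif ev == "HOLD":
            s.holds += 1
            s.open_holds[item] = ts
        elif ev == "CANCEL":
            s.cancels += 1
            start = s.open_holds.pop(item, None)
            if start is not None:
                s.held_seconds += ts - start
        elif ev == "PURCHASE":
            s.purchases += 1
            s.open_holds.pop(item, None)
    return stats


def classify(stats, min_searches=50, min_cycles=3):
    """Label each actor. Thresholds are illustrative assumptions, not Imperva's."""
    labels = {}
    for actor, s in stats.items():
        cycles = min(s.holds, s.cancels)  # completed hold -> cancel pairs
        if s.purchases == 0 and cycles >= min_cycles:
            labels[actor] = "seat-spinner"
        elif s.purchases == 0 and s.holds == 0 and s.searches >= min_searches:
            labels[actor] = "fare-scraper"
        else:
            labels[actor] = "normal"
    return labels


def view_to_book(stats, exclude=()):
    """Searches per purchase; compare with and without the flagged actors to see the distortion."""
    searches = sum(s.searches for a, s in stats.items() if a not in exclude)
    purchases = sum(s.purchases for a, s in stats.items() if a not in exclude)
    return searches / purchases if purchases else float("inf")


if __name__ == "__main__":
    stats = aggregate(CONSTRUCTED_EVENTS)
    labels = classify(stats)
    bots = {a for a, label in labels.items() if label != "normal"}
    print(labels)
    print("view-to-book with bots:", view_to_book(stats))
    print("view-to-book without bots:", view_to_book(stats, exclude=bots))
```

The point of the two ratios is the business-metric distortion the article describes: on this constructed stream the raw view-to-book ratio is 36.5, but once the two bot actors are excluded it drops to 6.5. In practice the actor key would be a session or account identifier plus device fingerprint rather than a bare user ID, since seat spinners rotate accounts.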
Not all bots are created equal
Imperva classifies bad bot activity into three categories: simple, moderate and advanced. Simple bad bots connect to sites or applications from a single ISP-assigned IP address using automated scripts and do not self-report as a browser. Moderate bad bots use "headless browser" software that mimics browser technology, including the ability to execute JavaScript. Advanced bad bots mimic human behavior such as mouse movements and clicks to fool bot detection, and connect through browser automation software or malware installed in real browsers.
Simple bad bots typically perform basic website scraping, while advanced bad bots are used for more sophisticated fraud and account takeover attempts. The travel industry is particularly affected by advanced bad bot activity, which made up 61% of the industry's bad bot traffic last year. Advanced bad bot traffic poses a significant risk because these bots can achieve their goals with fewer requests than simple bad bots and are far more persistent.
Sophisticated bot operators often combine techniques from both the moderate and advanced categories to avoid detection. These evasive bots cycle through random IP addresses, log in through anonymous proxies, defeat CAPTCHA challenges and more in order to bypass bot management solutions.
Building up protection
In 2023, bots accounted for almost half of all traffic in the travel industry. The situation could worsen as consumer demand for travel grows and bot operators target loyalty rewards programs, launch account takeover attacks or commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams.
First, organizations must identify risks through advanced traffic analysis and real-time bot detection. Understanding their exposure, especially around login functionality, is critical, as login endpoints are prime targets for credential stuffing and brute-force attacks. A comprehensive security strategy should cover all digital touchpoints, including APIs and mobile applications.
Imperva offers several quick wins: block outdated browser versions, restrict access from bulk IP ranges belonging to data centers and hosting providers, and look for signs of automation such as unusually fast interactions. Regular monitoring for traffic anomalies, such as high bounce rates or sudden spikes, can help surface bad bot activity, and investigating suspicious traffic sources down to individual IP addresses can provide valuable information.
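The quick wins above (outdated browser, data-center source, non-browser client, interactions faster than a person, per-minute spikes) can all be computed from an ordinary web server access log. The following is an added example, not code from the article or from Imperva, that runs those checks over a handful of constructed combined-log-format lines. The minimum Chrome major version, the "data center" range (203.0.113.0/24, a documentation prefix standing in for a hosting provider's block), the 1-second gap and the score-to-verdict mapping are all assumptions for illustration.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for this example, not Imperva's thresholds.
MIN_CHROME_MAJOR = 100                                   # anything older is "outdated"
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for a hosting range
FAST_GAP_SECONDS = 1.0                                   # two page requests closer than this is not a person

OLD_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/49.0.2623.112 Safari/537.36")
NEW_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36")

# Constructed sample log lines; not real traffic.
LOG_LINES = [
    '203.0.113.7 - - [10/Jun/2024:09:00:00 +0000] "GET /search?from=LHR&to=JFK&d=2024-07-01 HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/Jun/2024:09:00:00 +0000] "GET /search?from=LHR&to=JFK&d=2024-07-02 HTTP/1.1" 200 5101 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/Jun/2024:09:00:01 +0000] "GET /search?from=LHR&to=JFK&d=2024-07-03 HTTP/1.1" 200 5133 "-" "python-requests/2.31.0"',
    f'198.51.100.9 - - [10/Jun/2024:09:00:05 +0000] "GET /search?from=CDG&to=BCN HTTP/1.1" 200 6000 "-" "{OLD_CHROME}"',
    f'198.51.100.9 - - [10/Jun/2024:09:00:05 +0000] "GET /search?from=CDG&to=MAD HTTP/1.1" 200 6012 "-" "{OLD_CHROME}"',
    f'198.51.100.9 - - [10/Jun/2024:09:00:05 +0000] "GET /search?from=CDG&to=LIS HTTP/1.1" 200 5990 "-" "{OLD_CHROME}"',
    f'192.0.2.44 - - [10/Jun/2024:09:01:10 +0000] "GET /search?from=FRA&to=ATH HTTP/1.1" 200 6100 "https://example.com/" "{NEW_CHROME}"',
    f'192.0.2.44 - - [10/Jun/2024:09:01:42 +0000] "GET /search?from=FRA&to=ATH&d=2024-08-10 HTTP/1.1" 200 6140 "https://example.com/search" "{NEW_CHROME}"',
    f'192.0.2.44 - - [10/Jun/2024:09:03:05 +0000] "POST /book HTTP/1.1" 302 0 "https://example.com/search" "{NEW_CHROME}"',
]


def parse(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def is_outdated_browser(ua):
    m = re.search(r"Chrome/(\d+)\.", ua)
    return bool(m) and int(m.group(1)) < MIN_CHROME_MAJOR


def analyze(lines):
    """Per-source-IP signals and a verdict: {ip: {signal: bool, ..., "verdict": str}}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        ua = recs[-1]["ua"]
        signals = {
            "non_browser": not ua.startswith("Mozilla/"),  # simple bot: no browser self-report
            "datacenter": is_datacenter(ip),
            "outdated_browser": is_outdated_browser(ua),
            "rapid": bool(gaps) and min(gaps) < FAST_GAP_SECONDS,
        }
        score = sum(signals.values())
        signals["verdict"] = "block" if score >= 2 else "challenge" if score == 1 else "allow"
        report[ip] = signals
    return report


def requests_per_minute(lines):
    """Minute buckets ({"HH:MM": count}) for spotting sudden spikes."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[rec["time"].strftime("%H:%M")] += 1
    return dict(buckets)


if __name__ == "__main__":
    for ip, signals in analyze(LOG_LINES).items():
        print(ip, signals)
    print(requests_per_minute(LOG_LINES))
```

On the constructed lines, the python-requests client on the data-center address is blocked outright, the Chrome 49 client firing three searches in the same second is blocked on the outdated-browser and speed signals, and the current Chrome client with human-paced navigation and a referer is allowed. Two caveats a practitioner would add before using anything like this in production: a NAT or corporate proxy puts many people behind one IP, so the speed signal should be keyed on session or fingerprint rather than IP alone, and advanced bots of the kind described above will pass every one of these checks, which is exactly why the article calls them quick wins rather than a complete defence.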
As bot technology develops, especially with artificial intelligence, it will become increasingly difficult to distinguish good traffic from bad. Imperva therefore advocates multi-layered protection, including user behavior analysis, profiling and fingerprinting, as essential measures for the travel industry.