Travel sector needs to protect itself against cybercriminals
Imperva’s 2024 Bad Bot Report shows that the travel industry experienced a fifth of all automated bot attacks in 2023
Thales’ cybersecurity firm Imperva warned the travel industry that it has become a hot target for automated threats by cybercriminals over the past year.
Imperva’s 2024 Bad Bot Report showed that the travel industry experienced around 21 percent, roughly a fifth, of all automated threats reported in the past year. Bad bots also made up 45 percent of the global travel industry’s web traffic, an increase of 37 percent from 2022.
As this year draws to a close, the travel sector needs to brace itself for a surge in bot activity. Cybercriminals use these bots to target travel companies in a number of ways. Account takeovers are one; seat spinning is more common, and both fraud and unauthorised web scraping remain live risks.
The big issues
Seat spinning is particularly rife in Asia, as bots hold airline seats, often for up to a day, without making payment. This enables operators like unauthorised online travel agencies (OTAs) to resell these seats without risking upfront payment.
If these operators fail to offload the seats they are holding, airlines can suddenly find seemingly fully booked flights departing far below capacity. The result is significant financial and reputational damage.
Unauthorised web scraping is another major issue. Here, bots run by OTAs, aggregators, and competitors access airlines’ web properties without permission to harvest data.
This can distort critical business insights and metrics such as look-to-book ratios, and can even increase the fees airlines must pay their partners. One airline last year ended up paying US$500,000 per month for API requests because of the surge in bad bot traffic scraping its search API.
In terms of account takeovers (ATOs) and fraud, the travel industry experienced the second-highest volume of ATO attempts in 2023, with 11 percent of all ATO attacks globally targeting the industry. Cybercriminals zero in on the travel sector due to the valuable personal information, stored payment methods, and loyalty points within user accounts.
Once the bad actors access customer accounts, they can steal loyalty points and fraudulently “buy” flights or hotel rooms for onward sale.
What needs to be done
Imperva recommends that travel companies deploy a multi-layered defence strategy to mitigate these threats across all digital touchpoints, including APIs and mobile applications.
Organisations should identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure, particularly around login functionality, is crucial, as login endpoints are prime targets for credential stuffing and brute force attacks.
Imperva’s chief solutions architect for Asia-Pacific and Japan, Daniel Toh, suggests: “Quick wins for security teams would include blocking outdated browser versions, restricting access from bulk IP data centres, and implementing detection strategies for signs of automation, like unusually fast interactions.”
He also suggested that company IT departments analyse suspicious traffic sources to gain valuable insights, and watch out for traffic anomalies like high bounce rates and sudden spikes.
Toh concluded with: “Lastly, monitor the news and stay abreast of new data breaches which threat actors can use to fuel automated account takeover attacks.”
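As an added illustration of the quick wins Toh lists (outdated browser versions, bulk data-centre IP ranges, unusually fast interactions), the following Python scores constructed request-log lines per session. It is not code from the article or from Imperva; the log format, the version thresholds and the RFC 5737 documentation prefixes standing in for data-centre ranges are all assumptions made for the example.

```python
# Added example, not from the article or Imperva: flag sessions in a request log
# that show the automation signals Toh lists. Log lines and thresholds are constructed.
import ipaddress
from collections import defaultdict

# Assumed policy: minimum acceptable major versions; documentation prefixes stand in for DC space.
MIN_BROWSER_VERSION = {"Chrome": 110, "Firefox": 110}
DATACENTRE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
MIN_INTERACTION_SECONDS = 1.0   # assumed: two hits closer than this look automated

# Constructed log: "<unix timestamp> <client ip> <session id> <browser>/<major> <path>"
SAMPLE_LOG = """\
1700000000.0 10.0.0.5 s1 Chrome/120 /search
1700000003.5 10.0.0.5 s1 Chrome/120 /select
1700000000.0 203.0.113.7 s2 Chrome/120 /search
1700000000.2 203.0.113.7 s2 Chrome/120 /search
1700000000.4 203.0.113.7 s2 Chrome/120 /search
1700000001.0 192.0.2.9 s3 Chrome/60 /search
"""

def parse_line(line):
    ts, ip, session, ua, path = line.split()
    browser, version = ua.split("/")
    return {"ts": float(ts), "ip": ipaddress.ip_address(ip), "session": session,
            "browser": browser, "version": int(version), "path": path}

def session_signals(log_text):
    """Return {session: set(reasons)} for every session showing an automation signal."""
    by_session = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_session[rec["session"]].append(rec)
    flagged = {}
    for session, recs in by_session.items():
        reasons = set()
        recs.sort(key=lambda r: r["ts"])
        for r in recs:
            minimum = MIN_BROWSER_VERSION.get(r["browser"])
            if minimum is not None and r["version"] < minimum:
                reasons.add("outdated_browser")          # quick win 1
            if any(r["ip"] in net for net in DATACENTRE_RANGES):
                reasons.add("datacentre_ip")             # quick win 2
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        if gaps and min(gaps) < MIN_INTERACTION_SECONDS:
            reasons.add("fast_interaction")              # quick win 3
        if reasons:
            flagged[session] = reasons
    return flagged
```

Session s1 (a human-paced visit from a non-data-centre address on a current browser) is left alone, while s2 and s3 are flagged with the reason each triggered, which is the kind of per-source evidence the article suggests reviewing before deciding to block.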