As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That’s according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry’s web traffic in 2023—a significant jump from 37.4% in 2022.
The summer travel season and major European sporting events are expected to drive increased consumer demand for flights, accommodation, and other travel-related services. As a result, Imperva warns that the industry could see a surge in bot activity. These bots target the industry through unauthorized scraping, seat spinning, account takeover, and fraud.
From Scraping to Fraud
Bots are software applications that run automated tasks across the internet. Many of these tasks, from indexing websites for search engines to monitoring website performance, are legitimate, but a growing number are not.
Bad bots engage in various malicious activities, from denial-of-service attacks to transaction fraud. These automated threats can consume bandwidth, slow down servers, and disrupt business operations even when not directly stealing sensitive data or conducting fraudulent transactions.
The travel industry has long grappled with complex bot issues, as malicious actors can exploit the various ways in which business logic is utilized in travel applications. These are some of the most common ways travel-related applications are targeted daily:
- Fare Scraping: The use of bots to aggregate pricing information, inventories, discounted fares, and more. Airlines are particularly targeted by scraping, as bots operated by Online Travel Agencies (OTAs), aggregators, and competitors often harvest data without permission. As a result, the high volume of bots scraping information can skew critical business metrics like look-to-book ratios and inflate API costs. For example, one airline incurred $500,000 per month in API request fees due to a surge in bad bot traffic scraping its search API.
- Seat Spinning: The use of bots to repeatedly book and cancel airline seats or hotel rooms, creating a temporary hold on inventory without making an actual purchase. This activity falsely creates scarcity, making it seem like fewer seats or rooms are available. As a result, it misleads customers and potentially drives up prices due to perceived high demand. This artificial shortage can lead to inventory mismanagement, making it difficult for legitimate customers to find and book available seats or rooms. Consequently, travel companies may suffer revenue losses as real customers are deterred by unavailability or inflated prices caused by the fake demand. Seat spinning also disrupts the normal operations of airlines and hotels, leading to inefficiencies and increased operational costs associated with managing and monitoring such fraudulent activities. This deterioration in customer experience can lead to frustration as genuine customers face difficulties in finding and booking seats or rooms.
- Account Takeover: The travel industry experienced the second-highest volume of account takeover (ATO) attempts in 2023, with 11% of all ATO attacks targeting the industry and 17% of all login requests associated with ATO. Cybercriminals target this industry due to the valuable personal information, stored payment methods, and loyalty points within user accounts, making them lucrative for identity theft and fraud. Time-sensitive, high-value travel transactions enable quick monetization, often before fraud is detected, resulting in financial losses, damaged customer trust, and harm to the company’s reputation. Moreover, addressing ATO demands substantial resources for customer support, reimbursements, and security enhancements. The industry’s interconnected systems and numerous entry points further exacerbate its vulnerability.
Not All Bots Are Created Equal
Imperva categorizes malicious bot activity into three categories: simple, moderate, and advanced. Connecting from a single, ISP-assigned IP address, simple bad bots connect to sites or applications using automated scripts without self-reporting as a browser. Moderate bad bots use “headless browser” software that simulates browser technology, including the ability to execute JavaScript. Advanced bad bots mimic human user behavior, such as mouse movements and clicks, to spoof bot detection. They also use browser automation software or malware installed within real browsers to connect to sites.
Simple bad bots often perform basic web scraping activity, while advanced bad bots may be needed for more sophisticated fraud and account takeover attempts. The travel industry is particularly plagued by advanced bad bot activity, which accounted for 61% of bad bot activity last year. Advanced bad bot traffic poses a significant risk, as these bots can achieve their goals with fewer requests than simple bad bots and are much more persistent.
Sophisticated bot operators often employ techniques shared between moderate and advanced bad bots to evade detection. These evasive bots use complex tactics like cycling through random IPs, entering via anonymous proxies, defeating CAPTCHA challenges, and more to circumvent bot management solutions.
Layering up Defenses
Bots accounted for nearly half of all traffic within the travel industry in 2023. That situation could worsen as consumer demand for travel grows and bot operators target loyalty rewards programs, carry out account takeover attacks, or commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams.
First, organizations must identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure, particularly around login functionalities, is crucial as these are prime targets for credential stuffing and brute force attacks. A comprehensive security strategy should encompass all digital touchpoints, including APIs and mobile applications.
Imperva suggests several quick wins, such as blocking outdated browser versions, restricting access from bulk IP data centers, and implementing detection strategies for signs of automation, like unusually fast interactions. Regular monitoring for traffic anomalies, such as high bounce rates or sudden spikes, can help identify bad bot activity. Additionally, analyzing suspicious traffic sources, like single IP addresses, can provide valuable insights.
As bot technology advances, especially with AI, distinguishing between good and bad traffic will become more challenging. Therefore, Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for the travel industry.