Since the revival of the travel sector post-COVID, it faces escalating risks from automated menaces, with approximately 21% of all robotic assault requests directed towards it in the preceding year. This insight originates from a study by Imperva, a subsidiary of Thales. In the Report on Malevolent Bots for 2024 released by Imperva, it is outlined that malevolent bots made up 44.5% of the web traffic in the field in 2023—an abrupt surge from 37.4% in 2022.
The onset of the summer travel season and major sporting events in Europe is anticipated to stimulate a rise in the demand for flight bookings, lodging, and other travel-related amenities among consumers. Hence, Imperva cautions that a swell in robotic activities could be looming. These automated agents target the industry via unauthorized data scraping, deceptive seat reservations, account hijacking, and deceitful activities.
From Data Harvesting to Deception
Bots are coded software applications that enact automated functions across the world wide web. While many of these functions, such as indexing websites for search algorithms and overseeing website performance, are above board, a growing faction is not.
Malignant bots partake in a spectrum of deceitful operations, extending from denial-of-service assaults to fraudulent transactions. These automated perils can soak up bandwidth, decelerate servers, and disrupt operational workflows, even if they aren’t directly filching confidential data or executing deceptive transactions.
For an extended period, the travel sector has grappled with intricate bot dilemmas, as malevolent agents can capitalize on the diverse methods through which business algorithms are employed in travel applications. Below are some prevalent methods through which travel-associated applications are assailed regularly:
- Data Scavenging: Utilizing bots to compile pricing particulars, inventory statuses, discounted tariffs, and more. Airlines are particularly in the crosshairs of data scraping, with bots managed by Online Travel Agencies (OTAs), gatherers, and rival entities frequently snatching data without authorization. Consequently, the heightened bot traffic in capturing information can distort pivotal business metrics like look-to-book proportions and inflate API costs. For instance, one airline endured monthly expenses of $500,000 due to swollen bot activity in scraping its search API.
- Inventory Gaming: Using bots to recurrently reserve and revoke airline seats or accommodation rooms, inducing a transient hold on inventory without an actual purchase. This maneuver spurious stimuli, creating an illusion of scarce availability, thus erroneously suggesting dwindling seat or room availability. This ruse misleads patrons and could potentially hike prices due to an ostensible spike in demand. This artificial scarcity could lead to mishandling of inventory, complicating legitimate patrons’ search and booking of vacant seats or rooms. Consequently, travel firms might undergo revenue losses as authentic clients are dissuaded by the unavailability or inflated costs stirred by the fake demand. Inventory gaming also disrupts the typical airline and hotel operations, culminating in inefficiencies and escalated operational expenses affiliated with monitoring and managing such deceptive undertakings. This descent in customer experience could intensify dissatisfaction as genuine customers grapple with the challenge of locating and reserving seats or rooms.
- User Account Usurpation: In 2023, the travel industry encountered the second-highest surge in user account takeover (ATO) attempts, with 11% of all ATO attacks concentrating on the sector, with 17% of all login requests linked to ATO. Cyber offenders target this segment due to the valuable personal data, stored payment techniques, and loyalty points housed within user accounts, rendering them lucrative for identity theft and fraud. Time-critical, high-value travel transactions facilitate swift monetization, often fore detection, resulting in fiscal losses, impaired customer confidence, and tarnishing of the company’s reputation. Besides, dealing with ATO necessitates significant resources for customer service, compensations, and security upgrades. The industry’s interlinked structures and myriad entry points compound its susceptibilities.
Not All Automatons Are Equal
Imperva segregates malicious bot activity into three segments: simplistic, moderate, and sophisticated. Featuring from a solitary, ISP-designated IP address, rudimentary malevolent bots connect to sites or applications using automated scripts sans identifying themselves as a browser. Middle-tier malevolent bots leverage “headless browser” software, emulating browser technology that includes executing JavaScript. Advanced malevolent bots impersonate human user actions, like mouse gestures and clicks, to deceive bot discovery systems. They also employ browser automation software or malware integrated into genuine browsers to link to sites.
Simple malevolent bots often partake in rudimentary web scraping, whereas advanced malevolent bots might be vital for more intricate fraud and user account takeover efforts. The travel sector is besieged by sophisticated malevolent bot activity, accounting for 61% of malevolent bot activity the preceding year. The prevalence of advanced malevolent bot traffic poses conspicuous hazards, as they accomplish their objectives with fewer requests than simplistic malevolent bots and are considerably tenacious.
Refined bot operators frequently marry tactics shared by moderate and advanced malevolent bots to evade detection. These evasive bots resort to intricate maneuvers like cycling through arbitrary IPs, accessing via anonymous proxies, deflecting CAPTCHA assessments, and more to bypass bot management resolutions.
Intensifying Defense Measures
Bots engrossed nearly fifty percent of all traffic flowing through the travel sector in 2023. The scenario could deteriorate as consumer inclination for travel swells, and bot operators focus on loyalty incentive schemes, execute user account takeovers, or perpetrate fraud. To alleviate these menaces, Imperva suggests a plethora of strategies for IT security groups.
Primarily, enterprises must pinpoint hazards through progressive traffic interpretation and real-time bot identification. Grasping vulnerabilities, especially around login functions, is imperative as these are primary targets for credential stuffing and brute-force assaults. A comprehensive security blueprint should encapsulate all digital touchpoints, encompassing APIs and mobile apps.
Imperva commends various expedient victories, such as obstructing antiquated browser iterations, curbing entry from bulk IP data centers, and instituting detection techniques for indicators of automation, like anomalously brisk interactions. Routine monitoring for traffic anomalies, such as elevated bounce rates or abrupt spikes, may aid in detecting malevolent bot activity. Additionally, scrutinizing suspicious traffic origins, like individual IP addresses, can furnish invaluable insights.
As bot technology progresses, particularly with AI integration, distinguishing between benign and malevolent traffic will get increasingly arduous. Ergo, Imperva rallies for layered defenses, including user behavior scrutiny, profiling, and fingerprinting, as indispensable protocols for the travel industry.
About Author
