After a two-year hiatus,
travel is back in full swing - and so are the hackers, looking to take
advantage of your brand reputation and hack your customer accounts.
Now that restrictions
have lifted, the world has opened its shutters to some much-needed sunshine.
Holidays are finally back on the agenda and in-person industry conferences,
events and meetings are driving a resurgence of road warriors.
For the hard-hit travel
and hospitality industry, this comes as very welcome news. The pandemic
undoubtedly affected these businesses worse than many others after travel was
canceled and hotels, meeting spaces and restaurants were forced to close their
doors, in many cases for good.
But as the travel season
continues in full swing and people are busy booking their much-anticipated
summer getaways and business trips, be aware that not everyone visiting your
site or using your app are legitimate travelers.
When eager consumers
flock to travel booking sites, so do attackers, looking to steal user
information and make profits of their own.
The rise of the scammers
Cybercriminals looking to
take advantage of increased traveler traffic have an arsenal of tools at their
disposal to hit the industry and many rely on bots and automated attacks to
carry out their dirty work.
Using bots enables
attackers to scale their assaults, hitting travel and hospitality sites en
masse in an attempt to breach user accounts.
One of the most prominent
attacks targeting travel and hospitality sites today focuses on account
takeover (ATO). These threats involve attackers testing valid user credentials
on a travel site, which are normally obtained through dark web data dumps, and
then using bots to test out thousands of login attempts at once.
Subscribe to our newsletter below
Given that so many consumers will use the same passwords across multiple online
accounts, scammers will more often than not find numerous valid logins through
Once valid login
credentials have been identified, the attackers will then take over the account
to book flights and accommodations or even cash in air miles, points, honors
and rewards, with the goal of monetizing their theft in as many ways as
This causes significant
damage to the travel site operators and brands because not only are they losing
significant funds through the attacks, they also suffer reputational damage
when customers learn their accounts have been breached.
Web scraping is a common
method used by hackers to conduct account takeovers, and PerimeterX recently uncovered three noteworthy web scraping attacks targeting two of the most well-known consumer online travel
agencies in the US.
ranged from itemization attacks, wherein attackers scraped product and pricing
information, to search engine attacks where scammers flooded websites with bot
traffic in a bid to disrupt the customer experience.
also observed trying to scrape product reviews and testimonials from travel
agency sites. In this instance, it could be competitive sites trying to steal
genuine reviews to make their own websites look more favorable, or
cybercriminals trying to trick people looking for an original travel site to
visit a fake one instead, from where they can then steal their financial
These types of attacks not only disrupt the
customer experience as bots will clog up site bandwidth, but they also affect
look-to-book ratios. Bots look, but they don’t book, skewing those ratios. And
that’s a problem, considering that this ratio is the primary success metric
used by the travel and hospitality industry.
Given the risks these types of attacks can
cause an industry already in recovery mode, what exactly can travel and
hospitality organizations do to protect their sites and their customers?
Protecting against automated bot attacks
Given that all of these
attack scenarios are carried out through bots, travel and hospitality sites
need to understand their risks and implement solutions to detect and mitigate
non-human website traffic.
These simple steps will
assist with understanding the current risk of bot attacks and suggestions on
- Create a list of all
applications where end user information may be stored or that have value to an
attacker, such as personally identifiable information, membership points or stored credit cards
- Monitor the key applications for indicators of
attacks. Any activity outside of expected behaviors could be an indicator of an
- A large number of failed logins or large
number of password reset requests may be indicators of credential stuffing or account
- A spike in address change requests may be an
indicator of an account takeover attack.
- A spike in charge backs may be an indicator of
a carding attack.
- A high volume of cart abandonment may be an
indicator of a scraping attack.
- If the indicators of an attack exist, work
with the CDN or a bot mitigation vendor to trial their solution in monitor mode
to verify if attacks are present, ongoing or even escalating.
- Determine if a bot mitigation solution is
required and how it will integrate with your current security tech stack.
- Deploy the solution and monitor the change in
bot traffic. This may take a little bit
to tune the solution for your application, but over time most security teams
will see a vast decrease in bot-based traffic and an improvement in customer
and management satisfaction.
As more consumers seek to
book their trips, this uptick in nefarious activity is exposing new avenues for
scammers to carry out attacks. Travel and hospitality companies need to fight
back against these by deploying proactive solutions that can detect malicious
traffic before it causes chaos and further travel disruptions.
About the author...
Kusters is a senior manager and security evangelist with PerimeterX