Now that restrictions have lifted, the world has opened its shutters to some much-needed sunshine. Holidays are finally back on the agenda and in-person industry conferences, events and meetings are driving a resurgence of road warriors.
For the hard-hit travel and hospitality industry, this comes as very welcome news. The pandemic undoubtedly affected these businesses worse than many others after travel was canceled and hotels, meeting spaces and restaurants were forced to close their doors, in many cases for good.
But as the travel season continues in full swing and people are busy booking their much-anticipated summer getaways and business trips, be aware that not everyone visiting your site or using your app are legitimate travelers.
When eager consumers flock to travel booking sites, so do attackers, looking to steal user information and make profits of their own.

The rise of the scammers

Cybercriminals looking to take advantage of increased traveler traffic have an arsenal of tools at their disposal to hit the industry and many rely on bots and automated attacks to carry out their dirty work.
Using bots enables attackers to scale their assaults, hitting travel and hospitality sites en masse in an attempt to breach user accounts.
One of the most prominent attacks targeting travel and hospitality sites today focuses on account takeover (ATO). These threats involve attackers testing valid user credentials on a travel site, which are normally obtained through dark web data dumps, and then using bots to test out thousands of login attempts at once.

Given that so many consumers will use the same passwords across multiple online accounts, scammers will more often than not find numerous valid logins through the attack.
Once valid login credentials have been identified, the attackers will then take over the account to book flights and accommodations or even cash in air miles, points, honors and rewards, with the goal of monetizing their theft in as many ways as possible.
This causes significant damage to the travel site operators and brands because not only are they losing significant funds through the attacks, they also suffer reputational damage when customers learn their accounts have been breached.
Web scraping is a common method used by hackers to conduct account takeovers, and PerimeterX recently uncovered three noteworthy web scraping attacks targeting two of the most well-known consumer online travel agencies in the US.
The attacks ranged from itemization attacks, wherein attackers scraped product and pricing information, to search engine attacks where scammers flooded websites with bot traffic in a bid to disrupt the customer experience.
Bots were also observed trying to scrape product reviews and testimonials from travel agency sites. In this instance, it could be competitive sites trying to steal genuine reviews to make their own websites look more favorable, or cybercriminals trying to trick people looking for an original travel site to visit a fake one instead, from where they can then steal their financial details.
These types of attacks not only disrupt the customer experience as bots will clog up site bandwidth, but they also affect look-to-book ratios. Bots look, but they don’t book, skewing those ratios. And that’s a problem, considering that this ratio is the primary success metric used by the travel and hospitality industry.
Given the risks these types of attacks can cause an industry already in recovery mode, what exactly can travel and hospitality organizations do to protect their sites and their customers?

Protecting against automated bot attacks

Given that all of these attack scenarios are carried out through bots, travel and hospitality sites need to understand their risks and implement solutions to detect and mitigate non-human website traffic.
These simple steps will assist with understanding the current risk of bot attacks and suggestions on mitigation.

  • Create a list of all applications where end user information may be stored or that have value to an attacker, such as personally identifiable information, membership points or stored credit cards

  • Monitor the key applications for indicators of attacks. Any activity outside of expected behaviors could be an indicator of an attack. 

    • A large number of failed logins or large number of password reset requests may be indicators of credential stuffing or account takeover attacks.  

    • A spike in address change requests may be an indicator of an account takeover attack. 

    • A spike in charge backs may be an indicator of a carding attack. 

    • A high volume of cart abandonment may be an indicator of a scraping attack. 

  • If the indicators of an attack exist, work with the CDN or a bot mitigation vendor to trial their solution in monitor mode to verify if attacks are present, ongoing or even escalating.

  • Determine if a bot mitigation solution is required and how it will integrate with your current security tech stack.

  • Deploy the solution and monitor the change in bot traffic.  This may take a little bit to tune the solution for your application, but over time most security teams will see a vast decrease in bot-based traffic and an improvement in customer and management satisfaction.

As more consumers seek to book their trips, this uptick in nefarious activity is exposing new avenues for scammers to carry out attacks. Travel and hospitality companies need to fight back against these by deploying proactive solutions that can detect malicious traffic before it causes chaos and further travel disruptions.

Robert Kusters is a senior manager and security evangelist with PerimeterX.