SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Cybercriminals target top travel sites during peak season

Thu, 29th Aug 2024

A new report has revealed that cybercriminals are exploiting the travel and hospitality industry’s peak season, leveraging the increase in online traffic to perpetrate attacks. Cequence has disclosed that its research found every single one of the top 10 travel and hospitality websites has serious, public-facing vulnerabilities ahead of the Labour Day holiday.

The Cequence CQ Prime Threat Research Team undertook a thorough analysis of these prominent sites using Cequence API Spyder. This SaaS-based discovery tool offers an attacker’s perspective into an organisation’s public-facing assets, identifying external edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities.

According to the findings, a pattern has emerged correlating increased online activity during vacation and holiday periods with a surge in cyberattacks. Supporting data from Vercara, which is now part of DigiCert, highlighted that Domain Name System (DNS) queries and Distributed Denial-of-Service (DDoS) attacks also spike during these peak periods.

Critical vulnerabilities were found to be alarmingly widespread. The report noted that all 10 companies had significant public-facing vulnerabilities, with four of the companies accounting for 91% of the severe flaws. These vulnerabilities included weaknesses that could allow man-in-the-middle (MITM) attacks, enabling attackers to intercept and manipulate communications between the users and the companies.

Additionally, 8 out of the 10 companies had publicly accessible non-production or internal application servers. These servers are often unmonitored and unmanaged, presenting an opportunity for attackers. One company was found to have over 300 such servers.

The issue of 'cloud sprawl' was also highlighted. Often driven by acquisitions, siloed departments, or a lack of a clearly defined cloud strategy, cloud sprawl leads to an increase in public-facing cloud instances, thereby expanding the attack surface. The analysed travel and hospitality sites utilised between 5 and 21 different hosting providers, demonstrating the complexity of managing multiple cloud environments.

The data also underscored a marked increase in cyberattacks during October, which coincides with the start of the winter travel holiday season. November 2023 recorded the highest number of DDoS attacks against the travel industry for the entire year, nearly doubling the second-highest month.

William Glazier, Director of Threat Research at Cequence, remarked, “Travellers are at risk during peak vacation times, with cybercriminals seizing the opportunity to strike.” He added, "Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses. Frequent attacks can undermine consumer trust in digital platforms. To mitigate these risks, organisations need to prioritise API security, while travellers should stay vigilant and practice robust cybersecurity."

While companies scramble to address these vulnerabilities, they must also prepare for the upcoming Payment Card Industry Data Security Standard (PCI DSS) Version 4.0, which becomes mandatory from 31 March 2025. Failing to comply with PCI DSS could result in significant fines, penalties, transaction disruptions, and heightened risk of data breaches, which might damage a business’s reputation and erode customer trust.

Organisations are advised to prioritise strengthening their API security and adopt proactive measures to mitigate these risks. They should also deploy robust protection against both manual and automated AI attacks. Meanwhile, travellers are urged to remain vigilant and employ strong cybersecurity practices to safeguard their personal and financial information.
