SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Malicious bots disrupt travel sector, causing financial strain

Mon, 29th Jul 2024

Research from Thales indicates a substantial rise in malicious bot activity within the travel sector, emphasising the significant impact on various facets of the industry.

According to the Imperva 2024 Bad Bot Report, only 51.1% of internet traffic in the travel industry is generated by humans, while 44.5% is attributed to malicious bots. The malicious bot share is a notable increase from 37% in the previous year. Of these bots, 66.1% employ advanced techniques to simulate human behaviour.

Thales highlights several critical ways in which these malicious bots are affecting the travel sector:

Fare Scraping: Bots often collect airline data, such as prices and discounts, without permission. This practice, generally executed by online travel agencies (OTAs) and competitors, skews important metrics like look-to-book ratios and escalates API costs. One airline reported incurring an additional USD $500,000 in monthly API fees due to bot traffic.

Seat Spinning: Here, bots make seat reservations on flights without actual payments, releasing these seats at the last minute or reselling them at a premium. This behaviour is particularly problematic on the day of departure, when flights that appear fully booked suddenly have available seats, affecting both revenue and reputation for airlines.

Unauthorised Scraping: In contrast to fare scraping, this issue results in higher look-to-book ratios and leads to lost revenue from OTAs who do not pay booking fees. Airlines also experience reduced visibility into legitimate customer activities.

Loyalty Programme Account Takeover: Criminals employ brute-force attacks on login pages to gain access to customer accounts, subsequently stealing loyalty points and transferring them to other accounts. This practice leads to disgruntled customers, increased customer service costs, forensic investigation expenses, and challenges in maintaining customer retention.

Credit Card Fraud: Similar tactics are used by criminals to steal credit card information used on travel sites, causing financial losses and compromising customer trust. The report indicates that 17% of all login requests to travel websites and applications were malicious account takeover attempts. The travel sector is also the second most targeted industry, accounting for 11.5% of such attacks recorded and mitigated by Imperva.

The findings are part of broader trends in the Bad Bot Report, which revealed that bots constitute nearly half (49.6%) of overall internet traffic.

Nanhi Singh, General Manager of Application Security at Imperva, a Thales company, elaborates on the findings. "The travel sector has bounced back after the disruptions caused by the pandemic but now faces a growing threat in the form of malicious bots," Singh remarks. "The knock-on effect of malicious, automated traffic needs to be mitigated, as failing to do so not only impacts airlines but also poses significant risks to customer data. This shift is changing the way organisations approach building and protecting their websites and applications."

Singh urges organisations within the travel industry to invest in bot management and API security tools to counter these threats.

Maintaining vigilance against suspicious activities can help identify potential bot activity. Indicators include unusual price fluctuations, slow website performance, frequent CAPTCHA challenges, unexpected changes in availability, and suspicious emails or messages. Identifying these signs can prevent or mitigate the adverse effects of malicious bot traffic on both businesses and consumers.
