Are bots threatening the travel industry in 2021?
By Alex McConnell / 06th May 2021
In our recent webinar, Netacea’s Head of Threat Research, Matthew Gracey-McMinn, and Enterprise Sales Manager for Travel and Tourism, Graeme Harvey, were joined by Director of Spike Digital, Duncan Colman, to delve into the top bots and cybersecurity threats set to target the travel industry in 2021.
The reopening of the travel industry in 2021
In 2019, the travel and tourism industries contributed £106 billion to the British economy, supporting 2.6 million jobs. Since then, the Covid-19 pandemic is estimated to have cost the international tourism market upwards of $1 trillion as governments across the globe issued strict Covid travel restrictions and the travel market ground to a halt. Flights were cancelled, and even domestic travel was limited, meaning international tourism arrivals dropped by 87% between January 2020 and 2021.
As the industry prepares to get back on its feet, international travel remains uncertain, corporate bookings are almost redundant while the world continues to work from home, and the birth of the popular ‘staycation’ means only domestic travel has witnessed a boom in bookings during Q1. However, with an increase in bookings comes an increase in bot activity.
The travel bot problem
Netacea’s Threat Research team predicts that the same bot threats seen in previous years will hit the tourism industry hard in the coming months.
While the attacks may be similar to those witnessed before, what will change is the volume, speed and sophistication of such threats. Budgets and priorities have shifted significantly for travel organisations over the last 12 months; the challenge is remaining agile in an unpredictable market. Investing in cybersecurity – specifically a robust bot management solution – is key to achieving this ability to adapt to changing circumstances as the world reopens.
Price and availability scraping
In travel, web scraper bots are mainly used to collect fare and availability information. Threat actors advertise the scraped information at lower price points on secondary sites, motivated by the financial rewards of charging commissions, stealing personal data or generating advertising revenue.
76% of travel businesses surveyed by Netacea in 2020 said that price scraping represented the greatest automated threat to their business. If uncontrolled, scraping can impact top line revenue, bottom line profits and customer experience, including:
- Loss of competitive price advantage and potential auxiliary sales such as car rental and insurance
- Skewed look-to-book ratios (used by the travel industry to measure the number of people visiting a website compared to those who make a purchase)
- Inaccurate number of website viewers interested in a certain product or booking, leading to reduced conversions and misleading website analytics
- Gathering data used in more sophisticated attacks such as spinner or denial of inventory bots
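To show how scraper traffic skews the look-to-book ratio, the added example below (not Netacea's code) computes the ratio over a constructed event log, then again after setting aside clients that search heavily but never book. The client IDs, event names and thresholds are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (client_id, event). "look" is a fare or
# availability search, "book" is a completed purchase.
EVENTS = (
    [("c-101", "look")] * 12 + [("c-101", "book")]
    + [("c-102", "look")] * 8 + [("c-102", "book")]
    + [("c-103", "look")] * 20 + [("c-103", "book")] * 2
    + [("c-900", "look")] * 600   # heavy searcher that never books
    + [("c-901", "look")] * 360   # heavy searcher that never books
)

def look_to_book(events):
    """Looks per booking; infinite when nothing was booked."""
    counts = Counter(event for _, event in events)
    return counts["look"] / counts["book"] if counts["book"] else float("inf")

def suspected_scrapers(events, min_looks=100, max_book_rate=0.001):
    """Clients with many looks and (almost) no bookings.

    Both thresholds are assumed values; tune them against a baseline
    of known-good traffic for the site in question.
    """
    per_client = defaultdict(Counter)
    for client, event in events:
        per_client[client][event] += 1
    return sorted(
        client for client, c in per_client.items()
        if c["look"] >= min_looks and c["book"] / c["look"] <= max_book_rate
    )

def ratio_report(events):
    """Ratio as analytics sees it versus the ratio for remaining clients."""
    flagged = set(suspected_scrapers(events))
    remaining = [ev for ev in events if ev[0] not in flagged]
    return {
        "raw": look_to_book(events),
        "filtered": look_to_book(remaining),
        "flagged": sorted(flagged),
    }

if __name__ == "__main__":
    print(ratio_report(EVENTS))
```

The gap between the raw and filtered figures is the distortion that high-volume scraping introduces into conversion analytics.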
Denial of inventory
Denial of inventory across travel websites involves making fake reservations for hotel rooms, restaurants, holidays and flights, and holding these bookings until the ticket, room or booking becomes sold out. The bot reserves the item for up to 20 minutes, during which time genuine customers perceive there to be no availability left, and the perpetrator attempts to sell the item on for a profit. Once the website has cleared the basket of the held reservation, a new bot will pick up that availability and repeat the process until the inventory is successfully sold.
The objectives of a denial of inventory attack include:
- Generating high and fast profit off the back of a fairly low-risk opportunity
- Defeating the competition by sending customers to a rival website
- Disrupting availability by making an application unusable as part of an application-layer denial of service attack
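The hold, expire and re-hold cycle described above leaves a recognisable pattern in basket data. The added example below (not Netacea's code) looks for items whose abandoned holds are picked up again within seconds of expiry, several times in a row. The record layout, the 10-second re-grab window and the minimum chain length are assumptions; the 20-minute hold time comes from the text.

```python
from collections import defaultdict

HOLD_TTL = 20 * 60  # seconds a basket reservation is held before it is cleared

# Constructed sample holds: (item, session, hold_start_seconds, outcome)
HOLDS = [
    ("ROOM-SEA-14", "s1", 0, "expired"),
    ("ROOM-SEA-14", "s2", 1203, "expired"),
    ("ROOM-SEA-14", "s3", 2405, "expired"),
    ("ROOM-SEA-14", "s4", 3609, "expired"),
    ("FLT-LHR-JFK", "s5", 100, "expired"),     # one abandoned basket
    ("FLT-LHR-JFK", "s6", 5000, "purchased"),  # later genuine sale
    ("ROOM-CITY-02", "s7", 50, "purchased"),
]

def rehold_chains(holds, ttl=HOLD_TTL, regrab_window=10, min_chain=3):
    """Return items with >= min_chain back-to-back abandoned holds.

    A hold continues a chain when it starts within regrab_window seconds
    of the previous abandoned hold expiring. A purchase ends the chain.
    """
    by_item = defaultdict(list)
    for item, session, start, outcome in holds:
        by_item[item].append((start, session, outcome))

    alerts = {}
    for item, records in by_item.items():
        records.sort()
        chain, longest = [], []
        for start, session, outcome in records:
            if outcome != "expired":
                chain = []
                continue
            gap = start - (chain[-1][0] + ttl) if chain else None
            if gap is not None and 0 <= gap <= regrab_window:
                chain.append((start, session))
            else:
                chain = [(start, session)]
            if len(chain) > len(longest):
                longest = list(chain)
        if len(longest) >= min_chain:
            alerts[item] = {
                "holds": len(longest),
                "blocked_minutes": len(longest) * ttl // 60,
                "sessions": [s for _, s in longest],
            }
    return alerts

if __name__ == "__main__":
    print(rehold_chains(HOLDS))
```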
Credential stuffing, credential cracking and phishing techniques are used as the first step in attacks which result in account takeover across the travel industry. Travel website accounts hold valuable assets such as membership points, frequent flyer miles, loyalty programmes or cards that can be sold on for a profit. Plus, saved payment details and personally identifiable information (PII) have value across the dark web.
85% of travel businesses surveyed by Netacea in 2020 said that credential stuffing, the most common first step in an account takeover attack, represented the greatest risk to their business. After a threat actor uses username and password combinations to gain access, a secondary attack then makes a fraudulent booking on the account.
The impact of losing saved payment details and PII to threat actors is both financially and reputationally damaging. While the organisation may not be directly at fault, the cybersecurity breach means it is left to pay the ICO (or equivalent) fine, reimburse any affected customers, and face the PR repercussions of publicly losing customer data.
Keeping your travel organisation protected
As attacks on the travel industry evolve, it’s a crucial time for businesses in the travel and tourism sector to invest in their cybersecurity and put a dedicated bot management solution in place to deal with the most sophisticated threats.
Netacea’s revolutionary bot management technology is helping organisations across the travel and hospitality industry to detect and protect against malicious bot threats. Our consultative approach, paired with our server-side, machine learning technology, allows us to seamlessly integrate with your business and deliver accurate, intelligent and effective bot mitigation.
To find out how much bots could be costing your travel website in minutes, visit Netacea’s new bot calculator.