The Impact of Bad Bots in Travel

Travel sites are frequently affected by aggregation services that use scraping bots to discover and publicise the availability of products or services such as flights, hotels or car rentals. Threat actors advertise the scraped information at lower price points on a secondary site, motivated by the financial rewards of charging commissions, stealing personal data or generating advertising revenue. This is a growing problem due to the dynamic nature of travel pricing.  

Price scraping on travel websites leads to loss of competitive price advantage and potential upsells such as car rental and insurance. High look-to-book ratios caused by malicious bots can lead to problems with third-party services such as breaching service limits and increased charges. 

Our data scientists have observed travel sites with 90% scraper bot traffic, which inevitably impacts top line revenue, bottom line profits and customer experience. The complexity and range of web scrapers hitting every website requires a sophisticated solution that quickly and accurately collects information and identifies patterns for the successful mitigation of travel cybersecurity threats.

Denial of inventory involves selecting and holding items from a limited inventory or stock but never actually purchasing them, so that genuine customers are unable to buy the items themselves. This type of attack is regularly seen and is a growing problem across the travel cybersecurity landscape.

These ticket spinning bots are used to hoard inventory and programmed to carry out reservations typically on flights, hotels and holidays until the point of payment. This reserves the booking for up to 20 minutes, during which time real customers perceive there to be no availability and the perpetrator attempts to sell the seats on for a profit. 

Once the website has cleared the basket of the held reservation, a new bot will pick up that availability and repeat the process until the inventory is successfully sold. 
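The hold, expire, re-hold cycle described above leaves a recognisable trace in basket events. The following Python sketch is an added example, not Netacea's code: it flags inventory items that are re-held within seconds of each expiry several times in a row without a purchase. The event names, item IDs, session IDs and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, item_id, session_id, event).
# Event names and the 20-minute (1200 s) hold are assumptions for illustration.
EVENTS = [
    (0,    "FLT-101-12A", "s1", "hold"),
    (1200, "FLT-101-12A", "s1", "expire"),
    (1203, "FLT-101-12A", "s2", "hold"),
    (2403, "FLT-101-12A", "s2", "expire"),
    (2405, "FLT-101-12A", "s3", "hold"),
    (3605, "FLT-101-12A", "s3", "expire"),
    (3607, "FLT-101-12A", "s4", "hold"),
    (10,   "FLT-202-03C", "s9", "hold"),
    (400,  "FLT-202-03C", "s9", "purchase"),
    (50,   "HTL-77-DLX",  "s5", "hold"),
    (1250, "HTL-77-DLX",  "s5", "expire"),
    (5000, "HTL-77-DLX",  "s6", "hold"),
    (5300, "HTL-77-DLX",  "s6", "purchase"),
]

def find_spun_inventory(events, min_cycles=3, regrab_window=30):
    """Return {item_id: streak} for items re-held within `regrab_window`
    seconds of expiry at least `min_cycles` times in a row with no purchase."""
    streak = defaultdict(int)   # current run of expire -> quick re-hold cycles
    best = defaultdict(int)     # longest run seen per item
    last_expiry = {}            # item_id -> time its last hold lapsed
    for ts, item, _session, event in sorted(events):
        if event == "expire":
            last_expiry[item] = ts
        elif event == "purchase":
            streak[item] = 0    # a real sale breaks the pattern
            last_expiry.pop(item, None)
        elif event == "hold":
            lapsed = last_expiry.pop(item, None)
            if lapsed is not None and ts - lapsed <= regrab_window:
                streak[item] += 1
                best[item] = max(best[item], streak[item])
            else:
                streak[item] = 0  # organic gap: the item sat available a while
    return {item: n for item, n in best.items() if n >= min_cycles}

if __name__ == "__main__":
    print(find_spun_inventory(EVENTS))
```

The session ID is deliberately ignored when counting cycles, because each re-hold typically arrives from a fresh session; the signal is the item being grabbed again almost immediately after every expiry.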

Account takeover (ATO) attacks on the online travel market are carried out using credential stuffing techniques to allow attackers access to customer accounts. These accounts hold valuable items such as membership points, frequent flyer miles, loyalty programmes or cards that can be sold on for a profit. 

As loyalty points in travel are often only checked a handful of times a year, there is a huge window of opportunity for the threat actor to attack before the genuine customer realises points have been stolen.

This has a double-edged impact on the targeted travel company, which must refund the points to the legitimate customer and pay for the goods or service that the threat actor has received using the stolen loyalty points. A robust travel cybersecurity bot strategy is key to preventing damage to brand reputation, customer loyalty and finance.
