Travel is back, and with it comes the scams
30-07-22
After a two-year hiatus, travel is back in full swing, and so are hackers, looking to take advantage of your brand's reputation and hack into your customers' accounts.
Now that restrictions have been lifted, the world has opened its shutters to some much-needed sunshine. Holidays are back on the agenda and in-person industry conferences, events and meetings are bringing road warriors back to life.
For the hard-hit travel and hospitality industry, this is very positive news. The pandemic undoubtedly affected these businesses worse than many others, after travel was cancelled and hotels, meeting spaces and restaurants were forced to close their doors, in many cases for good.
But as the travel season continues in full swing and people are busy booking their long-awaited summer getaways and business trips, keep in mind that not everyone who visits your site or uses your app is a legitimate traveller.
When eager consumers flock to travel booking sites, so do attackers, looking to steal users' information and make their own profits.
The rise of the scammers
Cybercriminals looking to take advantage of the surge in traveller traffic have an arsenal of tools at their disposal to hit the industry and many rely on bots and automated attacks to carry out their dirty work.
The use of bots allows attackers to expand their assaults, targeting travel and hospitality sites en masse in an attempt to breach user accounts.
One of the most prominent attacks targeting travel and hospitality websites is account takeover (ATO). In these attacks, criminals take lists of username and password pairs, typically obtained from dark web dumps of other breached sites, and use bots to test thousands of them against the travel site's login at a time, a technique known as credential stuffing.
Since many consumers use the same passwords across multiple online accounts, fraudsters often find numerous valid logins through the attack.
Once valid credentials are identified, the attackers take over the account to book flights and accommodation, or to drain airline miles, loyalty points and rewards, monetising the theft in any way possible.
This causes significant damage to travel site operators and brands: they lose money to fraudulent bookings and redeemed rewards, and they suffer reputational damage when customers learn that their accounts have been breached.
Web scraping is another common bot-driven attack against travel sites, and PerimeterX recently uncovered three notable web scraping attacks targeting two of the most well-known online travel agencies in the United States.
The attacks ranged from scraping of product and pricing information to attacks on the sites' own search engines, in which bots flooded the websites with search requests in an attempt to disrupt the customer experience.
Bots were also observed trying to steal product reviews and testimonials from travel agency sites. In this case, it could be competitor sites trying to steal genuine reviews to make their own websites look more favourable, or cybercriminals building a convincing fake of a genuine travel site so that people who land on it hand over their payment details.
These types of attacks not only disrupt the customer experience as bots consume the site's bandwidth and capacity, but also distort the relationship between searches and bookings. Bots look, but they don't book, which inflates the look-to-book ratio. And that's a problem, considering that this ratio is the main metric of success used by the travel and hospitality industry.
Protection against automated bot attacks
Since all of these attack scenarios are conducted through bots, travel and hospitality sites need to understand their risks and implement solutions to detect and mitigate non-human website traffic.
The following steps will help you gauge your current exposure to bot attacks and decide how to mitigate them.
Create a list of all applications where end-user information may be stored or have value to an attacker, such as personally identifiable information, membership points or stored credit cards.
Monitor key applications for indicators of attacks. Any activity outside of expected behaviours could be an indicator of an attack.
A large number of failed logins or a large number of password reset requests can be indicators of credential stuffing or account takeover attacks.
A spike in change of address requests may be an indicator of an account takeover attack.
A spike in chargebacks may be an indicator of a carding attack.
A high volume of cart abandonment may be an indicator of a scraping attack.
If there are indicators of an attack, work with the CDN or a bot mitigation provider to test your solution in monitoring mode to verify if attacks are present, ongoing, or even increasing.
Determine if a bot mitigation solution is necessary and how it will integrate with your current security technology stack.
Deploy the solution and monitor the change in bot traffic. Tuning the solution to your application takes a little time, but most security teams see a large decrease in bot-based traffic, an improvement in customer satisfaction and cleaner business metrics.
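The monitoring step above lists the indicators to watch for: a surge of failed logins, a burst of password resets, a spike in change-of-address requests. The example below is added here to show what that check looks like in code; it is not from the original article or from PerimeterX. It runs over a constructed sample of authentication and account-change events (not real traffic) and flags the two signatures that matter most for account takeover: per-minute volume spikes for each event type, and a single source whose failed logins span many distinct accounts, which is the credential-stuffing pattern, together with the accounts that did succeed from that source. The log format, the event names, the IP addresses and the thresholds are all assumptions chosen for illustration; tune the thresholds to your own baseline.

```python
"""Added example (not from the original article or from PerimeterX): a
small detector that scans authentication and account-change events for
the bot-attack indicators the steps above describe. Log format, field
names and thresholds are assumptions chosen for illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    kind: str   # login_ok | login_fail | pwd_reset | addr_change (assumed names)
    ip: str
    user: str


def parse_line(line: str) -> Event:
    """Parse one assumed-format line: '<ISO ts> <event> ip=<addr> user=<name>'."""
    ts, kind, ip_kv, user_kv = line.split()
    return Event(datetime.fromisoformat(ts), kind,
                 ip_kv.split("=", 1)[1], user_kv.split("=", 1)[1])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Constructed sample traffic, not real data. A few legitimate users first...
LEGIT_LINES = """
2022-07-30T10:00:05 login_ok ip=198.51.100.10 user=alice
2022-07-30T10:00:40 login_fail ip=198.51.100.11 user=bob
2022-07-30T10:00:45 login_ok ip=198.51.100.11 user=bob
2022-07-30T10:01:10 pwd_reset ip=198.51.100.12 user=carol
2022-07-30T10:02:00 login_ok ip=198.51.100.13 user=dave
"""
# ...then a constructed credential-stuffing burst: one source tries 30 distinct
# accounts in 30 seconds, three succeed, and the address on each hijacked
# account is changed a minute later.
HIJACKED = (4, 17, 22)
STUFFING_LINES = "\n".join(
    f"2022-07-30T10:03:{i:02d} {'login_ok' if i in HIJACKED else 'login_fail'} "
    f"ip=203.0.113.7 user=user{i:03d}"
    for i in range(30)
) + "\n" + "\n".join(
    f"2022-07-30T10:04:{n:02d} addr_change ip=203.0.113.7 user=user{u:03d}"
    for n, u in enumerate(HIJACKED)
)
SAMPLE_LOG = LEGIT_LINES + STUFFING_LINES

# Per-minute volume thresholds (assumed; tune to your own baseline).
THRESHOLDS = {"login_fail": 20, "pwd_reset": 5, "addr_change": 3}
# Distinct accounts tried from one IP before we call it credential stuffing.
MIN_DISTINCT_USERS = 10


def count_per_minute(events, kind) -> Counter:
    """Bucket events of one kind into one-minute windows."""
    counts = Counter()
    for e in events:
        if e.kind == kind:
            counts[e.ts.replace(second=0, microsecond=0)] += 1
    return counts


def volume_spikes(events, thresholds=THRESHOLDS) -> dict:
    """{kind: [(window_start, count), ...]} for every window at or above threshold."""
    spikes = defaultdict(list)
    for kind, limit in thresholds.items():
        for start, n in sorted(count_per_minute(events, kind).items()):
            if n >= limit:
                spikes[kind].append((start, n))
    return dict(spikes)


def stuffing_sources(events, min_users=MIN_DISTINCT_USERS) -> dict:
    """Sources whose failed logins span many distinct accounts (the credential-
    stuffing signature), plus the accounts that succeeded from them: likely takeovers."""
    failed, succeeded = defaultdict(set), defaultdict(set)
    for e in events:
        if e.kind == "login_fail":
            failed[e.ip].add(e.user)
        elif e.kind == "login_ok":
            succeeded[e.ip].add(e.user)
    return {ip: {"tried": len(users), "compromised": sorted(succeeded[ip])}
            for ip, users in failed.items() if len(users) >= min_users}


def analyse(log_text: str) -> dict:
    events = parse_log(log_text)
    return {"spikes": volume_spikes(events), "stuffing": stuffing_sources(events)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for kind, windows in report["spikes"].items():
        for start, n in windows:
            print(f"SPIKE {kind}: {n} events in window starting {start}")
    for ip, info in report["stuffing"].items():
        print(f"STUFFING from {ip}: {info['tried']} accounts tried, "
              f"compromised={info['compromised']}")
```

On the constructed sample the legitimate user who mistypes a password once is not flagged, the burst from 203.0.113.7 is reported both as a failed-login spike and as a stuffing source with three compromised accounts, and the three address changes that follow trip the change-of-address threshold. In production the same logic would read from your authentication and account-management logs, and the per-IP view should be complemented with per-account and per-ASN views, since stuffing campaigns routinely spread their attempts across proxy pools to stay under per-source limits.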
As more consumers look to book travel, this increase in nefarious activity is exposing new avenues for fraudsters to conduct attacks. Travel and hospitality companies must fight back by deploying proactive solutions that can detect malicious traffic before it causes chaos and further travel disruption.