Radware Ltd.

13/11/2024 | Press release | Archived content

How Malicious Bots Impact the Holiday Travel Season

The busy holiday travel season represents a critical business opportunity for airlines and travel companies. Ensuring the efficient and reliable operation of core systems and processes during this peak season is paramount to delivering seamless customer experiences, driving revenue, and solidifying customer loyalty. However, to achieve this, the airline industry needs to navigate around a formidable adversary: sophisticated bots armed with the latest advancements in artificial intelligence (AI).

Modern bad bots are now capable of executing complex, multi-vector attacks that threaten to disrupt airline operations, damage customer trust, and undermine financial performance. The convergence of adopting AI-powered tools for malicious intent, increasing regulatory requirements, and the growing demand for air travel has created the perfect storm for malicious actors to exploit. This makes them particularly dangerous during the high-stakes holiday season when security teams are already stretched thin.

Three major bot attack types are particularly devastating in their impact on airlines and travel companies: price scraping, account takeover, and denial of inventory.

Price Scraping Attacks

Price scraping attacks, where automated bots extract pricing information from airline websites, have evolved far beyond basic web crawling. Today's scrapers use sophisticated frameworks and AI-based techniques to closely mimic genuine user behavior and bypass traditional bot detection methods. With pricing becoming a competitive advantage in the airline industry, bad bots are increasingly focusing their efforts on collecting real-time pricing information and inventory availability. When done at such high volumes, this scraping activity adds expensive overheads in infrastructure requirements and beyond.

The Hidden Costs of Price Scraping

The financial impact of scraping extends to several critical areas:

  • GDS Query Costs: Each price check through a Global Distribution System (GDS) incurs a cost. When multiplied across the large volume of automated queries caused by bad bot activity, these fees can amount to significant unexpected expenses for major airlines. The fees associated with these excessive GDS queries can affect the broader pricing strategy of airlines as these additional costs need to be accounted for.
  • Skewed Look-to-Book Ratios: Scraping bot traffic inflates look-to-book ratios, which can disrupt crucial business metrics and lead to incorrect demand forecasting, affecting revenue and inventory management strategies.
  • Competitive Disadvantage: When competitors or unauthorized vendors leverage scraped data to undercut official pricing strategies, it affects sales and impacts revenue, along with customer relationships and brand value.

Account Takeover (ATO) Attacks

Account takeover attacks on the airline industry have become increasingly sophisticated, targeting accounts with stored payment information or accumulated loyalty points, making them particularly dangerous during the holiday travel season. Attackers use brute-force credential stuffing operations to test millions of stolen username and password combinations obtained from the dark web against the login workflows of airline websites.

Impact on Airlines and Customers

ATO attacks have far-reaching consequences for airlines and travel organizations:

  • Financial Losses: Airlines face substantial costs from account takeovers, including the increased risk of fraudulent purchases, high chargeback fees, customer lawsuits and litigation, and the additional resources required for investigation and remediation. A single compromised high-value loyalty account could result in thousands of dollars in losses.
  • Damaged Customer Trust: The compromise of personal and financial information in such attacks can severely damage customer relationships. When loyal customers or frequent flyers lose access to their accounts, the ensuing lack of confidence in an airline can lead them to switch to competitors, putting high-value business at risk.
  • Regulatory Compliance: Account takeovers can trigger privacy non-compliance procedures and investigations under GDPR, CCPA, and other privacy regulations, potentially resulting in significant fines, penalties, and prosecution of C-level personnel who carry corporate liability.

Denial of Inventory Attacks

Denial of Inventory attacks typically involve bad bots exploiting the ticket booking workflows of airlines to hold large blocks of seats without completing purchases. These bots often employ sophisticated algorithms to hold seats until the last possible moment before cancellation, making it difficult for genuine customers to secure bookings.

The most advanced attacks use distributed networks of bots that coordinate their activities to maximize impact and evade traditional detection methods, particularly on high-demand routes and during peak travel periods.

Business Impact

  • Direct Revenue Loss: When bots artificially block access to seats that could be sold to genuine customers, airlines lose potential revenue opportunities. This is particularly damaging during the holiday travel season and is compounded by the fact that such blocked seats can often go unsold despite being in high demand during the peak travel period.
  • Customer Experience Degradation: Artificial scarcity created by bots holding inventory leads to frustrated customers unable to book their desired flights. This often forces them to book at higher prices or switch to competitors, resulting in loss of business and damaged customer relationships.
  • Pricing & Planning Disruption: The manipulation of available inventory by bad bots can affect dynamic pricing algorithms and artificially push up ticket prices for genuine customers. These false signals on inventory availability can also affect revenue management and demand planning, leading to misguided strategic decisions.

The Solution: A Strategic Approach to Bot Management

The holiday season will always be a prime target for bot operators, but understanding the type and impact of these evolving threats is the first step in protecting both airline business operations and customer experiences. Airline companies must adopt a holistic approach to security that not only addresses bot threats in isolation but also integrates that protection into a comprehensive defense strategy.

Multi-layered Bot Protection: A multi-layered approach to bot protection should include preemptive protection measures, behavioral-based bot detection, and advanced mitigation. This involves proactively blocking unwanted IPs based on comprehensive threat intelligence, using AI-based algorithms to accurately identify the behavior of malicious traffic in real time, and leveraging a wide range of mitigation methods to handle bad bot traffic.

Integrated Application Protection Suite: With sophisticated bad bots increasingly being used as part of multi-faceted attacks against organizations, the bot management solution should integrate seamlessly with other application security modules and cross-correlate their data to provide a coordinated defense as part of an integrated application protection suite.

Managed Services for 24/7 Protection: Leveraging managed services to provide round-the-clock threat monitoring with a dedicated team of security professionals can ensure that any malicious activity is quickly investigated and mitigated. During the peak holiday travel season, when internal security teams are already stretched thin, the 24/7 support services provided by an expert team can play a crucial role in reducing the risk of a successful bot attack.

The key to mitigating bot attacks for a successful holiday travel season lies in balancing robust defense mechanisms with seamless customer experiences. Airlines and travel companies that invest in advanced bot management solutions will be better positioned to protect their revenue, maintain customer trust, and ensure long-term success in the industry.