Bad bot activities harm the travel industry in several ways
Airlines and travel operators, hit hard by COVID-19 restrictions, are starting to resume operations as more countries lift their travel restrictions. Even before the pandemic they were under constant attack from bots used to carry out activities harmful to their businesses and customers, and as travel operators in general, and airlines in particular, resume full-fledged operations, bot attacks on their websites and applications are escalating again.
Bots regularly scrape their prices and schedules (OWASP Automated Threat OAT-011 ─ Scraping), hold seat inventory so that legitimate travelers cannot buy tickets (OAT-021 ─ Denial of Inventory), and make pricing queries that never lead to a purchase, which significantly drives up GDS (Global Distribution System) query costs. Unchecked bot traffic also skews visitor statistics (OAT-016 ─ Skewing), denying operational, planning and marketing teams the accurate figures they need to do their work.
An overview of how bots impacted an APAC airline
One of our customers is a low-cost airline serving the Asia-Pacific region with domestic and international flights out of several hubs; it is now one of the largest regional carriers by number of passengers flown. Its rapid expansion brought an ever-growing number of bot attacks on its website, mobile application and APIs: bots scraped its ticket prices, made unwanted GDS price queries, and held seat inventory so that genuine travelers were unable to buy tickets. The sheer volume of bot traffic also skewed the airline's web analytics, so its marketing and operational teams could not plan campaigns and strategy on actual visitor numbers.
FIGURE 1: Overview of bot attacks by type across key sections of the airline’s website
Look-to-book ratio: a key performance indicator for the travel industry
In the airline and travel industries, one of the primary performance indicators is the "look-to-book ratio", which for an airline is the number of fare searches (or site visits) divided by the number of tickets actually sold. The ratio has climbed from around 10:1 in years past and can often exceed 1000:1 today. Part of that growth is legitimate: there are more travelers, and each of them typically runs several searches across price-comparison websites before booking, so many more searches precede each sale than before. The rest comes from automation: an airline's competitors and price-comparison sites deploy bots at frequent intervals to query its fares, both to track competitors' pricing and to serve the comparison results that genuine travelers request, and those queries rarely end in a booking on the airline's own site.
Bot-initiated GDS queries significantly drive up costs
Another factor of concern to the industry is the growing volume and cost of GDS queries. GDS networks provide ticket availability and pricing information and handle transactions between travel agencies and airlines, hotels, car rental firms and other travel service providers. With a typical GDS query costing an airline roughly US$0.20, it is easy to see how bot-initiated queries that never result in a ticket purchase can add up to several million dollars a year in wasted spend. The graph below shows the number of bad bot hits blocked from making price queries over a 20-day period in March 2021.
FIGURE 2: Bad bot hits blocked from making GDS queries (March 10-30, 2021)
Account Takeover (ATO) attacks on travel operators greatly hurt their brands
Another form of bot activity on the airline's website was Account Takeover (ATO). Cybercriminals systematically attacked the airline's APIs with bots that replayed breached login credentials obtained from data leaks or bought from a variety of shady Dark Web sellers (OAT-008 ─ Credential Stuffing), and that guessed combinations of usernames and passwords (OAT-007 ─ Credential Cracking), in order to take over accounts and cash out or redeem the airline miles and discount coupons they held (OAT-012 ─ Cashing Out).
Apart from price scraping, GDS queries and ATO attacks, the in-flight retail section of the airline's website was regularly besieged with bot traffic, both to scrape its valuable content, including images, descriptions and prices, and to make fraudulent purchases with stolen payment card data, often through accounts taken over with the credential stuffing and cracking techniques described above.
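The two ATO techniques named above leave different footprints in a login log: credential stuffing (OAT-008) is one source trying many distinct usernames about once each, while credential cracking (OAT-007) is one source hammering a few usernames with many passwords; both share a failure rate no human produces. The following is an added example, not Radware's code or a description of how its product works: it summarizes constructed login events per source, labels each high-volume, high-failure source by the shape of its attempts, and lists the accounts that logged in successfully from a flagged source, which are the ones to lock and reset. The event format, thresholds and usernames are assumptions for the example.

```python
"""Classifying login-failure patterns as credential stuffing or cracking.

Added example, not Radware's code: credential stuffing (OAT-008) shows up as
one source trying many distinct usernames about once each, credential cracking
(OAT-007) as one source hammering a few usernames with many passwords. Both
share a high failure rate; a human rarely fails more than a few times.
"""
from collections import defaultdict

# Constructed login events in the form "ip username result" (ok or fail).
LOGIN_EVENTS = (
    [f"198.51.100.23 user{i:04d}@example.com fail" for i in range(150)]   # stuffing run
    + ["198.51.100.23 user0042@example.com ok"]                           # one leaked pair still valid
    + ["203.0.113.77 alice@example.com fail"] * 60                        # cracking run on one account
    + ["192.0.2.5 bob@example.com fail", "192.0.2.5 bob@example.com ok"]  # human mistypes, then succeeds
)


def summarize(events):
    """Per source IP: total attempts, failures, attempts per username, and
    the usernames that logged in successfully from that source."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                  "users": defaultdict(int), "hits": set()})
    for line in events:
        ip, user, result = line.split()
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"][user] += 1
        if result == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(user)
    return per_ip


def classify(per_ip, min_attempts=25, min_fail_rate=0.8,
             stuffing_min_users=20, cracking_min_per_user=20):
    """Label each high-volume, high-failure source by the shape of its attempts.
    Thresholds are illustrative; tune them against your own baseline."""
    labels = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            continue                                   # too little traffic to judge
        if s["fails"] / s["attempts"] < min_fail_rate:
            continue                                   # mostly succeeding: not an attack
        distinct_users = len(s["users"])
        per_user = s["attempts"] / distinct_users
        if distinct_users >= stuffing_min_users and per_user <= 3:
            labels[ip] = "credential_stuffing"         # wide and shallow
        elif per_user >= cracking_min_per_user:
            labels[ip] = "credential_cracking"         # narrow and deep
        else:
            labels[ip] = "suspicious"                  # high failure, unclear shape
    return labels


def compromised_accounts(per_ip, labels):
    """Usernames that logged in successfully from a flagged source: a valid
    login in the middle of a stuffing run is the attack succeeding, so these
    accounts need a lock and a forced password reset."""
    hits = set()
    for ip in labels:
        hits |= per_ip[ip]["hits"]
    return sorted(hits)


if __name__ == "__main__":
    per_ip = summarize(LOGIN_EVENTS)
    labels = classify(per_ip)
    for ip, label in labels.items():
        print(f"{ip:15} {label}")
    print("accounts to reset:", compromised_accounts(per_ip, labels))
```

The same caveat as for any per-IP counter applies: a stuffing bot rotating through residential proxies can keep each source under min_attempts, so run the same counters keyed on ASN, device fingerprint or TLS fingerprint as well, and alert on the site-wide login failure rate, which a distributed run still moves.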
FIGURE 3: Reduction in bad bot traffic after implementing Radware Bot Manager.
The benefits of a bot mitigation solution for the airline and travel sector
As the travel industry gears up to resume regular operations for the large numbers of travelers eager to fly again, bot masters, cybercriminals and competitors will also be ramping up their attacks on airlines and other travel industry firms. Detecting and blocking the latest bots, which imitate human behavior on a website or mobile application, requires a dedicated bot management solution. After implementing Radware Bot Manager, our customer was able to reduce its GDS costs, prevent ATO attacks on its customers, stop ticket scalping and denial of inventory attacks, and obtain clean website and mobile app analytics with which to optimize its routes, flight schedules and overall marketing strategy. To learn more about how Radware can help your organization, reach out to us at email@example.com.