Growing Cyberattacks in Travel, Hospitality Drive New Business Opportunities for Service Providers

By Joe Murray

Joe Murray

Three years after the COVID-19 pandemic decimated the global travel and hospitality industry, travel is back — in a big way. Despite high inflation worldwide the outlook is rosy: the World Travel & Tourism Council estimates the travel-related GDP to grow on average by 5.8% annually between 2022 and 2032, even outpacing the growth of the overall economy.

While this is positive news for companies that provide travel and hospitality services, the increase in web traffic also means higher potential for security threats, including ransomware, phishing and bot attacks. Cyberattacks can be a severe blow to businesses and have the potential to disrupt operations and impact profitability. Bot attacks are particularly problematic because most companies aren’t nearly as educated about bots as they are on phishing, for example, and may be largely unaware about how bots operate. As a result, they may lack visibility of how this threat can negatively impact not only operations, but profitability, damaging customer relationships and the company’s brand in the process.

Taming the Chaotic Threat Landscape

Cyber criminals are growing bolder and more creative by the day. Most use extremely advanced technologies, including artificial intelligence (AI) and machine learning, to launch devastating attacks on unsuspecting businesses. Just as spear phishing and other cyberattack tactics have evolved, so has the sophistication of bots. Businesses that require their customers to log in to make a purchase, such as retailers or those in the travel or hospitality industries, are under continuous threat of fraudulent activities, including bots.

The enormity of the bot problem was recently exposed when Ticketmaster blamed bots for the chaos surrounding the pre-sale of tickets for Taylor Swift’s Eras tour. Michael Rapino, CEO of LiveNation Entertainment, testified to the Senate Judiciary Committee in January that, “…Ticketmaster received triple the amount of bot traffic that it had ever experienced, with bots both attempting to purchase tickets as well as breach the ticket sales servers for access codes.” It’s safe to say most people are waking up to how destructive bots can be.

Top 3 Bot Threats

MSSPs are already cybersecurity experts, with many running their own security operations centers (SOCs), which are necessary to monitor and mitigate security threats. However, channel companies must also acquire expertise in the top three types of bot threats that pose the biggest harm to organizations such as airlines, cruise lines, Online Travel Agents (OTAs), hotels, and resorts, among others:

Scraper bots collect fare and availability information by rival companies and aggregator websites which are used for price comparison. Aggregation services use scraper bots to discover and publicize the availability of products or services such as flights, hotel rooms or car rentals. Threat actors then advertise the scraped information at lower price points on a secondary website, motivated by the financial rewards of charging commissions, stealing personal data or generating advertising revenue. Our Threat Research team has observed travel sites with 90% of scraper bot traffic, which if uncontrolled can impact top line revenue, bottom line profits, the quality of the customer experience, and brand reputation. Scraper bots can also discourage website auxiliary sales such as car rental and insurance, as customers head elsewhere to source the cheapest deal.

Denial of inventory attacks use malicious hoarder bots to select and hold items from a …

… limited inventory or stock in a shopping cart until the inventory is depleted. The items are held so that customers are unable to buy the items themselves. By hoarding high-demand flights, for example, bots leave customers frustrated, reducing conversions and revenue for the business. Denial of inventory across travel websites involves making fake reservations for hotel rooms, restaurants, travel packages and flights, then holding these bookings until the ticket, room or booking sells out. The malicious actor then attempts to sell these items, with the transaction completed after the item is sold elsewhere for profit. Bots are fast becoming a problem as demand for bookings increases at an unprecedented rate.

Account-takeover bots are when bad actors use credential stuffing, credential cracking and phishing techniques to take over accounts across the travel industry. These accounts may include membership points, frequent flyer miles and loyalty programs that can be sold for a profit. Saved payment details and personally identifiable information (PII) also have value across the dark web and are regularly sold on marketplaces (such as the Genesis Market, which was recently seized by the FBI) to facilitate future attacks. Credential stuffing has become an increasingly popular technique for threat actors across the travel industry over the past few years. As loyalty points aren’t regularly checked by customers, there’s a huge window of opportunity for the cybercriminal before the customer is aware their points have been stolen. The impact of losing saved payment details and PII is both financially and reputationally damaging because it is the organization that is responsible for the loss of such information — which could trigger large fines due to noncompliance with GDPR and/or CCPA data privacy regulations.

As companies across the travel and hospitality industries try to balance making a profit with maintaining a competitive edge by keeping prices affordable for travellers, they may look to cutting corners by downsizing their IT budgets, which could leave them vulnerable to cyberattacks. Without the 24/7/365 support from experienced personnel in-house, service providers and MSSPs will encounter new opportunities to partner with travel and hospitality companies to “fill the gap,” protecting organizations, and their customers, from falling victim to nefarious cybersecurity and bot attacks.

Joe Murray is the senior vice president of partnerships at Netacea, where he’s responsible for customer acquisition, growth and retention. He has more than 25 years of experience in technology sales across managed services and SaaS companies including BT, then MDNX Group and Essensys. You may follow him on LinkedIn or @Netacea_AI on Twitter.