The Impact of Bots on Airline and Travel Industries


Bad bot activities harm the travel industry in a multitude of ways

Airlines and travel industry operators, badly impacted during the Covid pandemic, are now full steam ahead catering to a growing demand for travel and tourism. Even before the pandemic, they were constantly attacked by bots carrying out harmful activities to the detriment of their businesses and customers. As travel and tourism operators in general, and airlines in particular, resume full-fledged operations, bot attacks on their websites and applications are again escalating.

Bots regularly scrape prices and schedules from travel and tourism operators (OWASP Automated Threat OAT-011 – Scraping), block seat inventory so that legitimate travelers cannot buy tickets (OAT-021 – Denial of Inventory), and make pricing queries without buying tickets, significantly increasing operators’ costs for GDS (Global Distribution System) queries. Unchecked bot traffic also skews visitor statistics (OAT-016 – Skewing), making it hard for these enterprises to get the accurate figures their operational, planning, and marketing teams need to plan effectively for growth.

An overview of how bots impacted an APAC airline

One of our customers is an airline that serves the Asia-Pacific region with low-cost domestic and international flights operating out of several hubs in the region. It is now one of the largest regional carriers based on the number of passengers flown. Along with its rapid expansion came an ever-growing number of bot attacks on its website, mobile application, and APIs to scrape its ticket prices, make unwanted GDS price queries, and hijack seat inventory, leaving genuine travelers unable to buy tickets. Apart from these bot attacks, the growing volumes of bot traffic also skewed the airline’s web traffic analytics and prevented its marketing and operational teams from planning campaigns and strategy based on actual visitor volumes.

FIGURE 1: Overview of bot attacks by type across key sections of the airline’s website

Look-to-book ratio: a key performance indicator for the travel industry

One of the primary performance indicators in the airline and travel industries is the “look-to-book ratio”, which for an airline would be the ratio of visitors to its website to the number of tickets actually sold. The look-to-book ratio has increased from a low of around 10:1 in years past and can often exceed 1000:1 today. This is because of the overall growth in the number of travelers and the increasing volumes of price searches made by consumers, as well as by bots used by industry competitors and price-checking services. Many travelers today make multiple searches using several price-comparison websites, and overall many more searches occur before a booking is made. Added to the consumer demand for lower fares is the fact that an airline’s competitors and price-comparison sites can deploy bots at frequent intervals to make ticket price inquiries, both to stay abreast of their competitors and to provide pricing data requested by genuine travelers.

Bot-initiated GDS queries significantly drive up costs

Another factor of concern to the industry is the growing volume and cost of GDS queries. GDS networks provide information on ticket availability and pricing, and carry transactions between travel agencies and airlines, hotels, car rental firms and other travel service providers. With a typical GDS query costing an airline roughly US$0.20, it’s easy to see how bot-initiated queries that never result in a ticket purchase can quickly add up to several million dollars every year in unproductive expenses. The graph below shows the number of blocked bots that were attempting to make price queries on a travel website over a 20-day period in March 2021.

FIGURE 2: Bad bot hits blocked from making GDS queries (March 10-30, 2021)
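The look-to-book ratio and the per-query GDS cost described above can be combined into a simple per-client check. The sketch below is an added example, not code from the article or from Radware's product. It assumes each search triggers one GDS query, and the event format, client names and thresholds are constructed for illustration.

```python
from collections import defaultdict

GDS_QUERY_COST_USD = 0.20  # rough per-query cost quoted in the article
MIN_SEARCHES = 50          # assumption: too few searches to judge below this
MAX_LOOK_TO_BOOK = 1000    # assumption: alert threshold, from the 1000:1 figure

# Constructed sample events: (client_id, event), event is "search" or "book".
SAMPLE_EVENTS = (
    [("traveller-a", "search")] * 12 + [("traveller-a", "book")]
    + [("meta-search-b", "search")] * 400 + [("meta-search-b", "book")] * 2
    + [("scraper-c", "search")] * 2500
)

def look_to_book_report(events):
    """Return {client: (searches, bookings, ratio, flagged)}."""
    counts = defaultdict(lambda: [0, 0])
    for client, event in events:
        if event == "search":
            counts[client][0] += 1
        elif event == "book":
            counts[client][1] += 1
    report = {}
    for client, (searches, bookings) in counts.items():
        # A client that never books has an unbounded ratio.
        ratio = searches / bookings if bookings else float("inf")
        flagged = searches >= MIN_SEARCHES and ratio > MAX_LOOK_TO_BOOK
        report[client] = (searches, bookings, ratio, flagged)
    return report

def unproductive_gds_cost(report):
    """Estimated GDS spend on searches made by flagged clients."""
    wasted = sum(s for s, _, _, flagged in report.values() if flagged)
    return round(wasted * GDS_QUERY_COST_USD, 2)

if __name__ == "__main__":
    rep = look_to_book_report(SAMPLE_EVENTS)
    for client, row in rep.items():
        print(client, row)
    print("unproductive GDS cost (USD):", unproductive_gds_cost(rep))
```

A price-comparison partner with a high but finite ratio stays unflagged here, which is why the threshold is per client rather than site-wide.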

Account Takeover (ATO) attacks on travel operators greatly hurt their brands

The most concerning bot attacks on the airline’s website were those attempting Account Takeovers (ATO). Cybercriminals looking to cash out or redeem airline miles and discount coupons (OAT-012 – Cashing Out) systematically attacked the airline’s APIs, using bots to enter breached user log-in credentials obtained from data leaks or sold by a variety of shady dark web operators (OAT-008 – Credential Stuffing) as well as to guess various combinations of usernames and passwords (OAT-007 – Credential Cracking).
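The two login attack patterns named above leave different shapes in authentication logs: stuffing spreads failures thinly across many accounts, while cracking concentrates them on a few. The following is an added detection sketch, not code from the article or from Radware's product. The log tuple format, addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict

MIN_FAILURES = 20        # assumption: ignore sources below this many failures
STUFFING_MAX_TRIES = 2   # assumption: breached pairs are tried ~once per account
CRACKING_MIN_TRIES = 10  # assumption: guessing hammers the same account

# Constructed sample log: (source_ip, username, success).
SAMPLE_LOGINS = (
    [("198.51.100.7", f"user{i}@example.com", i == 17) for i in range(40)]
    + [("203.0.113.9", "frequent.flyer@example.com", False)] * 30
    + [("192.0.2.4", "alice@example.com", False)] * 2
    + [("192.0.2.4", "alice@example.com", True)]
)

def classify_sources(attempts):
    """Label each source that produced failed logins by its failure shape."""
    # source -> username -> number of failed attempts
    failures = defaultdict(lambda: defaultdict(int))
    for source, username, success in attempts:
        if not success:
            failures[source][username] += 1
    verdicts = {}
    for source, per_user in failures.items():
        total = sum(per_user.values())
        if total < MIN_FAILURES:
            verdicts[source] = "normal"
        elif max(per_user.values()) >= CRACKING_MIN_TRIES:
            # Many guesses against the same account.
            verdicts[source] = "credential-cracking (OAT-007)"
        elif total / len(per_user) <= STUFFING_MAX_TRIES:
            # Many accounts, about one attempt each.
            verdicts[source] = "credential-stuffing (OAT-008)"
        else:
            verdicts[source] = "suspicious"
    return verdicts

if __name__ == "__main__":
    for source, verdict in classify_sources(SAMPLE_LOGINS).items():
        print(source, "->", verdict)
```

The stuffing source in the sample also has one successful login, which is the account a responder would check first for cashing-out activity.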

Apart from price scraping, GDS queries and ATO attacks, the airline’s in-flight retail section on its website was regularly hit with bot traffic, both to scrape its valuable content including images, descriptions, and prices, as well as to make purchases with stolen payment card data using the previously mentioned credential stuffing and cracking techniques.

FIGURE 3: Reduction in bad bot traffic after implementing Radware Bot Manager

The benefits of a bot mitigation solution for the airline and travel sector

As the travel industry serves growing numbers of travelers to various destinations, bot masters, cybercriminals, and competitors are also ramping up their attacks on airlines and other travel industry firms. The only way to detect and block sophisticated bots that can imitate human behavior on a website or mobile application is to adopt a dedicated bot management solution. After implementing Radware Bot Manager, our customer was able to reduce its GDS costs, prevent ATO attacks on its customers, stop ticket scalping and denial of inventory attacks, and obtain clean website and mobile app analytics to optimize its routes, flight schedules and overall marketing strategy. To learn more about how Radware can help your organization, reach out to us at botmanager_info@radware.com.

Siddharth Deb

Siddharth is a Senior Content Developer at Radware's Bot Management group. He has worked with over 150 organizations across a diverse range of industries over the past decade and a half, writing research articles, blogs, scripts, white papers, web content and much more. Siddharth has a BBA from UT Arlington, and is a passionate motorcyclist who regularly rides to his favorite destinations.
