In a recent presentation, I co-led with a major airline's Chief Information Security Officer (CISO), and we unveiled some startling online threats facing the airline industry. These threats ranged from network attacks to sophisticated application attacks and they were far from the usual suspects covered in typical articles.
THE HIDDEN COST OF GLOBAL DISTRIBUTION SYSTEMS (GDS)
Every time you search for a flight on an airline's website, the application fetches prices from Amadeus, a global distribution system (GDS). This system uses real-time inventory data, like the number of available seats, to present prices. However, each GDS query comes with a cost.
One day, the airline's CISO noticed a $300,000 spike in payments to Amadeus. An investigation revealed that a malicious bot was systematically running price requests on their website, causing the unexpected increase.
A SOPHISTICATED DENIAL OF INVENTORY ATTACK
The CISO received a frantic call from the marketing department: all seats on certain flights were booked by a single consumer. This wasn't a simple prank; it was a highly sophisticated attack. The attacker deployed a bot that booked seats on specific flights. Once a seat is booked, you have up to 15 minutes to complete the payment or the seat is released.
This attack required a bot capable of navigating the airline's website, searching for specific routes and dates, selecting flights, and choosing price options. The bot had to identify available seats from images with multiple seat statuses and run the attack from different IP addresses each time.
EVOLUTION OF DENIAL OF SERVICE ATTACKS
As a national airline, the company's website frequently suffers from Distributed Denial of Service (DDoS) attacks. This phenomenon began in 2022, coinciding with the rise of global hacktivism. Whether a State supports Ukraine in the war, or is involved in regional tensions, it becomes a target for large-scale DDoS attack campaigns.
The attackers' toolset has evolved. They now adopt application-layer DDoS techniques, including Web DDoS attacks (HTTPS floods) and DNS attacks. These attacks often go undetected by standard DDoS mitigation solutions and have proven highly effective in causing outages. According to our 2025 Global Threat Analysis Report, Web DDoS attacks increased by nearly 550% year-over-year in 2024. The intensity of these attacks grew exponentially in the first half of the year and remained high in the second half, reflecting a sustained and aggressive threat environment. Advanced Layer 7 (L7) DDoS attacks became prominent, leveraging vulnerabilities like the HTTP/2 Rapid Reset and Continuation Flood to target online applications with increasing sophistication. Notable incidents included a six-day attack on a financial institution in the Middle East, peaking at 14.7 million requests per second (RPS), and another attack on a major institution reaching 16 million RPS.
THREAT OF ACCOUNT TAKEOVER (ATO) IN LOYALTY PROGRAMS
Airline loyalty accounts are prime targets for cybercriminals looking to steal points and sell them for profit. While there are many ways to redeem stolen points, preventing their theft is a significant challenge.
Typical ATO techniques involve credential breaches (often through credential stuffing), social engineering tactics like phishing, and exploiting security vulnerabilities. The primary tool the airline uses to protect its customers' accounts is multi-factor authentication (MFA). However, only 30% of the airline's customers activate MFA on their loyalty accounts, leaving 70% exposed to ATO.
Attackers exploit MFA by activating it with their own email or phone number once they take over an account. This leaves the legitimate account holder in a difficult situation, as any attempt by the airline to validate their identity is sent to the criminal.
BEYOND THE SURFACE: A BROADER THREAT LANDSCAPE
The attacks described above are just a few examples of the broader threat landscape facing airlines. Other threats include price scraping, network and port scanning, web application and API vulnerability exploitation, business logic attacks, and low-and-slow DDoS attacks.