How Bots Are Disrupting Airline Ticket Sales

eWEEK DATA POINTS: Questionable online travel agencies, travel aggregators, competitors and criminals are using malicious bots to conduct a variety of attacks on airline websites that result in online fraud, website downtime and loss of potential revenue.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Airline.bot

Who knew so much bad-bot activity was going on in the airline ticketing business?

In recent months, airlines have faced an uptick in nefarious activity by bad actors, a sign that this industry is ripe with information that can be used for monetary gain or to wreak havoc. The high-profile breaches at Cathay Pacific and British Airways have illuminated the industry’s struggle to prevent and mitigate cyber attacks, but customer data is not the only incentive for bad actors to attack airlines. Sheer profit is, however.

Questionable online travel agencies, travel aggregators, competitors and criminals are using malicious bots to conduct a variety of attacks on airline websites that result in online fraud, website downtime and loss of potential revenue. Unauthorized scraping damages look-to-book ratios and can result in increased fees.

Seat spinning attacks, in which bot operators hold airline seats at no cost for a period of time in order to resell for a higher fee, skew flight popularity and allow for outsider monetary gain. Loyalty program account takeovers, in which bots perform brute force credential stuffing attacks, allow nefarious actors to steal customers’ loyalty reward points.

In the first industry-specific study of the persistent damage caused by bad bot activity on airline websites, mobile apps and APIs, Distil Networks analyzed 7.4 billion requests from 180 domains (100 airlines) internationally during a 30-day period. This eWEEK Data Points article presents the top seven findings from the report

Data Point No. 1: The airline industry is one of the most impacted by bad bots.

The average amount of bad bot traffic across all industries is 21.8 percent, and 94 of the 180 airline domains observed in this study exceed this average proportion of bad bot traffic. On 51 of the domains, bots accounted for more than 50 percent of all traffic—80 percent of these were from medium and large traffic sites. The domain identified as suffering from the highest proportion of bot traffic was a European airline—94.6 percent of its traffic was bots, while humans accounted for only 5.4 percent of its traffic.

Data Point No. 2: The bot arms race is rapidly advancing.

Some bots are easier than others to detect and block, depending on how sophisticated they are. In looking at simple, moderate and sophisticated bots, Distil found that nearly a third (31.4 percent) of bots on airlines were classified as sophisticated, while only 15.7 percent were simple. The remaining (52.9 percent) were classified as moderate. 

The sophistication level of bots on airlines is significantly higher than previously seen in Distil’s 2018 Bad Bot Report – Distil observed an rise in sophisticated bots from 19.7 percent in to 31.4 percent in less than six months. This increase is a sign of the ongoing arms race between bot operators and bot detection technology. Once bots are detected and blocked, the challenge to the bot operator is to create another bot to achieve the same goal. Because the financial viability of unauthorized OTAs and aggregators is based upon bots scraping airline data, the cycle continues ad infinitum.

Data Point No. 3: Bad bot user agents: Mobile vs. desktop.

10.5 percent of bots on airlines identify as a user agent from a mobile device. The rest all claim a user agent associated with a desktop browser. While this proportion of mobile impersonators is currently small, it is consistently growing and this trend is expected to continue.

Data Point No. 4: Top self-reporting browsers.

Across all airlines, bad bots identified themselves as one of 270 unique user agents. However, almost half (48.9 percent) of all bad bots claim to be Chrome. This shows that bots are attempting to hide in plain sight by impersonating the most popular browser. Firefox at 15.5 percent and Safari at 13.9 percent are the distant second and third. Mobile browsers, Android and Safari Mobile occupy the fourth- and sixth-most- popular user agent for bots.

Data Point No. 5: Most bad bots on airline domains originate in the U.S., Singapore and China.

The U.S. is the leading origin of bad bots on airlines, responsible for 25.6 percent of this traffic. Singapore is in second place with 15.2 percent and China is third with 11.5 percent. Reflecting the global distribution of airlines, OTAs and aggregators, the number of countries hosting bot traffic is high and is spread out across every region of the world.

Data Point No. 6: Airline bot attacks are most likely to happen on Fridays.

The consistency of bad bot traffic on airlines is noticeable when examining the data by day of the week. Bots work around the clock, every day of the week. In general, they are consistent in volume every day except for Friday, when there is a peak of bad bot traffic at 18.2 percent. This is explained by some airlines offering discounts on fares on Friday’s and bots increasing activity to gather any new information.

Data Point No. 7: Most popular automated tools detected on airlines.

Of the bad bots identified as an automated tool, a generic automation framework (WebDriver) was the most popular, accounting for 46 percent of those detected. Different versions of Selenium also saw significant usage—Selenium “Firefox” with 18.4 percent and Selenium “Chrome” with 7.1 percent.

Mobile tools were also detected. Mobile debuggers accounted for 11.9 percent of automated tools, and mobile emulators were 1.2 percent, which further indicates the increasingly prevalent role that mobile bots play in attacks on airline websites.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...