Q1 2024
The travel and hospitality sector is facing a variety of cyber challenges, especially during peak seasons. To improve the experience for authentic travelers, online businesses may ease security protocols, believing that the substantial volume of real transactions will outweigh any fraudulent ones. Malicious entities can manipulate this leniency by creating deceptive bookings or exploiting stolen payment information, resulting in financial setbacks for service providers and their consumers. Fraud should no longer be considered an acceptable cost of doing business.
This industry brief utilizes data from our comprehensive bot abuse analysis, focusing on the top attack vectors in travel and hospitality during Q1, Q2, and Q3 2023. It seeks to provide data-driven insights into attacks on the travel and hospitality sector, offering effective detection and prevention strategies. Insights are drawn from the Arkose Labs Global Intelligence Network, which includes major corporations and category leaders. These entities, prime targets for cyber threats, provide a unique perspective for monitoring and analyzing cyber activities.
Attack type by industry in H1 2023:
We analyzed billions of sessions worldwide across industries, between January 2023 and September 2023, and assessed three primary attack vectors fraudsters use to launch various cyberattacks. In sum, these methods generated billions of attacks in the first half of 2023 and into Q3, comprising 73% of website and app traffic measured. That means almost ¾ of web traffic to digital properties is malicious.
In the travel sector, criminals dedicate substantial time and resources to activities such as credential stuffing, phishing attacks, and other fraudulent endeavors. But when faced with robust site protection, bad actors can no longer achieve the economic gains they seek and ultimately move on. This principle underlies the core philosophy of Arkose Labs—making attacks too costly for adversaries to persist.
The Bad Side of Bots
Malicious bots play a key role in the strategy of attackers, executing precise and impactful attacks tailored for the travel and hospitality sector. Notably, a staggering 76% of web traffic in the travel and hospitality sector is attributed to bad bots.
The percentage of traffic by industry that comes from bad bots:
Between Q1 2023 and Q2 2023, intelligent bot traffic experienced a nearly fourfold increase. This growth outpaced that of basic bots and played a pivotal role in the overall surge of approximately 167% in bot attacks during the same period.
While the prevalence of automated threats is a significant concern, there has also been a marked 26% uptick in human-based attacks during Q3. When malicious bots fail to make it past security defenses, threat actors turn to human fraud farms to complete their mission.
Beating these adversaries demands technology that dynamically targets human solvers and applies adaptive, time-consuming challenges. With this capability in place, travel and hospitality businesses can defeat the economics behind attacks that exploit human labor at scale.
Concerning Trends and Crimes in Travel Sector
From inventory hoarding to credential stuffing to web scraping, the travel sector is facing some concerning trends. Some companies engage in inventory hoarding by placing holds on competitors’ seats or reservations. They then release them slowly as demand increases, manipulating pricing and potentially undercutting the competition with cheaper rates from the outset.
Credential stuffing poses another significant threat to the travel and hospitality sector, particularly in the abuse of loyalty programs. Cybercriminals like targeting loyalty point accounts because they are typically not watched closely. Even though these accounts can have a lot of value, they are often protected with simple passwords that go unchanged. Once in control of the points, criminals can convert them into untraceable items like gift cards or sell them for money on the dark web, at minimal risk to themselves.
Stolen personal information can be exploited for identity theft and other serious crimes, including money laundering. Cybercriminals exploit accounts through credential stuffing and convert loyalty points and rewards into cash or cryptocurrency. This conversion often occurs through the illicit sale of fraudulently obtained rewards on the dark web or through other underground channels, providing a means to launder money discreetly. Funds gained through loyalty abuse may be channeled to finance other serious crimes, from drug trafficking to terrorism.
In Q3 alone, a staggering 72% of all cyberattacks witnessed were attributed to malicious web scraping. This rise is closely tied to the increasing demand for data to fine-tune AI models and, in some instances, to undercut competing businesses. The proliferation of AI-powered services utilizing bots for large-scale scraping has become a prominent driver behind this surge.
Two Cyber Threats Driving Bot Attacks in Travel
Two technology trends, influenced by powerful economic forces, are driving the surge in bot and human fraud farm attacks:
1. Generative AI (GenAI):
GenAI technology poses a multifaceted threat to the travel and hospitality sector, enabling attacks through various means. GenAI helps bad actors craft convincing phishing emails, targeting customers with deceptive communications from travel businesses. These emails, meticulously personalized using publicly available information, convincingly mimic the communication style and branding of the legitimate business. As unsuspecting consumers interact with these emails, they may inadvertently disclose sensitive information, including login credentials and personal details.
GenAI-generated phishing emails may offer exclusive travel deals, personalized vacation packages, or enticing loyalty program rewards. The deceptive nature of these communications makes it challenging for recipients to discern the fraudulent intent. Within these emails, there may be links leading to counterfeit login pages or malicious attachments aimed at compromising user systems.
2. Cybercrime-as-a-Service (CaaS):
Bad actors are advancing their skills by embracing the CaaS model, deploying bots and unleashing attacks that cause trillions of dollars in damages. This shift lowers the barrier to entry and grants access to cybercrime for a broader range of actors, making it easier to launch attacks with limited technical skills.
The CaaS model directly impacts travel and hospitality by establishing an online bazaar where cybercriminals can easily procure ready-made bots, tools and expertise, like “customer service” and “training” modules. These marketplaces enhance the efficiency and reach of cyber threats, posing an immediate risk to the security of online transactions, consumer data, and overall operations.
The affordability and popularity of these marketplaces are pressing security teams to bolster their efforts against these rising threats. The widespread impact, economic incentives for cybercriminals, increased sophistication of attacks, and the potential monetization of stolen data contribute to the need for enhanced vigilance. As these marketplaces attract a broader range of threat actors and pose challenges in terms of reputation management and regulatory compliance, security teams must stay ahead of evolving attacks.
Industry Benchmarks
In the first half of 2023, nearly every industry experienced an increase in the number of attacks. Here are the top 5 sectors under attack, by volume:
The Growing Scourge of Attacks
Arkose Labs Can Help
Arkose Labs safeguards businesses by disrupting the financial incentives driving bot attacks. Our long-term bot mitigation and account security solutions focus on protecting critical user touch-points: account login and registration. By identifying hidden attack signals and undermining attackers' return on investment, we enhance security without compromising user experience.
Our unique platform, Arkose Bot Manager, analyzes user session data to assess context, behavior, and reputation, classifying traffic based on risk profiles. Suspicious traffic faces enforcement challenges, distinguishing between legitimate users and fraudsters to block automated activities and ensure a secure consumer experience.
The difference between Arkose Labs and our past solution is night and day for us. Previous defenses created a bad user experience, while Arkose Labs solves the problem and makes it fun for our users.
Antoni Choudhuri
Roblox