Automated Threats Pose Increasing Risk to the Travel Industry


As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That’s according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry’s web traffic in 2023—a significant jump from 37.4% in 2022.

The summer travel season and major European sporting events are expected to drive increased consumer demand for flights, accommodation, and other travel-related services. As a result, Imperva warns that the industry could see a surge in bot activity. These bots target the industry through unauthorized scraping, seat spinning, account takeover, and fraud.

Bots are software applications that run automated tasks across the internet. Many of these tasks, from indexing websites for search engines to monitoring website performance, are legitimate, but a growing number are not.

Bad bots engage in various malicious activities, from denial-of-service attacks to transaction fraud. These automated threats can consume bandwidth, slow down servers, and disrupt business operations even when not directly stealing sensitive data or conducting fraudulent transactions.

The travel industry has long grappled with complex bot issues, as malicious actors can exploit the various ways in which business logic is utilized in travel applications. These are some of the most common ways travel-related applications are targeted daily:

Imperva classifies malicious bot activity into three categories: simple, moderate, and advanced. Simple bad bots connect from a single, ISP-assigned IP address and reach sites or applications using automated scripts without self-reporting as a browser. Moderate bad bots use “headless browser” software that simulates browser technology, including the ability to execute JavaScript. Advanced bad bots mimic human user behavior, such as mouse movements and clicks, to evade bot detection. They also use browser automation software or malware installed within real browsers to connect to sites.

Simple bad bots often perform basic web scraping activity, while advanced bad bots may be needed for more sophisticated fraud and account takeover attempts. The travel industry is particularly plagued by advanced bad bot activity, which accounted for 61% of bad bot activity last year. Advanced bad bot traffic poses a significant risk, as these bots can achieve their goals with fewer requests than simple bad bots and are much more persistent.

Sophisticated bot operators often employ techniques shared between moderate and advanced bad bots to evade detection. These evasive bots use complex tactics like cycling through random IPs, entering via anonymous proxies, defeating CAPTCHA challenges, and more to circumvent bot management solutions.

Bots accounted for nearly half of all traffic within the travel industry in 2023. That situation could worsen as consumer demand for travel grows and bot operators target loyalty rewards programs, carry out account takeover attacks, or commit fraud. To mitigate these threats, Imperva recommends several strategies for IT security teams.

First, organizations must identify risks through advanced traffic analysis and real-time bot detection. Understanding exposure, particularly around login functionalities, is crucial as these are prime targets for credential stuffing and brute force attacks. A comprehensive security strategy should encompass all digital touchpoints, including APIs and mobile applications.

Imperva suggests several quick wins, such as blocking outdated browser versions, restricting access from bulk IP data centers, and implementing detection strategies for signs of automation, like unusually fast interactions. Regular monitoring for traffic anomalies, such as high bounce rates or sudden spikes, can help identify bad bot activity. Additionally, analyzing suspicious traffic sources, like single IP addresses, can provide valuable insights.
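As an added illustration (not code from Imperva or its report), the sketch below applies three of these quick wins to access-log records: outdated browser versions, data-center source addresses, and unusually fast interactions from a single IP. The thresholds, the placeholder network range, and the sample records are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed policy values (not from the report); tune them to your own traffic.
MIN_CHROME_MAJOR = 110          # Chrome majors below this count as outdated
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range
MIN_HUMAN_GAP_S = 0.5           # gaps shorter than this look automated
FAST_GAPS_TO_FLAG = 3           # short gaps tolerated before flagging

UA_NEW = "Mozilla/5.0 Chrome/124.0.0.0 Safari/537.36"
UA_OLD = "Mozilla/5.0 Chrome/72.0.3626.0 Safari/537.36"

# Constructed sample records: (epoch seconds, client IP, User-Agent).
SAMPLE_LOG = [
    (100.0, "198.51.100.7", UA_NEW),
    (100.1, "203.0.113.50", UA_NEW),   # inside the placeholder hosting range
    (100.2, "192.0.2.9", UA_OLD),      # outdated browser version
    (101.0, "192.0.2.44", UA_NEW),     # burst of four requests in 0.3 s
    (101.1, "192.0.2.44", UA_NEW),
    (101.2, "192.0.2.44", UA_NEW),
    (101.3, "192.0.2.44", UA_NEW),
    (109.0, "198.51.100.7", UA_NEW),   # human-paced second request
]

def flag_clients(records):
    """Return {ip: set of reasons} for clients matching any heuristic."""
    reasons = defaultdict(set)
    last_seen, fast_gaps = {}, defaultdict(int)
    for ts, ip, ua in sorted(records):
        match = re.search(r"Chrome/(\d+)", ua)
        if match and int(match.group(1)) < MIN_CHROME_MAJOR:
            reasons[ip].add("outdated_browser")
        if any(ipaddress.ip_address(ip) in net for net in DATACENTER_NETS):
            reasons[ip].add("datacenter_ip")
        # Count consecutive-request gaps too short for a person clicking.
        if ip in last_seen and ts - last_seen[ip] < MIN_HUMAN_GAP_S:
            fast_gaps[ip] += 1
            if fast_gaps[ip] >= FAST_GAPS_TO_FLAG:
                reasons[ip].add("fast_interactions")
        last_seen[ip] = ts
    return dict(reasons)

if __name__ == "__main__":
    for ip, why in sorted(flag_clients(SAMPLE_LOG).items()):
        print(ip, sorted(why))
```

Flags like these are signals for review or challenge rather than proof of automation, since legitimate users can also arrive from hosting networks or older browsers.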

As bot technology advances, especially with AI, distinguishing between good and bad traffic will become more challenging. Therefore, Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for the travel industry.
