The travel industry, and airlines in particular, have a war on their hands as they try to advance in e-commerce. Bad actors who run bot armies across the world are exploiting airline websites and mobile channels for profit.

As a new report from Distil Networks reveals, the actions of bad bots can have a significant negative impact on an airline’s business. Bad bot activities include fares scraping, fraud, theft, and denial of inventory attacks—in which bad bots tie up available inventory with fake bookings.

Defining the threat level

Distil Networks has created an industry-standard classification of bots by threat level, which breaks these down into four distinct categories of threat.

• Simple – Connecting from a single, ISP-assigned IP address, this type connects to sites using automated scripts, not browsers, and doesn’t masquerade as being a browser.
• Moderate – More complex, this type uses “headless browser” software that simulates browser technology—including the ability to execute JavaScript.
• Sophisticated – These bad bots mimic human behavior and are the most evasive. They can produce mouse movements and clicks that fool even sophisticated detection methods. They use browser automation software, or malware installed within real browsers, to connect to sites.
• Advanced persistent bots (APBs) – These combine moderate and sophisticated technologies and methods to evade detection while maintaining persistency on targeted sites. They tend to cycle through random IP addresses, enter through anonymous proxies and peer-to-peer networks, and are able to change their user agents.

Of the bad bots that work by impersonating real visitors on browsers, 72.4% mask themselves as using Chrome and Firefox.

Airlines are prime targets

Among travel companies, airlines are most affected by bad bot attacks. Airlines rank second only to gambling sites as targets of bad bot actors among all industries—43.9% of airline website traffic is bad bot traffic. Airlines rank third among the targets of sophisticated bad bots, with 19.7% of traffic coming from this category of actors. Travel sites rank fourth, with 19.1% of their traffic coming from sophisticated bad bots.

(Click on the image to open a larger version in a new window)

Distil explains:

“Airline prices are scraped not only by direct competitors but also by third-party players in the expansive travel ecosystem. Unauthorized online travel agencies, competitors, price aggregators, and metasearch sites use sophisticated scraping bots to abuse the business logic of booking engines.

Querying for any ticket they can sell, they skew look-to-book ratios, increase GDS transaction costs, and are responsible for site slowdowns and downtime—causing customer dissatisfaction during disruptions. They dynamically package seat inventory with other products, stealing direct and ancillary revenue. And, they insert their own email addresses into reservations, thereby taking control of remarketing opportunities.”

Tnooz spoke with Anna Westelius, senior director of security research for Distil, who explained that this bad bot activity not only affects inventory and raises operating costs but also damages an airline’s reputation.

“It’s not just an oversold problem, in terms of assuming how many tickets are actually sold, the bot tickets are sold to consumers eventually. But those consumers don’t get the flight information updates from the airline.”

Customers may show up for flights that have been cancelled or delayed, and they will blame the airline for not giving them accurate updates, even if the airline doesn’t have a clear record of the passenger’s booking.

In other cases, seats could be booked and not sold on to humans. Historically, airlines have sold seats beyond the flight capacity in order to work around “no-show” passengers, but a high percentage of bot sales adds a layer of uncertainty. If these sales were converted to real ticket holders, then there may be too many people showing up for a flight and the airline will have to pay people not to board. If airlines don’t overbook, they may end up operating a flight with too few passengers onboard.

As more airlines follow the lead of the low-cost carriers in offering unbundled tickets with ancillary sales options, bots can also negatively impact ancillary revenue. They can also result in dissatisfied customers believing that options such as baggage were included in their ticket because they bought through an illegitimate OTA that did not make the airline baggage policy clear at the time of booking.

Frequent flyer account fraud is also carried out by bot actors. Distil reports that airlines suffer from mileage account takeover issues, with bad bot operators trying to access user accounts and drain their mileage balances.

Where bad bots reside

Most (45.2%) of bad bots reside in the US because of the greater availability of affordable data centers and because a US origin IP address helps make their attacks more effective.

Distil reports:

“The weaponization of data centers accelerated in 2017 with 82.7% of bad bot traffic emanating from data centers—a 37% increase over 2016.”

The bot operators are not necessarily located in the same countries as their bot armies—they may be anywhere around the world, but having an American IP address means they are less likely to be blocked.

• 7% of bad bots reside in data centers
• 5% of bots reside in China.
• France has recently risen to third place (9.9%) because of the cheap hosting available

Mobile bad bots

Bots are not exclusively a desktop problem. In fact bad bot herders operate both on desktop and mobile and will move to mobile ISPs when they find their data center traffic is blocked. This is despite the fact that moving to mobile is more expensive, but the rewards make the expense worthwhile.

Most (93%) bots operating in this space falsify smartphone request formats. A smaller percentage (1.2%) will use mobile emulators—which are used on PCs to test and emulate mobile apps.

Westelius tells us:

“If you’re an airline and you have a website maybe you can protect that well, but as long as you also have a mobile app the attacker is there. Then it becomes a much more complex problem and most of the airlines that we talk to have found that it’s much too difficult to tackle on your own and it requires a dedicated solution.”

The rules of engagement

Regrettably, there are no easy solutions to bad bot actions. The most effective defense is to make attacking your site and mobile apps more expensive than others and to contract expert help.

As Westelius says:

“It is a constant arms race. I don’t think that there will be one solution that will be able to solve all of these problems. With continued effort, not only in building better solutions but also helped by legislation and policy, I think we can get to the point where we can keep these attacks at bay. What we try to do with our individual customers is that the more friction that you introduce, the more cost it is for an attacker.  The more costly it is to them, they have to do a cost-benefit analysis.”

“We’re past the infancy of bots now. We’ve been doing this for quite some time and it’s really reached a time where I think we need more controls in a more widespread way.”