
Why Bots are a Growing Problem for Airline Ticket Sales
- Yasmin Duggal, Cybersecurity Content Specialist, Netacea
4 minutes read
In the wake of the pandemic, airlines are fighting back against challenges from all directions this year. Many have banded together to protest government orders around banned routes, Covid testing and post-travel quarantine periods.
International holiday-going in 2021 has become an unappealing prospect for many, due to the added expense and inconvenience imposed by Covid restrictions.
As if conditions weren’t challenging enough for the aviation industry in 2021, there is another factor disrupting their ability to sell tickets: a huge uptick in bot traffic and business logic attacks.
Pricing scraping on airline websites
The airline industry is one of the most heavily targeted by bot operators. It’s common for automated traffic to account for over half of all activity on airline websites. In some cases, this can peak at over 90%. The bots that typically target airlines are also typically more advanced that those targeting other industries.
This is in part because pricing is so competitive in the airline industry, not just from airlines but also from third-party vendors and price aggregators. Airline tickets are also a valuable commodity, much like luxury goods or concert tickets. This drives up scraper bot activity, where bots continually send requests to airline websites to collect up-to-the-minute pricing and availability information.
Sometimes this is done to undercut a competitor, however scraping is not always malicious in intent and could be part of a commercial partnership with resellers. Whatever the intention of the scraper bot operator, this activity adds expensive overheads to infrastructure.
Operating costs are a key concern for airlines now more than ever. Although most airlines have scaled down their operations significantly and are only now beginning to resume pre-pandemic flight schedules (Heathrow Airport recently reopened its second runway and third terminal), profit margins are still extremely tight. Maximizing the look-to-book ratio and keeping excessive price scraper bot traffic to a minimum helps to reduce infrastructure spend.
As well as being expensive to serve, these bots create performance bottlenecks, making websites sluggish to respond to genuine customers. Slow pages lead to lower conversion rates and a weaker look-to-book ratio, meaning less tickets sold.
Spinner bots and denial of inventor
Another business logic attack commonly launched against airlines is denial of inventory using spinner bots. Spinning is the act of adding items to an online basket, thus removing it from being available to other customers. When this is done at high volume using bot automation, all the available stock appears to be depleted, disrupting sales and moving customers away to competitors. The spinner bot will then empty its basket without completing the purchase.
For example, on an airline’s or third-party online travel agent’s website, bad actors use bots to reserve seats on flights. The bot reserves the seats for up to 20 minutes, during which time genuine customers perceive there to be no availability left on the flight, and the perpetrator attempts to sell the seats on for a profit. And repeat.
This is done by bad actors for several reasons, including:
- Generating high and fast profit off the back of a fairly low risk opportunity
- Defeating the competition by sending customers to a rival website
- Disrupting availability by making an application unusable as part of an application-layer denial of service attack
Account takeover on airlines
Bots also used hijacked accounts to undertake scraper, spinner and other attack types, often controlling many stolen or mass-created accounts from one centralized point. An aggressive and sophisticated credential stuffing attack will bombard airline website login pages either with known (or stolen) credentials or attempt to crack a huge volume of credentials through brute force. Either method creates tremendous strain on the server and badly damages the look-to-book ratio, as well as skewing other analytics.
Once in control of user accounts, bot operators can seize air miles or loyalty points, which can be worth hundreds of dollars, for resale on forums and the dark web. The impact of losing saved payment details and PII to threat actors is both financially and reputationally damaging. In fact, 85% of travel businesses surveyed by Netacea in 2020 said a credential stuffing attack represented the greatest risk to their business.
Protecting airlines from bad bots
Bad bots are getting more sophisticated and have already homed in on beleaguered airlines as the pandemic begins to improve.
The best way to combat bot threats and distinguish them from genuine users is to analyze the intent of all your web traffic in real time. Netacea Bot Management, powered by Intent Analytics™, uses AI and machine learning to stay one step ahead of ever-changing bot attacks targeting the travel industry.
Find out how much bots could be costing your travel business with Netacea’s bot calculator.
Subscribe and stay updated
Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.
By registering, you confirm that you agree to Netacea's privacy policy.