As more consumers return to travel, cyber criminals are also upping their activity, taking aim at both travelers and travel companies.
According to a new report from Bitdefender, travel-themed phishing campaigns are landing in consumers’ inboxes in increasing numbers.
The company says the rate of travel-themed spam increased from 19% in March to 44% in April.
After a slight drop in May to 37%, the report says: “The rate of holiday phishing lures is likely to peak once again in June.”
With airfare and accommodation costs rising, the digital con artists are hoping consumers searching for last-minute deals will unwittingly click on fraudulent emails with subject lines referencing deals and giveaways, then be duped into giving up personal information or installing malware.
In many cases, threat actors use well-known brand names to gain access.
“Our antispam and antimalware filters also flagged a particular malicious campaign where the spammers impersonated popular international hotel chains and tour operators to deliver credential‐stealing trojans. Names of impersonated brands include Accor Hotels, Panorama Tours, Meritus Hotels and others,” says Bitdefender’s report.
On the other end, travel and hospitality companies are also facing attacks.
According to PerimeterX, malicious web-scraping bots “are not only pervasive but also increasingly sophisticated.”
The company says its system stopped three attacks on “two of the most well-known consumer online travel agencies” during April and May.
In the “Itemization Attack” on April 24, bots used the site’s search engine to scrape itemized product and pricing information, using a different fingerprint for every request. The next day, a similar attack hit another OTA at very high volume: malicious requests made up the majority of traffic during a 24-hour period, and the attack continued for more than a week.
“This example demonstrates just how high malicious traffic can become during attack periods. Online travel and hospitality businesses must have the technology and infrastructure in place to balance the load and maintain website performance during traffic spikes,” says Itay Binder, cyber security research manager at PerimeterX.
In a third attack on 14 May, bots tried to scrape reviews and testimonials from the same OTA struck on 24 April. The traffic totaled more than one million requests to more than 180,000 different paths, with malicious requests reaching 92% of total traffic to reviews endpoints.
“Although it may seem odd that the bots did not attempt to scrape product or pricing data, we can identify two potential reasons for such an attack. One is that a competitor was stealing reviews to make their site look more legitimate. Two is that a cybercriminal was trying to trick people looking for the original travel site to visit a fake one instead. Not only does this type of attack take away your competitive edge, it can also damage your SEO rank because search engines penalize duplicate content,” Binder says.
Research from Imperva has also uncovered fraud concerns related to attacks using bots, with travel the top-targeted industry.
According to Imperva’s 2022 Bad Bot report, these malicious applications accounted for 27.7% of all global website traffic in 2021 – and even higher in travel at 31% of traffic to industry websites.
Account takeover (ATO), where bots are used to run a list of stolen credentials against a login page or perform mass guessing of passwords, increased 148% in 2021. Travel was the second-most-targeted industry for this type of attack after financial services.
“The implications of account takeover are extensive; successful attacks lock customers out of their account, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations and tarnished reputations,” says Imperva’s report.
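The two account-takeover patterns described above (replaying a list of stolen credentials versus mass guessing of passwords) leave different shapes in login logs, and a defender can tell them apart by how failed logins are spread across accounts. The following is an added example, not code from Imperva or from this article; the event format, addresses, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source, username, succeeded).
# "source" is whatever key the site can attribute traffic to (IP, device ID, ASN).
def sample_events():
    events = []
    # Source A: one attempt each against 40 different accounts (stolen-list replay).
    for i in range(40):
        events.append(("203.0.113.10", f"user{i}@example.com", i == 7))
    # Source B: 30 passwords tried against a single account (mass guessing).
    for _ in range(30):
        events.append(("198.51.100.5", "alice@example.com", False))
    # Source C: an ordinary user who mistypes twice, then logs in.
    events += [("192.0.2.44", "bob@example.com", False)] * 2
    events.append(("192.0.2.44", "bob@example.com", True))
    return events

def classify_sources(events, min_failures=20, spread_ratio=0.8):
    """Label each source by the shape of its failed logins.

    credential_stuffing: failures spread over many accounts, about one try each.
    password_guessing:   failures concentrated on a few accounts.
    Thresholds are illustrative assumptions, not tuned values.
    """
    failures = defaultdict(lambda: defaultdict(int))  # source -> username -> failed tries
    hits = defaultdict(set)                           # source -> accounts it logged into
    for source, user, ok in events:
        if ok:
            hits[source].add(user)
        else:
            failures[source][user] += 1
    report = {}
    for source, per_user in failures.items():
        total = sum(per_user.values())
        if total < min_failures:
            label = "normal"
        elif len(per_user) / total >= spread_ratio:
            label = "credential_stuffing"
        else:
            label = "password_guessing"
        report[source] = {"label": label, "failed": total,
                          "accounts_tried": len(per_user),
                          "succeeded_as": sorted(hits[source])}
    return report

if __name__ == "__main__":
    for source, row in classify_sources(sample_events()).items():
        print(source, row)
```

For a source labeled `credential_stuffing`, the `succeeded_as` list is the set of accounts to treat as taken over: force a password reset and review recent activity on each.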