Airlines seeing increased sophistication in bad bots: Report

Automated bots that hammer away at websites with credentials stuffing and other attacks are a challenge for any company.

But if an analysis of customer data from a security vendor is accurate, airlines are the second most common industry targeted by bad bots, with just under 44 per cent of their traffic coming from this vector. Gambling is number one target of bad bots, according to a report released Wednesday by Distil Networks of San Francisco, accounting for about 53 per cent of their traffic. The financial and healthcare sectors are almost tied with about 24 per cent of their traffic.

And, according to the numbers, the sophistication of bad bots seen by airlines is increasing.

Bots discovered by industry. Distil Networks graphic

What makes the problem worse for the airline sector is it also has to deal with so-called “good bots” from competitors, aggregators (like Kayak or Skyscanner) or online travel agencies, which may legally be allowed to scrape websites for flight information and fares.

“Bad bots,” of course, will try to break network defences to take over loyalty programs and steal points to buy goods elsewhere as steal credit card data. But “good bots” can also cause damage by sometimes holding seats to block real purchases, thus encouraging would-be buyers to go to other sites, and, in the case of aggregators, “seat spinning” to hold seats for resale.

In addition, bots from online travel agencies and competitors skew airline business important metrics

“In recent months, airlines have faced an uptick in nefarious activity by bad actors, a sign that this industry is ripe with information that can be used for monetary gain or to wreak havoc,” Mike Rogers, vice-president of Services at Distil Networks, said in a release.

The numbers come from an analysis of traffic of 180 websites of 100 airlines — at least one of which was Canadian-based — that used Distil’s software during a 30-day period over the summer.

On 51 of the domains, bots accounted for greater than half of all traffic. Eighty per cent of these domains of these were from medium and large traffic sites.

Across all industries, bad bots accounted for 21.8 per cent of network traffic. By comparison, 43.9 per cent of network traffic of airlines come from bad bots.

One attack on a European airline’s loyalty program during the 30-day study period was typical: Six volumetric credential stuffing attacks which lasted on average from 30 to 90 minutes, said the report. The largest attack saw about 50,000 login attempts and lasted three and a half hours. “Compared with similar attacks which are much larger in volume and duration, it is safe to assume that this bot operator was trying to avoid being too noisy for too long to evade detection,” the report adds.

The U.S. is the leading source of bad bots on airlines, responsible for 25.58 per cent of this traffic. Singapore is in second place with 15.21 per cent and China is third with 11.51 per cent. Bad bots from Canada account for 1.26 per cent of traffic.

Nearly a third of bots on airlines were classified as sophisticated. Only 15.7 per cent were described by analysts as simple bots. The remaining 52.9 per cent were described as moderately sophisticated.

The sophistication level of bots on airlines is significantly higher than in an earlier report. In that research, 19.7 per cent of bots on airlines were sophisticated compared with 31.4 per cent now. “This increasing sophistication is explained by the arms race at play between bot operators and bot detection technology. Once bots are detected and blocked, the challenge to the bot operator is to create another bot to achieve the same goal. Because the financial viability of unauthorized OTAs [online travel agencies] and aggregators is based upon bots scraping airline data, the cycle continues ad infinitum.”

Recommendations for blunting the use of bad bots — which can apply to any organization — include

–protecting exposed APIs and mobile apps;

–monitor traffic sources. High bounce rates or lower conversion rates from certain traffic sources can be signs of bot traffic;

–blocking outdated browsers, because many bots attempt to hide in plain sight by impersonating a browser. Almost half of all bots claim to be Google Chrome. Next is Firefox with 15.2 per cent;

–block traffic from hosting and proxy services commonly used by bots;

–monitor for failed login attempts, particularly noting anomalies or spikes. But note ‘low and slow’ attacks can be used to fly under the radar;

–investigate traffic spikes;

–pay close attention to publicly-reported data breaches, because newly stolen credentials will quickly be loaded into bad bots.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now