-Pricing availability strings.
-Lost competitive advantage
-Lost control of the customer
-Aggressive scraping can lead to severe performance issues.
– For example, so trip, search times, which has really negative effects on the customer experience and customer retention
– Potentially impacting SEO ratings.
– Real risk that all of these extra requests are causing issues with 3rd Party services,
– Increased costs and service availability.
Account takeover, which is typically done via credential stuffing.
This is often used to abuse loyalty programs, which can lead to the loss of real money balances, air miles, as well as after PII data.
Ticket spinning.This is where the tickets are held for a period of time to generally see if the bot writer or can sell them on a higher margin.This blocks real users from being able to purchase and can be used as a type of denial of service attack.
Impact Upon Shuttle & Ride Share Companies
Traffic Surge.Paid media traffic to websites as it ramps up in hours & days the prerequisite when you’re in that situation is having the server bandwith management in place to be able to process the traffic effectively and quickly.
Digital marketing is reactive to PR
journalists love talking about the travel industry right now in terms of key trends and advancements, which can bring in some amazing PR opportunities on high authority at newspaper websites, their sites like the guardian and the BBC for example.
When those surges come out where there’s high intent to buy and allow the website to transact and to sell at the upper limit without having any sort of restrictions in place, because it’s in those situations where you can really make an improvement in terms of overall cash flow.
Bot Specific Issues For Travel
we don’t see that there’s going to be a huge difference from what we were seeing in previous years, pre COVID,
Many of the bots diversify and start targeting other organizations e-commerce has been a popular choice for some of the groups.
You know, we, we don’t really see much in the way of suggestions of changing these sorts of tactics, techniques, processes, their TTPs that we’re expecting them to use.
So really we’re expecting the same threats in 2021 as in previous years, you know, that’s sort of the, the really sort of top three:
– price availability scraping
– denial of inventory
– your typical Account Takeover (ATO) attacks, things like:
– – credential stuffing, cracking and
– – phishing.
Expect in the Future
– Increase in volume
– Increase in Speed
– Increase in Sophistication
web scrapers are generally used to gather information off the internet.
They’re used across a wide variety of industries. It’s the same tools being used to hit e-commerce or gaming sites as it is the travel industry.
Price & Availability Scraping
price availability scraping
Travel industry, these sorts of information, this, our attack, our adversaries are after things like: price information, the cost of hotels, the cost of flights, uh, the cost of bookings, cost of holiday packages, all of that information, and also the availability they want to know who has what sorts of available.
This sort of scraping generally is going to be by aggregate sites, many of whom are partners that they’ve allowed and some significantly less so of the whole.
You also get rival companies potentially scraping, looking for sort of discrepancies opportunities for them to maybe undercut you, or maybe to see if you’re ultimately pricing things very, very low bit business intelligence information.
Scraping Mimics Human Behavior
price availability scraping
Uh, you see, there’s a quite significant number of requests going to this travel company over the course of, uh, over the course of about eight days there.
And on each day you can see a certain hiccups at certain times. So it looks like the sort of hiccups tend to be during the daytime.
So I was seeing hiccups during of the day, presumably when people are awakened, it drops off late at night.That’s the sort of thing you’d expect from humans.
But if you look at the orange line there, you see that the scraper is actually, mimicing that human behavior quite well.
These scrapers are the they’re often trying to mimic human behavior. That’s it comes back to that point on sophistication, these adversaries are going to try and hide their activity within your sort of standards, standard sorts of behavior.
Uh, they’re going to do what they can say, try and make it look as human as possible.
Increasingly we see more and more advanced bots, not just of the scraping variety, but of all varieties for scrapers as well, which traditionally have been a very simple sort of, we’re going to do say 10,000 requests every hour forever.
Now bots are starting to sort of Much more recently, bots are starting to be a bit more specific, possibly rotating IPS as well to try and to make it less clear that all that information is going back to the same place.
They’ll sometimes use behavioral analytics, they may move the mouse, or not make requests that are more inconsistent over that timeframe.
There’s all sorts of different tricks they can use to try and bypass this sort of simpler detection controls, which, uh, really kind of brings us onto the risks on the next slide then….
Rivals gather business intelligence
Used to inform other bots (spinner bots) or denial of inventory bots which leads to future attacks
By stopping them here at the scraping stage – breaks the chain now (it’s harder to break the denial of inventory bots)
You know, if you’re looking at, you know, how many people are looking at this at destination, how many people looking at this hotel, how many people are looking at this flight.. you might be guessing an inaccurate number of people viewing that information.
Negative Impact Upon User Experience and Website Performance and SEO
From an SEO perspective, Google is committed to ranking websites higher, the other better user experience and in the example of a user connecting to a website via a smartphone with a 3g or 4g connection, and the page loads slowly, creating a poor user experience say, if the load speed and stability of the page is impaired by bot activity, then that would impact negatively on vital scores, which is set to be Google’s latest blueprint for the ranking signals from June, 2021.
So certainly from an SEO perspective, this is going to be growing in importance.
Then obviously there’s the, the overall sort of user experience, which for the holiday travels, it’s quite quite a big decision they turn to to book travel, which website, which provider, which travel company you go with and any little sort of thing that could cause friction in terms of an instability of a web page load, you could lose that sale.
Denial Of Inventory Attacks
Denial of inventory attack.
And this is the sort of attack we see the performance by what we call a spinner bot, but essentially in a denial of inventory attack or a DOI, essentially what an adversary is doing, is they’re going to hold an item from stock (inventory) , but they’re not going to actually complete the purchase.
Now, this is seen again across multiple industries but most commonly done in the travel industry
Denial of inventory attack.
Start at the top cycle
It tries to pretend to be a customer and it creates a reservation once it gets through that, it starts setting it all up and it gets right to the point of payments at which it holds.
At this point, the reservation is going to be held for that customer where this case, generally 20 minutes, I believe.
And in that 20 minute period the adversary is going to look to try and resell that booking.
So they’ll go onto other sites, they’ll list this up at a site to be marked up price. So if the flight is say 50 pounds, they will go off to another site and maybe advertise it at 55 or 60 pounds.
They’ll have multiple bots going through this process of once, if they aren’t able to complete it, if they weren’t able to resell this in that period, the reservation will drop out of their basket.
So let’s say 20 minutes, they aren’t able to resell it. So the bot that has sort of failed in its intended purpose. Unfortunately not quite that simple, really the bot will act faster than any human can react to essentially restart the whole circle.
You go right back to the start of the reservation process and pick it up and try and get, alternatively attacker may have multiple bots running at once, often across multiple sites like booking loads of these reservations.
Those, those are different reservations trying to sell them all at the same time. So it’s quite intensive on the reservation system in many ways, but it also sort of locks out the humans from being able to make their bookings on that site potentially, they have to go to a third party site where the resale is being offered.
Eventually the attacker will presumably be able to sell it on the resale side of the box at price, at which point the bot will simply complete the reservation with the details provided by the actual customer.
This essentially creates a window through which they have to jump through to complete that booking.
Attackers are very financially motivated, they’re really driven by the profitability of these actions. Acquiring this inventory is really quite low risk, but it can be a very high yield opportunity. It’s great way to make fast cash, you know, even if it’s only 10 pounds, but if they’re selling 50 a hundred tickets, they’re probably going to be turning quite a significant profits.
Every single time they run through this iteration on every single trip, every single flight, any single sort of hotel book and make it really make quite a bit of profits at very, very low risk.
It can also be used to send customers from a competitor’s website to your own
Real world impact
So people protect your brand reputation could be damaged. People could get annoyed at you because you never have availability. You never have availability for the flights they want, you never, ever availability for the hotels.
If someone would looks up all your inventory without completing it and just keeps holding out of reservation area. It’s possible that your customers see there’s no availability for that site, for that location, for that trip, whatever it is… there’s no availability for them.
And so they’ll go to your competitor.
And of course your competitors will have availability. So your customers will see them as the only vendor with availability. And so they can then charge a premium for the fact that they’re the oly ones with availability. these sorts of things unfortunately do do happen.
It doesn’t cause so much direct damage to, to the organization’s websites, the web application or to an API or anything like that.
It does, however, introduce some sort of level of business risk. So it comes down to businesses protecting their bottom line by thinking about the overall image of the business, protecting their reputation.
Customer experience as well. If I find, there are companies they’ve never got flights available. You know, I’ve checked them three, four times the last three or four times I’ve flown, they’ve never available.
I won’t bother checking them. I’ll go to that competitor instead, you know, it’s very easy for, as a customer it’s afforded to those mindsets.
Absolutely. I think we all have those mindsets and it’s not exclusive to travel either. We’re quite flighty, beavers, terribly disloyal.
account takeover, your ATO attacks, these are very frequent All across all industries.
Everything from streaming services to health care to ecommerce to gaming sites.
If you have a login page, someone’s going to be attempting an account takeover on you.
That’s just scammers that hits every login page on internet
The first is Credential Stuffing
where an attacker has credential pairings often from a third party data breach.
So let’s say some streaming service has a data breach and username and password combinations are linked. So these attackers will load these up into a credential stuffing tool stick in the config specific for your website and fire it off at your website.
let’s say they take a hundred thousand from the streaming service, known user name and password combinations, and they’ll fire them against your login page, username password, and see which ones work.
And even if they only succeed, say a hundreds or a thousand times, they’ve managed to take over a large number of accounts.
In many ways the targeted organization is not really at fault. They’re sort of a victim as well.
So the customers reuse that username and password against sorts of best practice advice. Uh, they’ve used that username and password and across multiple services and a third party organization is the one who actually leaks that data.
So the victim organization in this attack, uh, it feels a bit bad to blame them in any way, though. It generally a public, they do tend to get blamed. you see these headlines all the time, you know, thousands of accounts on site “x” have been taken over by attackers.
The first is Credential Cracking
Credential cracking is similiar to Credential stuffing, but it’s where they only know say the username but not the password, So they’ll try and guess the password. Instead.
Other ways attackers try to get access to user accounts
Targets – What Attackers Do With Data
what they’re really after is a number of different things.
So you’ve got your typical air miles and loyalty points. Those are a pretty significant concern for many organizations,
but attackers use them often, they’ll user whatever the bonus is to make purchases on a third party site, that makes it really hard to repatriate those points back to the original loader
the attacker usually gets away scott free very very quickly.
They may also try to make purchases with saved payment details. Um, that’s what you have. Someone saved a credit card onto, onto your size.
They may also try to make purchases with saved payment details. Someone saved a credit card onto, onto your site. You know, the attacker takes over the account. They can use that saved those saved payment details to make purchases.
PII personally identifiable information
This one is very concerning, really more and more. We see these config files. They’re part of the credential stuffing tool when an account is successfully taken over the tool automatically dives into the account, basically rips out all of the personally identifiable information and exports that off to the attacker to be saved in a separate file elsewhere.
And it can be used in future attacks.
PII Breach Long Lasting Brand Reputation
And the negative impact that it has from a brand perspective was quite damning they get trolled online on social media sites, but then also within the trade.
the negative connotations in terms of something like that can go viral the wrong way in sense of negative PR, but then also within the trade, it’s also quite a long lasting.That type of thing could be massively damaging, you know, during the pandemic brand reputation it’s been proven to be more key than ever, particularly a household name that as account takeover reflects up them in the wrong ways from the consumer perspective.
There’s also secondary impact. Aren’t directly thought about what you think of account takeover, and that’s more around sort of fixing the issue.
Let’s say you get a a hundred thousand account takeover attempts is really low they’re often in the millions.
So as success rates would say, 1% may compromise say 1500 accounts
If it takes five minutes to repatriate each of those accounts to contact the account owners and get the customer service rep on the phone with the customer whose phoned in to ask, Hey, what the hell is going on with my account?
You get all of these that customer service rep who each spends five minutes trying to repatriate the account. It’s not a huge amount of their time but multiplied by 1500 accounts that starts to add up significantly.
And it is happening on a regular basis. You know, you’re, you’re employing a load of staff basically just to put out the fires being started by these types of attacks.
To give you an idea, if this was scale of these attacks, if you look at the next slide, um, what you can see here is too large, first credential stuffing coming from a single source.
So we have our lights blue, uh, on here, which is our other traffic and our dark, uh, which is the credential stuffing. you can see as over the period of about 17 minutes in two separate 17 minute bursts, there was a huge uptake in the amounts of traffic.
This was caused exclusively by the credential stuffing. The attacker trying and thousands and thousands of thousands of username and password combinations.
Um, I’d give you an idea of what about w what happens with they actually compromise an account. We look at the next slide.
So this shows the amounts of activity coming from a single single source, single connection.
So it tries to get into the account. It’s trying to crack the password up until that lovely orange dots at the top of the first uptake that, uh, where it says user account breached.
So the account got correctly cracked at that point. So they attacker got in.
10 minutes later, you can see there were a number of calls to the transaction request page.
So within 10 minutes of compromising this account as part of a much broader attack, the attacker was in that trying to make purchases with the saved payment details.
They, these guys, you know, they don’t wait around. Even if you use measures like sending an email saying, Hey, “you’ve looked in from a strange location, please click here to confirm this was you.”
I don’t check my email personally. I don’t check my email regularly enough to be able to respond to that sort of thing within 10 minutes.
Uh, certainly not less than 10 minutes, which is what I need to, if this were my account.
So if my account got breached it, I got an email I’d of had to respond within five, six, seven minutes, and also getting at sort of look the attacker out of my accounts before they start making purchases with my saved payment details.
So, you know, these attacks are really Rapid. These attackers aren’t hanging around to use the information later, they’re jumping straight in there as soon as they comprise the account, they’re extracting the personally identifiable information and they are basically trying to make purchases really, really quickly immediately after compromising the accounts. They try to extract as much value from the accounts as they can.
Damage Account Takeovers Cause
Google Page de-indexing
Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers, mailing or email address, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII considerably.
Ticket spinning.This is where the tickets are held for a period of time to generally see if the bot writes or can sell them on a higher margin.
Denial Of Service Attacks. Lipsem orem text
Denial Of Inventory Attacks. Lipsem orem text
Tactics, Techniques and Procedures (TTPs).
Account Takeovers (ATOs).