The travel and hospitality sectors are a major target for bot and credential abuse attacks, with attack patterns suggesting deliberate targeting by organised cybercriminals, according to research from Akamai.
The company’s Summer 2018 State of the Internet / Security: Web Attack report, which provides an analysis of the current cloud security and threat landscape using data gathered from across Akamai’s global infrastructure, showed that the travel and hospitality industries are the targets of a disproportionately large number of certain types of attack, relative to Akamai’s customers in other industries.
One of the report’s findings is that five out of six attempted logins on hospitality-sector websites use fake or stolen credentials, with hotel and resort websites experiencing the most credential abuse connections of any of Akamai’s customers.
In addition to the unusually high volume overall, particularly between November 2017 and February 2018, several individual spikes in malicious login attempts were observed – the most visible taking place in the first half of November and around mid-January. After February, however, Akamai observed a significant drop in malicious traffic, which it attributes to the closure of several routes.
Travel companies, however, were more likely to be targeted by bots – and one specific niche more than most. Over the six months prior to the report, Akamai reports that it captured 50 billion bot events targeting cruise line companies. Airlines and hotels experienced less than half this volume, but still a disproportionate number.
Strikingly, the researchers also observed that the source of these attacks was far more specific than for Akamai’s customers as a whole. Attacks targeting the hotel and travel industries came primarily from China and the Russian Federation, though attacks coming from Indonesia also made up a larger proportion than they did of attacks on all industries. The report also notes that approximately half of the credential abuse traffic coming out of Russia, China and Indonesia is aimed at these sectors, with hotels, cruise lines, airlines and travel websites being the main targets.
The researchers offered a few explanations for these patterns. The first, and perhaps the most convincing, is that organised criminals were deliberately targeting the travel and hospitality sectors. Because these industries process a significant volume of fairly high-value transactions, and hold valuable payment and personal information on customers, it makes sense that they would be targeted. Akamai’s report also pointed out that point-based rewards systems may be tempting targets, as they have substantial monetary value and are difficult to track if compromised.
An alternative theory they proposed is that a small number of criminals, each generating hundreds of millions of malicious login attempts, is responsible, as opposed to a large, organised group. However, they deemed this theory unlikely, and noted that their data did not show a distinct pattern which would support it.
The report also emphasised that the perceived source of malicious traffic does not necessarily represent the nationality or even the location of the actors involved – particularly when it comes to bot traffic. A large number of attacks seemingly originating from Russia, China and Indonesia – for example – may simply indicate a large number of compromised systems in these regions.
The report also provides a substantial amount of detail on attacks overall, with particular focus on DDoS attacks – including discussion of a new record set by the largest DDoS attack of the year, clocking in at 1.35 Tbps. The full report, along with an executive summary, press release, infographic and two blog posts, can be found here.