HUMAN Blog

Web Scraping Bots Continue to Threaten the Travel and Hospitality Industry

Web scraping has increased 240% YoY, according to the 2022 Automated Fraud Benchmark Report. Although scraping bots hit virtually every site in existence, most companies consider them to be a mild annoyance that’s just the cost of doing business online. But web scraping is a problem that travel and hospitality companies can’t ignore.

The HUMAN Satori Threat Intelligence and Research Team has uncovered three noteworthy web scraping attacks on two of the most well-known consumer online travel agencies.

1. The Itemization Attack

In this attack, bots attempted to use the application’s search engine to scrape itemized product and pricing information. This bot used the search engine URL structure in order to reach as many listings as possible in a short period of time. The scraping bots entered different request parameters in the application search engine to reveal site content, reaching a different search results page each time. This allowed the fraudster to disguise the attack in legitimate traffic and make it quite difficult to detect.

What made this attack unique was the highly distributed nature of the price scrapers’ characteristics. Less sophisticated attacks might produce a similarly high volume of requests, but each one would have the same fingerprint. This makes the attack easier to detect and block. In this attack, however, every single request had a different fingerprint.
The Itemization Attack

2. The Search Engine Attack

The below example was also aimed to scrape product and pricing information using the application’s search engine. As the chart shows, the number of malicious requests made up the majority of all the application traffic during a 24-hour period. While the number of malicious users was low, the volume of malicious requests was significantly higher. And this was only one portion of the attack; the full attack lasted more than one week.

This example demonstrates just how high malicious traffic can become during attack periods. Online travel and hospitality businesses must have the technology and infrastructure in place to balance the load and maintain website performance during traffic spikes.

The Search Engine Attack

 
 

3. The Testimonials Attack

In this example, bots tried to scrape product reviews and testimonials from the travel agency site. The application was flooded with a large amount of traffic, totaling over 1 million requests to over 180,000 different paths. During the attack, malicious requests reached up to 92% of the total traffic to the reviews endpoints.

Although it may seem odd that the bots did not attempt to scrape product or pricing data, we can identify two potential reasons for such an attack. One is that a competitor was stealing reviews to make their site look more legitimate. Two is that a cybercriminal was trying to trick people looking for the original travel site to visit a fake one instead. Not only does this type of attack take away your competitive edge, it can also damage your SEO rank because search engines penalize duplicate content.

The Testimonials Attack

The above examples show that scraping bots are not only pervasive, but also increasingly sophisticated. These high-volume attacks were highly distributed, disguised within legitimate traffic. Thus, they required deep inspection and cutting-edge detection techniques to be caught. Fortunately, HUMAN Bot Defender was able to stop the attacks before damage was done. However, web scraping attacks can wreak havoc on online travel agencies if they are not stopped.

Impact of Web Scraping Bots

A report by Aberdeen Strategy and Research estimates that the annual business impact of web scraping on the travel sector is up to 18.3% of annual website revenue. Web scraping is just one example of how malicious bots can abuse your booking engine and is often the first step in further fraud schemes. Bad actors can use the information collected in scraping attacks to scalp products, copy pricing strategies and repost stolen content.

Here are some ways that web scraping attacks can impact your travel business:

  • You lose your competitive price advantage

    To compete in the travel industry, you need to have the best prices. When competitors unleash bots to scrape your pricing data, your deals are no longer unique and you lose your competitive edge.

  • Your look-to-book ratio falls

    Bots look, but they don’t book. This means your look-to-book ratio will be skewed. And that’s a problem, considering that look-to-book ratio is THE metric of the travel and hospitality industry.

  • Your global distribution system (GDS) cost increases

    A GDS system facilitates transactions between airlines, hotels, car rental companies and travel agencies. For online travel agencies, GDS costs rise if your look-to-book ratio decreases.

  • Your website performance is slowed

    Scraping bots tax your infrastructure, overwhelm your network and slow site performance. This increases your costs for bandwidth and compute cycles, demands more internal resources from IT and negatively impacts user experience.

In an industry marked by strategic price fluctuations — and a simultaneous competition and partnership between search and booking sites — scraping bots threaten the fundamental business strategy of travel and hospitality brands.

HUMAN Bot Defender stops web scraping with unparalleled accuracy. Leveraging machine learning and behavioral analysis, the solution protects your websites, mobile applications and APIs from scraping bots. This safeguards your competitive advantage, improves operational efficiency and preserves a positive customer experience.