Armies of malicious bots are targeting airline mobile apps and websites to drain customer award miles or make illicit purchases.
August 2018 was a rough month for airlines. An army of bots swooped in on Air Canada, causing chaos and confusion and stealing customer data. This was only the latest in a spate of recent cyber-attacks compromising the data of airline customers; Delta Air Lines and others have suffered data breaches in the past two years, potentially exposing millions of passengers’ personal data.
Also of note: the Air Canada attack focused on mobile, an increasing trend in bot attacks. Between August 22 and 24, the Canadian national airline suffered a vicious cyber attack as an army of malicious bots hammered the Air Canada mobile app with millions of fraudulent login attempts. Many of these login attempts succeeded, and Air Canada suffered a data breach that may have affected more than 20,000 customers. From the accounts that were taken over, attackers harvested not only basic data such as names, emails and phone numbers, but also potentially sensitive data such as passport numbers and NEXUS numbers for trusted travellers.
The scale of these attacks is often astounding. In a bot attack against one of our travel and hospitality customers, we saw login attempts coming from thousands of different IP addresses across more than 30 countries in a single day. Because each address contributes only a handful of requests, such “low-and-slow”, widely distributed attacks often let bot networks fly under the radar for months before the victims realize what is happening.
Unfortunately, these attacks are only the beginning of a spiral of ongoing attacks that will increase in both volume and sophistication. Here’s why:
Savvy malicious bot operators know very well that people tend to reuse the same email and password combination across multiple sites. They also know that most people have an account with more than one airline. The pool of credentials extracted in one breach will most likely be used to fuel additional account takeovers (ATOs) across numerous other airline and travel sites. This is why ATO has increased in intensity: based on what we see on our network, airlines are seeing an average of 65% or more of login attempts being malicious.
The reason airline sites are such a juicy target is that most now offer reward and loyalty programs. It is relatively trivial to drain points out of a compromised account and move them to another account, from which fraudsters use the points to book travel, make purchases or reserve hotel rooms. Often, the airline’s security and IT teams only become aware of the fraud after a customer reports a loss of reward points or some other abuse of their account.
Additionally, the attacks increasingly focus on mobile applications or, more specifically, on the backend API endpoints that mobile applications use to authenticate and transact. This indicates increased sophistication and adaptation to user behaviour, which is increasingly mobile-dominated. These API endpoints require different security measures from traditional websites or mobile websites: an API client is not a browser, so the JavaScript challenges and CAPTCHAs that protect a web login form do not carry over automatically. Yet app security is often an afterthought, in part because security teams may assume that apps on semi-restricted platforms like iOS and Android are by definition more secure.
This fails to take into account the sad reality: it’s not about the apps themselves but about the attack surface they expose. Attackers rarely try to hack the apps or find backdoors into them; why bother, when they can often walk through the front door via the API and hammer it with credential-stuffing and brute-force login attempts?
Additionally, because the pace of data breaches of all types has accelerated, there have never been more email and password pairs to validate. Fraudsters test whether an email and password pair works, and then sell the working ones on the Deep Web, at around $151 for an account holding 240K miles. The tally of breached accounts now numbers in the billions, creating the biggest pool of accounts to hack in history. Not surprisingly, the majority of this traffic hits the login endpoint.
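To make the detection side of this concrete, here is an added example (not code from the original article or from any vendor product) that runs two detectors over constructed login traffic against a mobile login API: a classic per-IP rate limit, which a widely distributed low-and-slow campaign evades because no single address makes more than a couple of attempts, and an aggregate detector over a time window that keys on what the campaign as a whole looks like: a high failure ratio, almost every attempt arriving from a different IP, and almost every attempt naming a different username (a leaked credential list being replayed). The endpoint path `/api/v2/login`, the IP addresses (documentation ranges), the usernames, the timestamps and the thresholds are all assumptions made for the example.

```python
"""Detecting distributed "low-and-slow" credential stuffing on a login API.

Added example, not code from the original article or any vendor product.
All events below are constructed; addresses come from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # seconds since the start of the (constructed) day
    ip: str
    user: str
    success: bool
    endpoint: str     # "/api/v2/login" is the assumed mobile-app API path


def build_sample_events():
    """Constructed traffic: a day of normal member logins plus a two-hour
    credential-stuffing wave against the mobile API endpoint."""
    events = []
    # Normal members: one login each, every 30 minutes; every fifth member
    # mistypes the password once before succeeding.
    for i in range(20):
        ts, ip, user = i * 1800, f"192.0.2.{i + 1}", f"member{i}@example.com"
        endpoint = "/api/v2/login" if i % 2 else "/login"
        if i % 5 == 0:
            events.append(LoginEvent(ts, ip, user, False, endpoint))
            ts += 20
        events.append(LoginEvent(ts, ip, user, True, endpoint))
    # Campaign: 200 attempts starting at 04:00, one every 36 s, spread over
    # 150 IPs (no IP makes more than two attempts, 90 minutes apart), each
    # attempt replaying a different leaked email/password pair; 1 in 20 pairs
    # still works because the victim reused the password.
    for i in range(200):
        octet = i % 150
        ip = f"203.0.113.{octet + 1}" if octet < 100 else f"198.51.100.{octet - 99}"
        events.append(LoginEvent(14400 + i * 36, ip, f"victim{i}@example.com",
                                 i % 20 == 0, "/api/v2/login"))
    return events


def per_ip_rate_limit_hits(events, window_s=600, max_attempts=10):
    """Classic rule: flag any IP making more than max_attempts within window_s."""
    stamps_by_ip = defaultdict(list)
    for e in events:
        stamps_by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):      # sliding window over this IP's attempts
            while t - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged


def window_metrics(events, start, window_s):
    """Aggregate signals over [start, start + window_s) that no single IP's
    behaviour reveals. Returns None for an empty window."""
    w = [e for e in events if start <= e.ts < start + window_s]
    if not w:
        return None
    n = len(w)
    return {
        "attempts": n,
        "failure_ratio": sum(1 for e in w if not e.success) / n,
        "ip_spread": len({e.ip for e in w}) / n,      # near 1.0 when each attempt uses a fresh IP
        "user_spread": len({e.user for e in w}) / n,  # near 1.0 when each attempt names a fresh account
        "mobile_api_share": sum(1 for e in w if e.endpoint == "/api/v2/login") / n,
    }


def is_distributed_stuffing(m, min_attempts=50, min_failure_ratio=0.5, min_spread=0.5):
    """Many attempts, mostly failing, from mostly distinct IPs, against mostly
    distinct accounts: the signature of a replayed credential list. Normal
    traffic fails occasionally but reuses IPs and usernames; a single-source
    brute force fails a lot but has a tiny ip_spread and is caught per-IP."""
    return (m is not None
            and m["attempts"] >= min_attempts
            and m["failure_ratio"] >= min_failure_ratio
            and m["ip_spread"] >= min_spread
            and m["user_spread"] >= min_spread)


def scan(events, window_s=7200, step=1800):
    """Slide a window across the whole stream; return the start times of
    windows that look like a distributed campaign."""
    last = max(e.ts for e in events)
    return [s for s in range(0, last + 1, step)
            if is_distributed_stuffing(window_metrics(events, s, window_s))]


if __name__ == "__main__":
    ev = build_sample_events()
    print("per-IP rate limit flags:", per_ip_rate_limit_hits(ev) or "nothing")
    print("campaign window:", window_metrics(ev, 14400, 7200))
    print("windows flagged:", scan(ev))
```

On the constructed day the per-IP rule flags nothing, while the 04:00 window shows roughly 93% failures with about three quarters of attempts from distinct IPs and nearly every attempt naming a distinct account. The thresholds here are illustrative; in production they would be tuned against a baseline of the site’s own failure ratio and IP/username churn, and the `mobile_api_share` signal is reported only to show that the wave concentrates on the API path rather than the web form.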
With such high-volume, high-frequency ongoing efforts to breach travel sites and clean out customer accounts, airlines should expect the pace and frequency of malicious bot attacks to accelerate, and the damages from bot attacks to continue to take flight. For customers who suffer account breaches, this means a messy and frantic effort to clean up the damage. According to the June 2018 “Cost of a Data Breach” study by the Ponemon Institute, the average data breach cost businesses nearly $4 million, and larger breaches of 1 million records cost $40 million. These figures include time spent by security teams, direct costs such as reimbursement, and indirect costs such as lost business.
Airlines that suffer bot attacks endure not only reputational risk when accounts are compromised but also threats to their infrastructure: massive attack traffic can slow down transactions, app usage and browser speed for normal human users seeking to research and purchase tickets.
What’s more, the cost of mounting a serious botnet is falling rapidly as cloud computing costs continue to plummet and the number of IP-addressable devices that could carry out bot attacks continues to soar with the growth of the Internet of Things and all manner of connected devices. The upshot? Airlines should expect a constant stream of malicious bot traffic pummeling their apps and properties, and they need a rock-solid proactive strategy to stop these bots and radically reduce the risk of account takeovers and other automated attacks. That will save them money: the Ponemon report found that companies deploying automated security technologies to monitor or stop breaches saved an average of $1.5 million per breach, so proactive approaches to stopping bots pay for themselves very quickly.