A group of robots showing the growing trend of using bots by online travel agencies
Bots on the Beach: The Holidaymakers You Don’t See on Your Flight by Liel Strauch, Director of Cybersecurity Research at PerimeterX

Bots on the Beach: The Holidaymakers You Don’t See on Your Flight

There are any number of things that people may associate with a vacation. Whether it’s white sandy beaches or the stress of air travel, it’s unlikely that bots are among the first things you associate with your summer getaway. They do have their role to play however, behind the scenes.

Over the year, an army of bots descends on travel sites across the web, checking out prices of flights and hotels in a literally mindless quest to scrape intelligence. So where do the bots want to chill by the pool or take in the city sights?

Over the July 4, 2019 holiday weekend (2-6 of July), we saw an interesting trend: bots aligned with the human searches for airports such as Los Angeles and New York City airports. However, bots largely ignored airports like Denver and Las Vegas, which were vacation targets for human searches.

Numbering in the billions, bot armies are unleashed against each other by a competitor of online travel agencies and travel aggregation engines seeking to gain an advantage for their pricing algorithms. In less savory instances, the bots will hoard tickets and prevent real humans from making travel arrangements by making planes or hotel reservations that they never intend to pay for, leaving the highly perishable inventory stranded in online shopping carts. In worst-case scenarios, bots can drive up prices and cause planes to fly empty and hotels to run half-full. Understandably, therefore, bots acting maliciously or in unauthorized scenarios can wreak havoc on travel companies.

Not surprisingly, the volume of bot traffic spikes around the same time that human interest in travel sites spike. Bots are a proxy for human interest, filtered through the lens of travel-oriented companies seeking better intelligence for pricing and inventory decisions. The charts below show considerable overlaps between when bots and humans are searching the most.

bots-on-the-beach-the-holidaymakers-you-dont-see-on-your-flight fig_1

PerimeterX’s own data suggests the percentage of bot traffic to online travel sites has grown by 37% on average over the past year. Bot traffic regularly topped 10% of total traffic per month for an extended period between February and May in 2019. During that same period in 2018, bot traffic never hit that mark. This increase in the presence and volume of bots is driven by two factors: The first is the lower costs and lower barriers to entry of operating bots, and the second is the intensifying competition between large travel aggregators that run big price scraping operations online, powered by bots.

Strangely, bots do appear to make up a smaller percentage of traffic during warmer summer months and a higher percentage during the colder winter months. This may be since bots are checking for summer travel, during March and April, before the season actually begins.

During July 2019, overall traffic – humans, and bots – hit many of the most popular airports hard. These included the three New York metro airports (LaGuardia, John F. Kennedy and Newark), Las Vegas, the London airports (Heathrow, Gatwick, City of London), and the Bangkok airport. In some instances, bot traffic to some airport codes actually outstripped live human traffic. For example, Keflavík International Airport (KEF) in Iceland was hammered by bots, as was Palma de Mallorca Airport (PMI) in Spain. Berlin and Hamburg’s airports also saw more bot than human traffic. In fact, more bot traffic than human traffic can badly skew the pricing algorithms of online travel agencies (OTAs). We suspect the Iceland and Mallorca traffic was driven by bots checking on prices during a fare war. Fare wars can intensify bot traffic as travel aggregators, airlines and OTAs play a cat-and-mouse game with their algorithms, closely observing price and availability of seats on other outlets in order to fine-tune their offers and maximize revenues.

This kind of data is a perfect example of what most people in cybersecurity have come to realize – that any kind of consumer purchase we make can have an equivalent reaction by bots online, even when this isn’t readily apparent. A prescient reminder that our consumer habits are being mimicked and automated online at every turn, even when we are striving to escape the rat race! Consumers and organizations both need to be aware of this, and organizations need to make sure that bots don’t affect user experience, and therefore their bottom line.