Cyber breaches seem to make headlines
every day, with Uber,
InterContinental
Hotels Group and Marriott
International among the major travel brands to have recently fallen
victim to attackers. Whether it’s a multinational corporation or a small
startup, no travel company is immune to the threat of cybercriminals and
fraudsters, experts say.
Travel and leisure is one of the most
impacted industries globally, with digital fraud attempts rising 155.9% in the
last year, according to a forthcoming report by Phocuswright. Cyberattacks in
the travel sector mainly target credit cards, personally identifiable
information, reward programs and public internet access, Phocuswright
finds. Future vulnerabilities include artificial intelligence and the
metaverse.
“The travel industry functions in an environment where numerous
potential points of failure make the prevention and detection of cybersecurity
breaches significantly more difficult relative to other industries,” says Robert
Cole, senior research analyst, lodging and leisure travel at Phocuswright.
Eighty-eight percent of corporate
boards regard cybersecurity as a business risk rather than solely a technical
IT problem, the study shows. The challenge for business leaders is to manage
the “internal corporate dissonance” that comes with marketing and operations
teams wanting to simplify access to information that legal and financial teams
prefer were never captured in the first place.
The study, titled “Cybersecurity in travel goes beyond technology”
and due in October, points to numerous characteristics of the global travel
industry that make it susceptible to hackers, including:
- Complex system architectures
- Legacy core technologies
- Multiple staff and customer touch points
- Staffing shortages and high employee turnover
- Large reward programs
- Extensive customer profiles
- Low technical sophistication
- Dispersed, localized operations
- 24/7/365 service
- Extensive discounts and reward schemes
- Digital and on-premises points of sale
- Multiple payment methods
The Phocuswright report also draws the following conclusions:
- Travel sellers enamored by social media influencers may be misled by claims of large followings and high engagement if sound vetting processes are not followed.
- Hotels and airlines providing Wi-Fi services need to be aware of individuals capable of spoofing internet access points with network IDs that are similar to the real ones.
- Hotels allowing room charges from dining outlets and recreational facilities often only require a name and room number for validation. If the guest’s name and room number are overheard at the front desk, or a lost key packet with the name/room number is found, erroneous services may be charged to the victim’s room and not be discovered until the day of departure.
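The lookalike access point problem above is one a property can check for on its own side. The following is an added example, not code from Phocuswright or PhocusWire: it runs over a constructed Wi-Fi scan and flags networks that either reuse the hotel’s SSID from an access point not in its inventory, or carry an SSID that closely resembles it (the inventory, SSIDs and BSSIDs are all made up).

```python
# Added example (not from the Phocuswright report): flag scanned Wi-Fi networks
# that impersonate the property's real SSID, either exactly from an unknown
# access point (BSSID) or with a near-identical name.
import difflib
import re

# Constructed inventory of the hotel's legitimate access points: SSID -> BSSIDs.
KNOWN_APS = {
    "Grand Hotel Guest": {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:11"},
}

# Constructed scan output, one network per line: BSSID<TAB>SSID.
SCAN = """\
aa:bb:cc:00:01:10\tGrand Hotel Guest
aa:bb:cc:00:01:11\tGrand Hotel Guest
de:ad:be:ef:00:01\tGrand Hotel Guest
de:ad:be:ef:00:02\tGrand HoteI Guest
de:ad:be:ef:00:03\tGrand Hotel Guest Free
02:11:22:33:44:55\tCoffeeShop
"""

# Similarity threshold (difflib ratio, 0..1) above which an SSID is a lookalike.
LOOKALIKE_THRESHOLD = 0.85

def normalize(ssid):
    # Fold case and collapse whitespace so spacing/case tricks do not hide a match.
    return re.sub(r"\s+", " ", ssid.strip().lower())

def classify(bssid, ssid):
    # Returns "legit", "rogue-exact", "lookalike" or "unrelated".
    for real, macs in KNOWN_APS.items():
        if ssid == real:
            # Same SSID: trusted only if the AP's MAC is in our inventory.
            return "legit" if bssid.lower() in macs else "rogue-exact"
        ratio = difflib.SequenceMatcher(None, normalize(ssid), normalize(real)).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unrelated"

def scan_report(scan_text):
    # Collects every suspicious (bssid, ssid, verdict) from the scan text.
    findings = []
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        bssid, ssid = line.split("\t", 1)
        verdict = classify(bssid, ssid)
        if verdict in ("rogue-exact", "lookalike"):
            findings.append((bssid, ssid, verdict))
    return findings

if __name__ == "__main__":
    for bssid, ssid, verdict in scan_report(SCAN):
        print(f"{verdict:12} {bssid}  {ssid!r}")
```

A real deployment would feed it the output of the site's wireless controller or a periodic scan from a monitoring sensor rather than the embedded sample.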
Data destruction
Now that the pandemic has subsided, the tourism industry is a
prime target for cyberattacks, says Darren Williams, CEO of BlackFog, one of a
number of cybersecurity company leaders who spoke with PhocusWire.
“It’s obviously a trend that’s increasing, and as we exit the pandemic
and more people are traveling, it seems like it’s really nice low-hanging fruit
for cybercriminals,” Williams says.
Ransomware is one of the biggest threats, where the aim has
traditionally been to get companies to pay to have their data unencrypted, Williams
says. August saw the highest number of ransomware attacks so far this year, and
September was shaping up to be just as high.
In recent weeks, cybercriminals have ventured beyond data encryption
to new territories of data exfiltration (transfer) and destruction, according
to Williams.
“They’re saying, ‘We will come onto your machine, we will delete
all your data and take it away, and we’re the only people with a real copy of
your data now.’”
Criminals look for the easiest targets they can find, so small hotel
chains without adequate infrastructure are prime candidates as they are less
likely to have invested in tools, processes and people to protect the
organization. Even fewer will have anti-data-exfiltration technology, Williams
says.
Since the goal of an attack is to steal data, investing in tools
to prevent a data breach is crucial, especially in the tourism/hotel industry, “where
discretion is a key part of the environment,” says Williams.
“It just keeps on getting bigger. Ransomware is getting worse
because the tools are getting really, really effective,” he says. “Obviously
there’s a lot of money to be made there. And the fact is, people … have been
paying [these ransoms] regularly.”
Existential threat
Chris Clements, vice president of solutions architecture at
Cerberus Sentinel, says a common tactic is phishing, where attackers send a “social
engineering e-mail” that tricks people into clicking on links and providing
information such as passwords.
Multifactor authentication can help prevent breaches, but it’s not
foolproof, according to Clements. Codes delivered by text message are the easiest
form to bypass. “The attackers … are going to look for ways to get around that.”
Generally, the newer and smaller an organization, the better secured
it tends to be, Clements says. It’s more likely to be using newer
technologies, and it’s much easier to secure 20 computers than 10,000.
Plus, big companies “are likely to have bigger targets on their
backs,” he says, because of the larger financial incentive.
While a cyberattack may be embarrassing and costly for a large
company, it tends to be mostly an annoyance. However, a breach can present an
“existential crisis” for a startup. “If you’re a smaller organization and you
suffer a serious cybersecurity incident, that can be enough to wipe
you out,” Clements says.
Supply chain attacks are also a serious risk. Business leaders can
minimize supply chain risks by asking: “Who are my partners? Who are my vendors?
Do they have access to my data? How do they have access to my data? Do I have
controls to monitor what they’re accessing or limit what they’re accessing?”
Protecting a company from attacks takes cultural buy-in on
cybersecurity and dedication of resources.
But Clements cautions against going out and buying the latest hot
product: “It’s really going to be starting with the fundamentals of where’s my
risk, where is my data and how do I make sure I’m protecting that?”
Clements recommends storing as little data as possible: “Data is like
uranium. Uranium is very powerful if you understand exactly how to use it, but
extremely dangerous to just leave lying around.”
While he acknowledges the importance of cybersecurity training and
awareness for employees, he warns that it’s unreasonable to expect employees to
outsmart professional cybercriminals.
“If a single account being compromised can cause significant
damage, sooner or later you’re going to have significant damage,” Clements
says.
The metaverse: a new playground
HUMAN co-founder
and CEO Tamer Hassan says malicious bots comprise 77% of all
digital attacks.
“Cybercriminals always
follow the money, and they have become much more sophisticated in their
approach to attacks, bypassing current security tools and using bots as an
avenue to scam, steal and cause havoc.”
If an organization forces
users to rotate passwords periodically, malicious actors may have a tougher
time guessing users’ passwords, Hassan says.
The metaverse and AI are
“new playgrounds” for fraudsters.
“The metaverse is an
important and exciting new frontier featuring a new economy with a distinct
currency. While the potential is limitless and exciting, any opportunity for
incentivization or monetization is wrought with fraud, and the fraudsters are
already getting ahead of the curve,” Hassan says.
Steven Puddephatt, solution architect
at GlobalDots, says “the travel industry particularly is
plagued with bots performing all kinds of activities from semi-harmless price
scraping to the very malicious account takeover. Bot protection is also fairly
widely adopted across the industry, but it’s not standard yet.”
A major threat comes in the form of B2B and B2C application
programming interfaces (APIs), Puddephatt says.
“There has been a total explosion of APIs across all industries,
but especially travel companies. This has left somewhat of a gaping hole in
security terms as none of the existing technologies are specifically designed
to protect API traffic, and if you’re serious about security you need a
specific API protection tool to cover your bases,” he says.
But no company is 100% safe.
“If an attacker
really wants to get inside your organization, then one way or another they’ll
find a way in,” Puddephatt says.