DataVisor Threat Blog:

Bot attacks, and one airline’s battle to defeat them

Ting Fang Yen

Director of Research // Ting-Fang specializes in network and information security data analysis and fraud detection in the financial, social, and eCommerce industries. She holds a PhD in Electrical and Computer Engineering from Carnegie Mellon and has previously worked for E8, RSA, and Microsoft.

As malicious bot attacks become more sophisticated, the ticketing industry is feeling the pressure. One airline is fighting back.

Fraudsters are incentivized to act when they see easy opportunities to make money. Unfortunately, the ticketing industry has become one such target. Online tickets, rewards, loyalty points, and other forms of currency available on ticketing platforms attract fraudsters armed with sophisticated tools ready to harvest them for real-world gains.

One reason the ticketing industry is an attractive target for fraudsters is that accounts on those platforms tend to have weaker passwords and fewer validation checks at account signup as compared to financial or e-commerce services. This makes it easier to abuse fake accounts or compromise existing accounts for fraudulent activities.

In addition, prices on ticketing platforms change dynamically, often in response to supply and demand at a given time. A common attack, generally referred to as ticket scalping, is to purchase or reserve tickets in bulk as soon as they go on sale. Buying up inventory creates artificial scarcity that drives ticket prices up, so the fraudster can resell the tickets at a markup. Conducted at scale using scripted bots, this is an extremely lucrative business.

Bad bots plague airlines

The ticketing industry’s vulnerability is especially troubling as bots continue to power massive-scale fraud. As recently highlighted in a Distil Research Lab report titled How Bots Affect Ticketing, “39.9 percent of ticketing traffic is comprised of bad bots.” In an article reporting on the Distil findings for Dark Reading, Steve Zurier points out that this is “a notable increase from the 22.9% found in previous reports.” In the same article, Zurier quotes Edward Roberts, Director of Product Marketing at Distil Networks, who states that another recent report found that “43.9% of all traffic on airline websites came from bad bots.”

In a recent attack that DataVisor discovered on a large airline website, 52.9% of ticket orders were fraudulent, with 81% of them conducted by bad bots. Despite a robust suite of firewalls and anti-bot defenses, thousands of fraudulent orders were still getting through.

Airline ticketing attack characteristics

In the attack we analyzed, scripted scalper bots used different passenger names, mailing addresses, contact information, payment information, devices, and IP addresses so that no single entity stood out or hit a rate-limiting threshold. These were sophisticated attacks. The fraudsters had detailed knowledge of the airline website’s defenses, and they were able to specifically craft their bots to evade detection.

Airline bot attacks - examples of disguised fraudulent tickets

Figure 1: Example of bogus ticket reservations made by scripted bots. The passenger names were randomly generated, though the contact phone numbers were all from the same area code. None of the fraudulent orders in this example carried an HTTP Referer header, indicating that the bots requested the airline booking page directly rather than navigating to it from another page.

Even though the malicious bots obfuscated their activities to evade detection, there were still behavioral patterns that set them apart from normal users. For example, all of the fraudulent orders went through the same sequence of webpages to search for and book flights. The time it took the bots to fill out the booking information varied, but its distribution differed markedly from that of legitimate users. As shown in the figure below, the fraudulent orders consistently had very short session durations (often less than 100 seconds), whereas normal, manual orders lasted at least twice as long, and could take as long as 5000 seconds.

Bot attacks - How airlines can use session duration to detect fraud

Figure 2: The distribution of web session duration from fraudulent orders (in red) compared to that of normal orders (in blue). The fraudulent orders are much shorter in duration.
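The signals described in Figures 1 and 2 (randomized passenger names, one shared phone area code, no Referer header, an identical page sequence, and sub-100-second sessions) can be turned into a simple group-level detector. The script below is an added example, not DataVisor's code or the airline's defenses; the orders are constructed sample data, the thresholds (100 seconds, clusters of at least 3) are illustrative, and the area-code parser assumes North American numbers. The point it makes is the one in the text: none of the per-order signals is conclusive on its own (a fast human who typed the URL directly trips them too), but a group of orders that share a page flow and an area code and are collectively fast and referer-less is hard to explain as organic traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: str
    passenger: str
    phone: str                  # e.g. "+14155550101"
    referer: Optional[str]      # HTTP Referer header, None if the request had none
    page_sequence: tuple        # pages visited during the booking session, in order
    session_seconds: float      # time from first page view to order confirmation


BOOKING_FLOW = ("search", "results", "passenger", "payment", "confirm")

# Constructed sample orders (not real airline data).
# B1..B5 mimic the scalper bots: random names, one area code, no referer,
# identical page flow, sessions well under 100 seconds.
# L1..L4 look like people: varied area codes, referers and flows, longer sessions.
# L3 is the edge case: a fast human who typed the booking URL directly.
ORDERS = [
    Order("B1", "Qzlt Marnov", "+14155550101", None, BOOKING_FLOW, 42.0),
    Order("B2", "Hexa Brunnel", "+14155550177", None, BOOKING_FLOW, 61.5),
    Order("B3", "Ovri Kasmund", "+14155550190", None, BOOKING_FLOW, 38.2),
    Order("B4", "Tyli Venrock", "+14155550133", None, BOOKING_FLOW, 88.0),
    Order("B5", "Rune Asketh", "+14155550142", None, BOOKING_FLOW, 55.7),
    Order("L1", "Maria Lopez", "+12125550123", "https://www.google.com/", BOOKING_FLOW, 412.0),
    Order("L2", "John Smith", "+13105550144", "https://www.kayak.com/",
          ("search", "results", "search", "results", "passenger", "payment", "confirm"), 1930.0),
    Order("L3", "Aisha Khan", "+17735550166", None, BOOKING_FLOW, 95.0),
    Order("L4", "Wei Zhang", "+16175550188", "https://www.bing.com/", BOOKING_FLOW, 4800.0),
]


def area_code(phone: str) -> str:
    """Area code of a North American number (assumption: NANP numbers only)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if digits.startswith("1") and len(digits) == 11:
        return digits[1:4]
    return digits[:3]


def order_signals(order: Order, short_session: float = 100.0) -> list:
    """Per-order signals. Weak in isolation: a quick human with a typed URL trips both."""
    signals = []
    if order.session_seconds < short_session:
        signals.append("short_session")
    if order.referer is None:
        signals.append("no_referer")
    return signals


def flag_bot_clusters(orders, short_session: float = 100.0, min_cluster: int = 3) -> dict:
    """Group orders by (page flow, phone area code) and flag groups whose members
    collectively look scripted. Returns {order_id: [reasons]} for flagged orders."""
    groups = defaultdict(list)
    for o in orders:
        groups[(o.page_sequence, area_code(o.phone))].append(o)

    flagged = {}
    for (_flow, code), members in groups.items():
        if len(members) < min_cluster:
            continue  # too small to be a coordinated group on this key
        reasons = []
        if median([m.session_seconds for m in members]) < short_session:
            reasons.append(f"cluster_median_session_under_{short_session:g}s")
        if all(m.referer is None for m in members):
            reasons.append("cluster_all_direct_visits")
        if len(reasons) == 2:  # require both group-level traits before flagging
            reasons.append(f"shared_page_flow_and_area_code_{code}")
            for m in members:
                flagged[m.order_id] = reasons
    return flagged


if __name__ == "__main__":
    hits = flag_bot_clusters(ORDERS)
    for o in ORDERS:
        verdict = "BOT" if o.order_id in hits else "ok "
        print(verdict, o.order_id, order_signals(o), hits.get(o.order_id, []))
```

Running it flags B1 through B5 and nothing else. L3 shows both per-order signals yet is not flagged, because it has no companions sharing its flow and area code; raising `min_cluster` or adding further keys (device fingerprint, payment BIN, mailing-address city) tightens the grouping, while the session-time threshold should be set from the legitimate distribution in Figure 2 rather than picked by hand.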

Real-time detection, real-world results

The ticketing industry is not the only victim. As malicious bots become more sophisticated, a variety of services and platforms are under attack for different reasons. A recent article describes how bots were used for credit card testing on Magento stores. This attack was likely perpetrated by criminals who had purchased stolen credit cards on underground “carding forums” and were testing their validity by exploiting a weakness in the Magento system design. While this is just one example of bots becoming a valuable tool for fraudsters, the overall rise in bot-powered attacks should be cause for concern across industries. Not only do bots make massive-scale attacks possible, but their coordinated activities are much harder to detect and prevent. In another example, DataVisor reported on a massive account takeover attack that involved hundreds of thousands of login attempts from thousands of IP addresses belonging to compromised machines all over the world.

In many cases, online services may not even realize they are under attack. In the example described above, the airline was not aware of the extent of the problem until they noticed that a majority of tickets on several flights were all simultaneously canceled at the last minute. This unusual behavior suggested fraudulent activity—in all likelihood, it was the result of fraudsters “releasing” the lingering bulk-reserved tickets they had not been able to resell on time.

The lesson here is that organizations must be extremely vigilant, and on the lookout for tell-tale fraud signs that are often well-hidden. Modern online fraud is massive in scale, and the rise of bot-powered attacks has increased the scope and complexity to such a degree that it can seem almost impossible to know you’re under attack until it’s too late. Reactive strategies are not enough. The goal shouldn’t be to fix the damage. The goal should be to prevent it.