Web scraping has increased 240% YoY, according to the 2022 Automated Fraud Benchmark Report. Although scraping bots hit virtually every site in existence, most companies consider them to be a mild annoyance that’s just the cost of doing business online. But web scraping is a problem that travel and hospitality companies can’t ignore.

Within the past month, the PerimeterX research team uncovered three noteworthy web scraping attacks on two of the most well-known consumer online travel agencies.

1. The Itemization Attack – April 24, 2022

In this attack, bots attempted to use the application’s search engine to scrape itemized product and pricing information. This bot used the search engine URL structure in order to reach as many listings as possible in a short period of time. The scraping bots entered different request parameters in the application search engine to reveal site content, reaching a different search results page each time. This allowed the fraudster to disguise the attack in legitimate traffic and make it quite difficult to detect.

What made this attack unique was the highly distributed nature of the price scrapers’ characteristics. Less sophisticated attacks might produce a similarly high volume of requests, but each one would have the same fingerprint. This makes the attack easier to detect and block. In this attack, however, every single request had a different fingerprint.

2. The Search Engine Attack – April 25, 2022

The below example was also aimed to scrape product and pricing information using the application’s search engine. As the chart shows, the number of malicious requests made up the majority of all the application traffic during a 24-hour period. While the number of malicious users was low, the volume of malicious requests was significantly higher. And this was only one portion of the attack; the full attack lasted more (Read more...)