Cybercriminals capitalize on travel industry’s peak season

Cybercriminals are capitalizing on the travel and hospitality industry’s peak season, using increased traffic as cover for their attacks, according to Cequence Security.

Researchers investigated the top 10 travel and hospitality sites to identify externally visible edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities.

Threat researchers observed a consistent pattern across industries: increased website traffic during peak seasons, like the travel and hospitality industry’s vacation and holiday periods, coincides with a surge in cyberattacks. DNS and DDoS attack data provided by Vercara supports this finding, as increased queries and attacks correlate with periods of heightened online activity.

Key findings

Critical vulnerabilities remain wide open: All 10 top travel and hospitality companies had serious, public-facing vulnerabilities. Four companies had 91% of the severe vulnerabilities, most of which would allow a man-in-the-middle (MITM) attack, allowing attackers to intercept and manipulate communications between users and the companies.

Unintentionally public servers lurk in the shadows: 8 of the 10 companies had public-facing non-production or internal application servers that are typically unmonitored and unmanaged and could provide attackers with a way in. One company had over 300 such servers.

Cloud sprawl creates the perfect storm for attacks: Cloud sprawl is often driven by acquisitions, siloed departments, or a lack of a defined cloud strategy. This can lead to a proliferation of public-facing cloud instances, increasing the attack surface. The top travel and hospitality sites utilized between 5 and 21 different hosting providers, highlighting the complexity of managing cloud environments.

Holiday rush, attacker’s paradise: October begins the winter travel holiday season, and that’s also when the most DNS queries and DDoS attacks were last year. November 2023 showed the highest number of DDoS attacks against the travel industry for the entire year, almost double the second-highest month.

“Travelers are at risk during peak vacation times, with cybercriminals seizing the opportunity to strike,” said William Glazier, Director of Threat Research at Cequence Security. “Our research highlights severe threats, including financial loss, identity theft, and disrupted travel for consumers, and reputational damage and legal issues for businesses. Frequent attacks can undermine consumer trust in digital platforms. To mitigate these risks, organizations need to prioritize API security, while travelers should stay vigilant and practice cybersecurity.”

As companies work to address these vulnerabilities, they must also prepare for the upcoming PCI DSS Version 4.0, which will become mandatory starting March 31, 2025. Non-compliance with PCI DSS could result in significant fines, penalties and disruptions to card transactions, along with increased risk of data breaches that could damage a business’s reputation and erode customer trust.

Organizations need to prioritize strengthening their API security, adopt proactive measures to mitigate these risks and deploy protection against both manual and automated AI attacks. Travelers should also remain vigilant and employ strong cybersecurity practices to protect their personal and financial information.