Cequence publishes explosive new data regarding the security of tour operator and hotel industry websites. Cybercriminals are increasingly using the increased traffic during the vacation season as a cover for their attacks.
The Cequence CQ Prime Threat Research team tested the top 10 travel and hospitality websites using Cequence API Spyder. The SaaS-based discovery tool gives companies insight into their publicly accessible resources from the perspective of a potential attacker, allowing them to identify externally visible edge and cloud infrastructure, application stacks, API hosts and security vulnerabilities.
Cequence’s threat research and threat analyst teams have observed a consistent pattern across industries: the surge in website traffic during a peak season, such as the holiday and vacation season in the travel and hospitality industry, is accompanied by an increase in cyberattacks. Data from cloud security provider Vercara on Domain Name System (DNS) queries and distributed denial-of-service (DDoS) attacks confirms this: both query volume and attack volume rise in step with periods of increased online activity. The most important findings at a glance:
- Critical vulnerabilities are ubiquitous: all ten leading travel and hospitality companies had serious, publicly reachable vulnerabilities. Cequence’s experts found 91% of the critical vulnerabilities at just four of the companies; most of them would enable a man-in-the-middle (MitM) attack, in which an attacker intercepts and manipulates the communication between users and the company.
- Many servers were unintentionally exposed: 80% of the companies assessed had publicly reachable non-production or internal application servers. Such systems are generally neither monitored nor actively managed, so they can serve as an entry point for attackers. One company had over 300 of them.
- “Cloud sprawl” increases the attack surface: cloud sprawl, i.e. sprawling, poorly inventoried cloud environments, often results from acquisitions, information silos between departments or the lack of a defined cloud strategy. The result is a proliferation of publicly accessible cloud instances and a larger attack surface for cybercriminals. The leading travel and hospitality websites used between 5 and 21 different hosting providers, illustrating how complex cloud management has become.
- Vacation time is hacker time: the summer vacations are over and the winter travel season is about to begin, which marks the start of the high season for cybercriminals. In 2023 this period saw the highest volume of DNS queries and DDoS attacks of the entire year, almost twice the usual level.
As companies work to address these vulnerabilities, they must also prepare for the Payment Card Industry Data Security Standard (PCI DSS) version 4.0, whose future-dated requirements become mandatory on March 31, 2025. Failure to comply with PCI DSS can result in significant fines, penalties and problems with card transactions, as well as an increased risk of data breaches, which damage a company’s reputation and undermine customer trust. Companies should therefore prioritize strengthening their API security, take proactive measures to mitigate these risks and implement safeguards against both manual attacks and automated, AI-assisted attacks. Travelers should also remain vigilant and follow strict cybersecurity practices to protect their personal and financial data.
“Travelers are particularly at risk during the peak holiday season, as cybercriminals mercilessly exploit them to strike,” warns William Glazier, Director of Threat Research at Cequence. “Our research shows that serious threats are occurring again this winter. Consumers are at risk of financial loss, identity theft and problems while traveling, while businesses face reputational damage and legal consequences. To mitigate the overall risk, tour operators and hospitality companies should increase their API security and drive initiatives to do so. I can only advise travelers to remain vigilant when booking their vacations and to be as restrictive as possible with their data.”
(pd/Cequence)