For several months, the tourism sector has been facing a wave of attacks targeting travel agencies via their access to the GDS (Edifact) or NDC (New Distribution Capability) system.
But what attracts cybercriminals today is not the technology itself.
It is the digital identity of the agencies.
For attacks against GDSs, hackers target an agency's mailbox with an email that appears legitimate but is not; once the agent opens this email, the trap closes on the agency.
On the NDC side, the attacks observed often rely on a technique called typosquatting. Fraudsters create email domains very similar to those of legitimate agencies. By then using a valid IATA number, they can request access to the airlines' NDC portals.
Once they gain access, the fraudsters issue airline tickets using stolen credit cards. The tickets are valid, the passengers can fly, and the fraud is often only discovered when the first chargebacks appear.
A wave of targeted cyberattacks.
In this type of attack, there is sometimes no spectacular technical intrusion.
Cybercriminals simply exploit an insufficiently protected digital identity.
An often underestimated target
Another factor explains the vulnerability of many agencies: they are often considered to be structures too small to represent a real cybersecurity challenge.
This perception is widely shared by many IT service providers responsible for their IT management.
In many cases, an agency's IT protection is still limited to a few basic tools: a classic antivirus, a standard firewall and a poorly monitored email system.
The problem is that this approach is based on a misinterpretation of risk.
For a cybercriminal, a travel agency can represent an immediate financial opportunity.
With access to distribution systems, whether NDC platforms, GDSs, or B2B booking tools, an attacker can issue a large volume of fraudulent tickets or various other services (hotels, car rentals, etc.) in a very short time. The amounts can reach hundreds of thousands of euros before the agency detects the fraud.
In other words, even a small agency can become a very profitable target.

The evolution of protection technologies
Faced with these threats, cybersecurity has evolved profoundly in recent years.
Traditional tools, focused on detecting known viruses, are no longer sufficient to detect sophisticated attacks that exploit identities and access.
EDR and XDR technologies have become established.
An EDR (Endpoint Detection and Response) system continuously monitors the behavior of workstations and servers. It detects suspicious activities such as the execution of malicious scripts, remote takeover attempts, or lateral movement within a network.
XDR platforms go further by correlating signals from multiple environments: workstations, email, cloud, and network. This comprehensive view makes it possible to detect attacks that would remain invisible to a single tool.
In an environment where several critical systems coexist (messaging, booking tools, distribution platforms), this correlation becomes essential.
Artificial intelligence to secure messaging services
Email remains one of the main attack vectors today.
Modern security solutions now use artificial intelligence to analyze communications dynamically.
These technologies are capable of identifying:
- anomalies in domain names
- identity theft attempts
- messages whose behavior differs from the sender's usual patterns
- targeted phishing campaigns
AI constantly analyzes a large number of signals: message structure, exchange history, communication context, and domain reputation.
When suspicious behavior is detected, the message can be automatically blocked or reported to the security teams.
typosquatting techniques used in some attacks targeting agencies.
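The domain-name anomaly check, applied to the NDC access scenario described earlier, as an added example that is not from the original article or any vendor product: a request carrying a valid IATA number is compared against the email domain on file for that agency, and near-miss domains are flagged. The registry, IATA numbers, domains, and function names are all constructed for illustration.

```python
import unicodedata

# Constructed registry: IATA number -> email domain on file for the agency.
# Both the numbers and the domains are made-up sample values.
AGENCY_DOMAINS = {
    "00000001": "sunrise-travel.example",
    "00000002": "globetours.example",
}

# Common visual substitutions folded before comparison (not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain: str) -> str:
    """Lower-case, strip accents, fold look-alike characters and digraphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_request(iata_number: str, sender_email: str, max_distance: int = 2) -> str:
    """Classify a portal access request by the sender's email domain."""
    expected = AGENCY_DOMAINS.get(iata_number)
    if expected is None:
        return "unknown_iata"
    domain = sender_email.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == expected:
        return "match"
    # Valid IATA number plus a near-miss domain is the pattern to hold for review.
    if edit_distance(skeleton(domain), skeleton(expected)) <= max_distance:
        return "lookalike"
    return "mismatch"
```

A "lookalike" verdict is a reason to verify the request through a contact channel already on file, not through the address that sent it.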
Protecting digital identities
In a modern digital environment, cybersecurity now rests on a simple principle: never trust by default.
Each access to an application must be verified based on several elements:
- user identity
- device used
- connection location
- usual behavior
This model, often called zero trust, greatly reduces the risk of hijacked access to critical systems such as NDC platforms.
A question of risk management
The tourism sector today relies on high-value digital identities: IATA numbers, access to distribution platforms, booking accounts and payment tools.
These identities have become economic assets.
If they are compromised, the consequences can be swift and costly.
Cybersecurity is therefore no longer solely an IT issue. It is becoming an essential component of risk management for travel agencies.
And in a context where cybercriminals favour easy but profitable targets, the protection of digital identities becomes one of the major security challenges in the sector.