High conversion and website security are NOT contradictory terms

Today, the Travel, Ticketing, and Aviation industries and their customers are increasingly the targets of cyberattacks as hackers seek to monetize highly valuable customer payment data and other travel information. Not only are cyberattacks on the rise, but the hacks are now more lucrative than ever for cybercriminals. This is due to the fact that stealing physical credit card data is much harder today than ever before.

These industries are highly competitive, particularly because users are more concerned about finding the lowest price than sticking with a particular brand. This makes user experience and maintaining a feature-rich website critical success factors. Websites in these industries rely on an ever-expanding ecosystem of 3rd party suppliers to enhance and personalize user experience, increase engagement, track their customers’ journey and behaviors, monitor monetization and so on. The average website uses 40-60 3rd party tools, which means exposed environments: these 3rd party tools offer great benefits, but also provide attackers with an attractive gateway for malicious activity such as formjacking, Magecart, JS Skimming, and more. Unfortunately, this means that the more such tools are used, the more risks websites take upon themselves. Instead of hacking the websites, hackers often attack the 3rd party plugins and use their Javascript to hitchhike onto the website. Checking the security perimeter of any Travel, Ticketing or Aviation website is simply not enough. A website is affected by the security perimeter of all of the 3rd party tools it uses. Moreover, it has no control over what’s happening outside the 3rd party circle: there are 4th, 5th and 6th party circles that most website owners are not even aware of.

Formjacking is The New #1 Threat

Many of the websites in these industries tend to run with a lot of functionality built out in JavaScript. In industries where performance is crucial, such as Travel, Ticketing & Aviation, proprietary algorithms are placed on the client-side for the sake of performance. Combining these two factors –  i.e., exposed environments and proprietary algorithms – results in an inevitable catastrophe.

These websites are often used on mobile rather than via desktop. When the JavaScript code is delivered to a PC, or when the developer tools are open, it usually doesn’t contain the call to the malicious code. But when it is delivered to a mobile device, the request to the malicious code is right there. There’s a reason for that –  hackers want to avoid detection, and PCs have better ways of detecting malicious code.

There are many different types of attacks aimed at Travel, Ticketing & Aviation websites:

  • Payment card skimming
  • Keylogging
  • Form field manipulation
  • Web injection
  • Phishing
  • Content defacement
  • Clickjacking
  • Malware and ransomware distribution
  • Watering hole attacks

Formjacking and Magecart attacks can be very wide-ranged and affect millions of people at once, or they can be highly targeted and affect a very specific group of people. This is also one of the reasons why they are so difficult to detect.

The major implications of such attacks include:


People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why laws and regulations are very clear – when you are entrusted with personal data you must look after it. Every website in the Travel, Ticketing & Aviation landscape is required to meet certain standards in order to be considered “in compliance,” and fines can be levied against a business or its owner if they fail to comply. 

Financial solvency:

If breached, a business has a whole host of other problems that will impact its bottom line. This usually involves hiring additional personnel to investigate the breach, stop it, and prevent it from happening in the future. It may have to pay for a forensic investigation, data recovery services, credit monitoring for impacted parties, and more.

Customer trust:

Companies invest a lot of resources in expanding their customer base, and even more in retaining and upselling to existing customers. This is because they know that these customers can easily leave: a data breach is an easy way to convince customers to go elsewhere, where their credit card information, address, or other sensitive data will be secure. Surveys reveal that 64% of consumers confess to be unlikely to do business again with a company from which their personal data was stolen.

Customers put a lot of trust in the online businesses they book their travel with, providing them with personal data and sensitive payment information with every transaction. Earning customers’ trust is critical for maintaining a long-lasting relationship, and once lost, earning it back is a very difficult task. 

Damage to brand reputation:

To protect the brand and ensure a safe browsing experience, companies must establish and maintain a strong website security posture. Reputation is a fragile thing – it takes years to build, and moments to destroy. When a breach occurs, the target audience feels betrayed and angry. The initial cost can be seen in the form of lawsuits, but there is a far greater cost that can last years. Furthermore, this can negatively affect the business reputation of each person on the executive team and hinder their future endeavors. Stocks drop, the team is affected, and revenues plummet. Unlike a fine, which can be paid and forgotten, reputation cannot be fixed so easily.


Source Defense  helps Travel, Ticketing & Aviation websites balance superb customer experience and high conversion alongside critical security, without compromising website performance or stability. We use real-time JavaScript sandboxing technology to create virtual pages that isolate the 3rd party scripts from the website. The virtual pages are an exact replica of the original pages, excluding what the 3rd parties are not supposed to see. We monitor all 3rd party script activities on the virtual pages. If the activity is within the premise of what they are allowed to do, we will transfer it from the virtual page to the original one. If not, we will keep their activity on the virtual pages isolated from the user and send a report to the website owner, alerting them of the 3rd party scripts that had violated their security policy. This is real-time prevention eliminates the 3rd party’s ability to interact directly and maliciously with the page.