Across Europe, the EURO 2020 tournament captivated fans over the past month, with Italy ultimately defeating England to take home the cup on July 11. As fans eagerly watched the matches, Imperva Research Labs was busy monitoring activity that wasn’t happening on the playing field — but across a range of sporting and gambling sites across the United Kingdom and Europe.
Imperva Research Labs discovered a rise in bot traffic on global sporting sites by 96 percent year-over-year in the weeks preceding the start and throughout the tournament. This is a 26 percent increase over April 2021 alone! British and German sports gambling websites in particular were targeted. Imperva recorded upwards of 35K bad bot requests per hour on a certain gambling website around certain matches. On another betting website, Imperva researchers saw upwards of 52K bad requests per hour. All attempts were mitigated by Imperva’s Advanced Bot Protection.
Sports betting and gambling websites are lucrative targets for cybercriminals, given the amount of money that flows in and out of the online platforms on a regular basis. User accounts are a prime target as they have prize winnings or funds stored.
Automated threats are a cause for concern
As highlighted in the Imperva Bad Bot Report 2021, automated threats are a cause for concern — with 27.7 percent of traffic to online gambling sites coming from bad bots. Meanwhile, sports websites had 33.3 percent of their traffic comprised of bad bots. Taking a closer look at the correlation between bot attacks and the timing of attacks can provide valuable insights into what these bad actors are after, as well as how their tactics are evolving. Similar to product launches in the e-commerce industry, bot traffic on sports betting websites is time-sensitive. Investigating their targets reveals what exactly they were hoping to achieve.
Taking over accounts
Like many other business sectors, the biggest automated threat to the sports betting industry is account takeover (ATO). During the tournament, we identified significant bad bot activity on the login endpoint of a certain sports betting website. The attackers were using a “low and slow” type of attack, where the number of requests remains within the threshold, to mimic legitimate login traffic in an attempt to avoid triggering security rules.
The signature identity theft attack of the digital age, account takeover makes use of bad bots to gain illegal access into user accounts. This is achieved by performing brute force style attacks such as credential stuffing and credential cracking to target login pages. The goal? All potential forms of cash found within accounts, from stored credit card information to gift cards and loyalty points. Successful attacks lead to devastating results, from financial fraud to theft of Personally Identifiable Information (PII) and other sensitive information.
A more specific problem for sports betting websites is scraping, mainly odds scraping. On a certain sports betting website, we have recorded a more elaborate case, where bad bots targeted the APIs directly, with a peak that saw over 68K requests per hour. Specifically, they were targeting the very path that provides the odds for a given event. Why are odds sought after by bad bots? By gathering odds from multiple sports betting websites across the web, the operators of these bad bots are able to obtain valuable insights. These insights can then help them more accurately predict match results as well as assist them in making a decision of where they should be placing their bets, thus maximizing profits.
Another form of account fraud that’s common in the sports betting and gambling industry is promotion abuse. Say you’re offering a special promotion for the Euro 2020 tournament, where new, first time users get free credits to start with. Bad bots are then used to perform large-scale account creation in order to abuse that promotion and capitalize on those free credits.
The side effects of ill-managed bot traffic can be just as severe as those of direct ones. In some cases it may even outweigh them. Slowdowns, poor website performance and the risk of potential downtime are all by-products of the abnormal amount of requests to the web server by bad bots. In an industry where latency and website performance are mission critical, this can mean loss of immediate revenue, poor customer experience, brand damage, customer churn and more.
While the Euro 2020 tournament might have just come to a close, the 2020 Tokyo Olympic Games are on the horizon, and bad bots are showing no signs of slowing down anytime soon.
Protect your business from automated threats with Imperva
Imperva’s Advanced Bot Protection safeguards your most valuable assets from bad bots. It protects websites, mobile applications and APIs from all OWASP automated threats, including account takeover, web scraping and online fraud. Most importantly, it does so without affecting your legitimate users in the process, ensuring business continuity and peace of mind. Imperva is your ally in the war on bots. With Our Analyst Managed Services by your side, with years of experience in stopping bad bots, you are never alone in the fight against bots.
Advanced Bot Protection is a part of Imperva’s WAAP (Web Application and API Protection) platform. Start your Application Security Free Trial today to protect your assets from Grinch bots and other automated threats.
Get the latest from imperva
The latest news from our experts in the fast-changing world of application, data, and edge security.