Nations around the world are racing to acquire COVID-19 vaccines and assemble digital infrastructure and web applications to enable appointment booking. As they do this, Imperva Research Labs has monitored a staggering 372% increase in bad bot traffic on healthcare websites globally since September 2020.
In February 2021, bot traffic soared 48.8%, the largest increase over the past year, reaching an unprecedented level over the 12-month average.
The growing trend of bad bot traffic on healthcare websites comes at a time when countries are beginning to expand vaccination operations and make appointments available to more of the population. As they do, more people are traversing the Internet, trying to find information about where and when they can get their essential vaccination.
In recent weeks, vaccine websites from Massachusetts to Minnesota have crashed, with an innumerable amount of that traffic potentially coming from bots. While some helpful services use automation to determine vaccine availability, that traffic is still not human and would be classified as bot traffic. And remember: checking for inventory is a very common use case for bots in many parts of the global economy.
What’s the Motive?
In recent months, automated bots were to blame for the scarcity of new gaming systems for purchase, and even for limiting the availability of paper goods for purchase online. Ticketing for concerts or sporting events has long struggled with inventory checking and inventory hoarding bots. While these use cases are specific to certain industries, the same logic can be applied in a scenario where a limited quantity of vaccine appointments is made available on a website. According to Imperva research, gaming console bots scan web pages at a rate of more than once per second. Unlike humans, who have other responsibilities, bots can keep up this activity all day, around the clock.
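A site operator can look for that polling pattern in ordinary access logs. The sketch below is an added example, not Imperva's code or detection method: it flags clients whose requests to an availability endpoint arrive no more than one second apart for a sustained period. The endpoint path, the 30-second duration threshold and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical endpoint name; substitute the path your booking page polls.
AVAILABILITY_PATH = "/api/appointments/availability"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield (client_ip, epoch_seconds) for GETs to the availability endpoint."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["path"].split("?")[0] == AVAILABILITY_PATH:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts.timestamp()

def sustained_pollers(lines, max_gap=1.0, min_duration=30.0):
    """Return {ip: longest_run_seconds} for clients whose requests arrive
    no more than max_gap seconds apart for at least min_duration seconds."""
    hits = defaultdict(list)
    for ip, t in parse(lines):
        hits[ip].append(t)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        run_start, longest = times[0], 0.0
        for prev, cur in zip(times, times[1:]):
            if cur - prev > max_gap:
                run_start = cur          # gap too long: the run is broken
            longest = max(longest, cur - run_start)
        if longest >= min_duration:
            flagged[ip] = longest
    return flagged

def sample_log():
    """Constructed sample: one steady poller, one human, one short burst."""
    def line(ip, sec):
        return (f'{ip} - - [01/Mar/2021:09:{sec // 60:02d}:{sec % 60:02d} +0000] '
                f'"GET {AVAILABILITY_PATH}?site=12 HTTP/1.1" 200 512')
    bot = [line("203.0.113.7", s) for s in range(0, 61)]
    human = [line("198.51.100.20", s) for s in (5, 45, 130)]
    burst = [line("192.0.2.15", s) for s in (10, 11, 12, 13, 14)]
    return bot + human + burst

if __name__ == "__main__":
    print(sustained_pollers(sample_log()))
```

Keying on source IP is a simplification; bots that spread requests across many addresses need a different client key, such as a session token or device fingerprint.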
While it’s hard to determine the precise motive of these bad bots, there are a few scenarios that could play out in the coming months as vaccines become even more readily available.
- Bots make it harder for humans to access appointment sites: Not every bot has malicious intent. Some helpful bots — developed with good intent — will be deployed as a way to scan appointment booking sites to keep citizens apprised of availability. However, automated traffic congests the network’s bandwidth and will make it harder for legitimate users to access the system.
- Increased bot traffic takes down appointment sites: As human users and bots flood websites at elevated levels, many domains will crash because of the increased levels of traffic. In technical terms, excessive inventory checking leads to an application denial of service for all users. While large retail pharmacies have the infrastructure to sustain higher volumes of traffic, smaller institutions and local government sites do not have the resources to maintain uptime in these conditions. As already evidenced, that could result in appointment sites being temporarily down.
- Bots reserve appointments while human users wait online for their turn: The most nefarious of these scenarios is bots reserving legitimate appointments in bulk while human users are left waiting and wondering when they’ll have a turn to access the scheduling tool. Imagine the horror of seeing vaccine appointments available for sale on global marketplaces to the highest bidder. This use case is not unfathomable if you consider what has plagued the ticketing industry for years: bots scoop up a large volume of available seats and resell them illegally at a considerable markup.
With citizens anxiously awaiting updates on when they can get their COVID-19 vaccination, tensions and frustrations are at an all-time high. The growing presence of bots could complicate the process of disseminating these shots in an orderly manner.
Additionally, as public and private institutions are working at breakneck speeds to address the unprecedented situation, it is inevitable that mistakes will be made. Oversights could easily become vulnerabilities for cybercriminals to exploit.
More troubling, opportunistic criminals are monitoring all of this frenzy from the sidelines and will find ways to exploit the chaos. In fact, over the past several weeks, Imperva has seen an indication of human reconnaissance on vaccine appointment scheduling sites, looking at the structure of pages and endpoints. This behavior is a strong indicator of future attacks.
Protect Websites and Critical Functions with Imperva Advanced Bot Protection
The bots visiting healthcare sites are classified as sophisticated bad bots, making them particularly challenging to manage. Imperva offers a best-in-class Advanced Bot Protection solution, able to mitigate the most sophisticated automated threats, including all OWASP automated threats. It leverages superior technology to protect all potential access points, including websites, mobile applications and APIs. And it does so without affecting the experience of legitimate users.
Advanced Bot Protection is a part of Imperva’s Application Security platform. Start your Application Security Free Trial today to protect your website from bots and other automated threats.