Big uptick in bot traffic jeopardizes vaccine appointments
As COVID-19 vaccine supplies continue to grow, many of the initial logistical hurdles to getting them into arms have been ironed out. But many challenges remain, and some new ones are emerging.
A new report from cybersecurity firm Imperva notes that many websites used to schedule those precious vaccine appointment slots are being bombarded with bad bots – and that's making it that much harder for people to sign up for shots.
WHY IT MATTERS
Imperva Research Labs says it's seen a 372% increase in bad bot traffic on healthcare websites since this past September. And in recent weeks that traffic has only ramped up: In February, it was up 48.8%, the largest increase over the past year, according to the firm.
"In recent weeks, vaccine websites from Massachusetts to Minnesota have crashed, with an innumerable amount of that traffic potentially coming from bots," said Imperva's Edward Roberts in a blog post.
As bots proliferate, Roberts warned of three risks to efficient and effective vaccine scheduling and distribution: scheduling sites becoming slower and more difficult to access, appointment portals being taken offline in DDoS-type swarms, and even bots scooping up appointment slots while humans play by the rules.
"As human users and bots flood websites at elevated levels, many domains will crash because of the increased levels of traffic," Roberts writes. "While large retail pharmacies have the infrastructure to sustain higher volumes of traffic, smaller institutions and local government sites do not have the resources to maintain uptime in these conditions."
Beyond that level of disruption, however, he notes that the chance of seeing appointment slots locked up by bots and made available for sale to high bidders "is not unfathomable, if you consider what has plagued the ticketing industry for years."
THE LARGER TREND
Imperva notes that bad bots aren't the only online risk to vaccine distribution – pointing to other security vendors who have highlighted new activity around phishing campaigns and domain registrations.
We've shown how some Florida counties were using Eventbrite – a platform typically used for events such as concerts – to schedule vaccine appointments, for lack of better options.
We've heard from scheduling tech experts who say that in too many cases, "the technology is just being used wrong."
And we've seen how faulty systems have stymied vaccinations with blocked users, lost registrations, double-booked appointments and website crashes that have lasted for days.
ON THE RECORD
"With citizens anxiously awaiting updates on when they can get their COVID-19 vaccination, tensions and frustrations are at an all time high," said Roberts in the Imperva blog post. "The growing presence of bots could complicate the process of disseminating these shots in an orderly manner.
"More troubling, advantageous criminals are monitoring all of this frenzy from the sidelines and will find ways to exploit the chaos," he added. "In fact, over the past several weeks, Imperva has seen an indication of human reconnaissance on vaccine appointment scheduling sites looking at the structure of pages and endpoints. This behavior is a strong indicator for future attacks."