Sergey Nivens - Stock.Adobe.com

The Security Interviews: Why helpful bots could hurt vaccine roll-outs

Earlier this year, spikes in traffic to websites containing information about Covid-19 vaccines were attributed by Imperva to automated bots scraping data. Why is that a problem?

Web traffic generated by automated bots hit record highs in 2020, accounting for 40.8% of all internet traffic, up 6.2% on the previous year. That is according to the latest – eighth annual – edition of Imperva’s Bad bot report, which came out in April 2021.

Bad bots take multiple forms, but a variety known as advanced persistent bots (APBs) accounted for the majority of the troublemakers. These bots are primarily responsible for high-speed abuse, misuse and attacks on websites, mobile apps and application programming interfaces (APIs). They mimic human browsing patterns and can be difficult to spot and stop, making them a unique challenge for IT teams trying to keep their networks up and running.

But such bots are not just used to conduct distributed denial of service (DDoS) attacks. Many of them cause havoc in other ways, through price scraping, content scraping and inventory hoarding. Remember how difficult it can be to get hold of gaming consoles ahead of the Christmas holidays, or, in happier times, to score Glastonbury tickets? The problem can be partly attributed to bots.

Edward Roberts, director of strategy for application security at Imperva, has been tracking these bad bots for some time, and since last autumn he has picked up on a troubling trend – a massive increase (372% between September 2020 and February 2021) in potentially disruptive traffic to websites belonging to healthcare organisations and, more recently, the websites of public and private healthcare systems, pharmacies and retailers involved in the supply and administration of Covid-19 vaccines.

This is particularly dangerous because, if things get out of hand, bots could seriously damage the vaccine supply chain by polluting the network and making it harder for legitimate, human users – not being human, bots cannot contract Covid-19 and don’t need to be vaccinated – to access life-saving services.

‘Helpful’ bots

“We are still trying to triangulate what is actually happening,” Roberts tells Computer Weekly, “but one of our guesses is that these bots are going around and scraping the availability of vaccines, or the sites where you can go and get them, in order to repost it somewhere else.”

This theory is backed by data pulled from some of Imperva’s health sector customers, which are seeing elevated levels of scraper bot traffic to pages that contain information on whether or not you are eligible to be vaccinated, where you need to go to get the vaccine, and so on.

Roberts refers to these as “helpful” bots because they were not created with malicious intent, and he reckons it is a surge in activity from so-called helpful bots that is driving this traffic.

So what is the motivation behind the creation of helpful bots? Roberts explains that for regular citizens, who maybe are not the most tech or web-savvy, it can be useful to have access to a single website that simply aggregates the information they are looking for.

“But really, if you think about that website, it’s pulling information from other places,” he says. “That is helpful to the user, but for the company that is actually providing that information it’s a drain on their resources because they’re having to serve that information to bots.

“It’s kind of an interesting question. Is it being done for the greater good? That is why I call them helpful bots. But in reality, if you’re one of these organisations that are being scraped, you are actually expecting a human to be on your website, and this isn’t a human, this is actually a bot.”

Accidental DDoS

The risk inherent in this is that given their presence in sufficient volumes, helpful bots create an unintentional DDoS effect.

“The potential is certainly there to create a denial of service because if bots are scraping every five minutes or every two minutes in high volumes, you’re serving traffic and your infrastructure is being used, from a technical aspect, a lot,” says Roberts.

“We’ve seen that excessive scraping is certainly an indicator and downtime is certainly a proof point of the scraping behaviour that’s happened. You’ve got a finite amount of resources to serve and if they’re being used up by bots, humans can’t get to it.”

Roberts stresses that this is not necessarily malicious behaviour on the part of the bots’ creators, and there is no evidence of bots hoarding vaccination appointments like they might hoard concert tickets. “It sounds awful to hoard a vaccine appointment, and it’s not beyond the realms of possibility, but it does beg the question: where do you sell an appointment and what is the monetary value? It seems weird to me, and I’m not sure it makes sense,” he says.

Malicious traffic

That is not to say there are no scenarios in which malicious bot traffic could hamper the global roll-out of Covid vaccines, says Roberts, but the likely scenario here would be one where, for example, a vaccine was withdrawn from the market, or other issues in the supply chain caused scarcity, creating a honeypot for cyber criminals and scammers taking advantage of pent-up demand and desperation. That said, scarcity of vaccines is not the issue right now, so again it is hard to envisage this happening at this stage of the roll-out.

Nor, he adds, are malicious DDoS attacks designed purely to knock websites offline a particular concern.

“You hear a lot about ransom DDoS and attacks where they say ‘we’re going to bring your network down unless you pay us a certain fee’,” he says. “It’s a very different problem, because that’s more of a volumetric issue – we just want to take you off the internet, basically, and flood your pipes with traffic, which means nothing moves.

“That’s always a potential threat and you see that continuously around the world, but it’s more of a one-off thing, whereas the bot behaviour we see with the vaccines is happening every minute, every second.”

Be prepared

It’s not just healthcare organisations that need to be aware of this activity – any organisation can be affected by bots, so there are lessons in Imperva’s findings that are universal, says Roberts.

“Businesses that are in healthcare, or are providing vaccines or support for vaccinations, might not have considered the volume of traffic that might be headed their way, because they typically wouldn’t be seeing that level of traffic,” he says.

“The volume of traffic, collectively, is going to tax services, and what we’re hearing from our customers is that they want to prepare themselves for the growth of traffic, and prepare their infrastructure with enough capacity so that they can handle any surges, whether those be humans or bots. You’ve now got to serve a lot more traffic and have a lot more capacity in your infrastructure.”

Read more on IT risk management