
4/15/2021
04:20 PM

Pandemic Pushes Bot Operators to Redirect Efforts

As demand for travel, lodging, and concerts plummeted in 2020, bot traffic moved to more popular activities, such as e-commerce, healthcare, and government sites.

Shifts in consumer activity due to the coronavirus pandemic altered the activity of automated software programs, also known as bots, in 2020, according to a new Imperva report.

Healthcare and gambling sites saw notable increases in bots — both those labeled "good" and "bad" by the web application security firm. Bots accounted for 35% of traffic to healthcare sites, up from 21% in 2019, and 34% of traffic to gambling sites, up from 19% in 2019. While bot traffic to healthcare sites climbed throughout the year — almost quadrupling by the end of 2020 — both e-commerce and government sites saw a significant increase only in the last quarter.


The surge in bots to e-commerce sites coincided with the release of next-generation gaming consoles, while the influx of traffic to government sites may be related to the US elections, says Edward Roberts, director of strategy at Imperva.

"The model here is that bots will go wherever they can make money," he says. "And we expect them to jump to other industries, if there is high demand — and if it is something vital or life-threatening, then [how we respond] becomes even more important."

The report focuses on bad bots, which the company sees as a threat to its customers. 

Some of the automated activity would likely be considered malicious by most observers. Hustlers who use automation to hoard in-demand items and gouge consumers, and cybercriminals who use bots to attempt credential-based attacks such as credential stuffing or password spraying, both operate bad bots that most would also consider malicious.

Imperva calls such bots "the pandemic of the Internet."

"Bad bots interact with applications in the same way a legitimate user would, making them harder to detect and block," Imperva states in the report. "They enable high-speed abuse, misuse, and attacks on your websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities."

The report found that the actual pandemic affected bot operators in different ways. Changes wrought by stay-at-home orders offered new opportunities for those who wanted to use automation to collect data, while closing off other opportunities. Ticket scalpers, who usually descend on popular concerts to buy tickets, found themselves suffering diminished profits, for example.

"[T]he pandemic resulted in a reduction of traditional scalpers' sources of income," the report stated. "Concerts and sporting events were canceled or took place without live audiences."

Yet, at the same time, a variety of goods — from masks to gaming consoles — became the target of scalpers and hoarders. And with supply chain disruptions causing shortages, scalpers also found additional opportunities to hoard desired goods and bilk consumers.

The divide between good bots and bad bots is pretty fluid because much of the Internet relies on bots. Search firms crawl websites to create indexes and deliver results for specific queries. Other companies rely on scraping data from sites to offer consumer services. While businesses may want to block the leak of such information, most other Internet users would not consider these activities to be bad. In fact, a US appeals court upheld the legality of data analytics firm HiQ Labs scraping data from LinkedIn in a 2019 ruling.

However, from a business perspective, any activity that is not human is often considered bad. Anti-bot service provider Kasada clarified that "if you're serving up traffic to bots, you're spending money on infrastructure, systems, tools, and personnel that you shouldn’t have to."

However, Imperva's report warned — without evidence — that increased activity to healthcare sites could presage the hoarding of vaccine appointments. Noting the existence of sites such as TurboVax, which uses automated scanning to help people find open vaccine appointments, the company raised the question of whether scammers could use bots to reserve, and then resell, time slots for vaccine appointments. 

"These helpful bots were created with good intentions, but it’s not far-fetched to imagine others creating similar tools in order to sell the appointment to the highest bidder for the opportunity to jump the queue," the report states.

Asked about the statements, Roberts clarified that the company had actually dismissed the theory.

"People aren't hoarding vaccine appointments — we put that [question] to ourselves and that doesn't seem that they could resell those slots," he says. "I think it is more people creating these helpful bots to try and help people and help society get over this once in a lifetime pandemic."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
