The Risk and Challenge of Bad Bot Traffic on Healthcare Sites, Apps

Imperva saw a 372 percent spike in bad bot traffic against healthcare websites and applications in recent months. What’s worse, mitigating the risk will be a massive challenge.

Bad bot traffic disrupts legitimate COVID-19 vaccine application websites

By Jessica Davis

Around the world, healthcare entities are steadily making progress on vaccinating individuals against COVID-19. Many of these providers are relying on technology for vaccine appointment scheduling and even vaccination passports, which has spurred a massive rise in bad bot traffic.

In early March, Imperva data revealed a 372 percent spike in bad bot traffic against healthcare sites in recent months, while Check Point saw a significant rise in domains leveraging the word “vaccine” in the title. The surge in nefarious activity has followed the global pandemic response.

It comes as no surprise that hackers have been leveraging attacks against each step of healthcare’s response to COVID-19.

Fleming Shi, CTO of Barracuda, previously spoke with HealthITSecurity.com and noted the sector has been heavily targeted by impersonation attacks and even documents infected with malicious components, including those tied to botnets.

“A lot of hospitals and medical centers from all over the world and country have been targeted with ransomware attacks in the last year. But if you look at why these attacks happen and the pervasiveness, the data shows that the effectiveness of the attacks has gone up,” said Shi.

“These are driven by very sophisticated, hard to stop kind of botnets,” he added.

For example, some attacks are weaponizing reputable environments. Shi explained that botnets have a command and control center and other protocols that allow bad bots to thrive.

In October, Microsoft succeeded in disrupting the nefarious Trickbot for about a week but the hackers behind the threat were able to revive the trojan and bring the botnets back up.

These are used to attack apps, scrape data from legitimate sites, and even automatically buy hot merchandise. Botnets have even taken it a step further and infiltrated the cloud environments of strong brands.

“There are enough computers in home networks, smart devices, Android systems, and other devices to execute attacks,” explained Shi. “These can launch through phishing attacks from the home network that are never on a block list. It’s based on the threat feed.”

“Those attacks easily get the victims,” he added. “[This year] the attackers are going to continue to target the computer environment and homes to start taking over more devices to make it much harder to deal with in the future.”

What is a Bad Bot or Botnet?

Imperva describes a bot as a software application that runs automated tasks over the internet. Bot use allows for simple tasks to be run at a much higher speed compared to human internet activity.

Legitimate bots are being leveraged in a host of different environments, such as web searches and even appointment scheduling.

“The use cases for bots in healthcare extend beyond nefarious purposes,” said Edward Roberts, application security strategist at Imperva. “Health insurance providers have used bots for competitive intelligence by scraping their competitors’ policies online, and medical listing services often use scraping bots to keep their databases of doctors and specialists up-to-date.”

However, malicious bots are leveraged to automatically scan websites for software vulnerabilities and to execute simple attack patterns.

A botnet refers to malware able to infect end-user devices that are then enlisted by the hacker to communicate with a C&C center to perform automated activities under the attacker’s control -- much like Trickbot.

“Often, the botnet can grow itself, for example by using infected devices to send out spam emails, which can infect more machines,” Imperva researchers explained. “Botnet owners use them for large-scale malicious activity, commonly Distributed Denial of Service (DDoS) attacks.” 

“Botnets can also be used for any other malicious bot activity, such as spam bots or social bots (described below), albeit on a much larger scale,” they added.

Initially, bots were just simple scripts that hit websites to retrieve data or perform other nefarious activities but were easier to detect. Now, bots have become much more sophisticated by accepting cookies and parsing JavaScript to appear legitimate.

Hackers have continued to evolve the threat, using headless browsers like PhantomJS that are able to process complete website content. There are also bots able to mimic human activity.

What’s the Overall Risk to Healthcare?

Over the past year, Imperva Research Labs saw the percentage of legitimate human traffic on healthcare websites decrease. Simultaneously, the percentage of bad bot traffic on healthcare sites increased from 18.9% to 26.8%.

Since February alone, Imperva has seen a 48.8 percent increase in bad bot traffic on healthcare websites. To Roberts, the staggering rate of growth underscores the bot problem in the sector.

Most recently, a bot attack against a Canadian site used to book COVID-19 vaccines slowed down registrations for legitimate vaccine appointments. 

“It was an early indicator that a bot-driven disruption on a COVID-19 vaccine appointment site would happen eventually – especially as the vaccine became available to the general public,” said Roberts. 

“While there are many ‘helpful bots’ being deployed to assist people with identifying available appointments, it’s important to remember that when a site is polluted with bots, it slows web performance and makes it harder for legitimate users to access the information or services they need,” he added.

As such, Roberts stressed the importance of managing the issue in the coming months and into the foreseeable future.

The primary concern with the threat is account takeover attacks carried out by bots. It’s a problem seen in all sectors, Roberts explained. Any site leveraging a login page is continuously bombarded with credential stuffing or cracking attacks.

In fact, Imperva research showed that 34 percent of all login attempts originated from malicious bots last year. Successful exploits can lead to extensive damages, including data theft or the access of personally identifiable information.

What’s more, the elevated level of bad bot traffic monitored by Imperva in the last few weeks and recent months against healthcare websites is a major concern.

“Based on data from customer environments, we believe bot traffic is primarily involved in content scraping of COVID-19 vaccine availability information, and in some cases sharing that over social media as a way to be helpful,” Roberts said.

“According to our systems, we’re seeing as many as 12,000 bot requests per hour on certain sites,” he added. “What’s important to remember is – even if a bot is being ‘helpful’ – that elevated traffic levels, a combination of human and bot traffic, creates downtime and disruption for real human users.”

Further, increased traffic levels can result in site downtime and even increased infrastructure costs due to an entity attempting to sustain uptime in the wake of a persistent and burdensome level of elevated traffic, he explained.

Bots are also able to scrape content, take over or even create accounts, attempt fraud, and deny service or exhaust inventory. Combined with the risk of bots targeted at obtaining health data, Roberts stressed that bots are increasing the potential for fraud.

Past exploits launched via credential stuffing attacks have even led to bots infiltrating accounts. The attacks can then lead to the exfiltration of prescription orders, which are subsequently filled to be later sold illegally.

Mitigation Strategies

Imperva previously shared mitigation strategies that can block at least some bots and reduce entities’ exposure to bad bot traffic. As vaccine rollouts and passports continue to be rolled out across the country, it will be imperative to maintain uptime -- although Roberts stressed it will be a critical challenge for smaller healthcare organizations and even local governments.

To start simply, administrators can place “robots.txt” within the website’s root to define the types of bots allowed to access the site. This is effective for managing crawl patterns of legitimate bots but won’t defend against malicious bots.

By adding CAPTCHA to sign-up, comment, or download forms, entities may also be able to prevent download or spam bots. Administrators can also set a JavaScript alert to act as a buzzer for whenever the tool sees a bot or similar element entering a website.

“For organizations managing appointment booking sites, it’s important to monitor and analyze traffic sources, investigate traffic spikes, and proactively block hosting providers and proxy servers known to be used by malicious actors,” explained Roberts. 

“Managing bot traffic must be a critical consideration for the state and local county to ensure citizens can access the tools they need to book their appointment,” he added.

Worryingly, advanced persistent bots made up the majority of bad bot traffic in the last year. Roberts explained that these are a combination of moderate and sophisticated bots able to mimic human behavior -- thus, harder to detect and stop.

To mitigate these relatively sophisticated threats, entities will need to employ defense tools that can keep pace with the evolving business risk. Roberts recommended that any healthcare entities employing a website or application should invest in advanced bot protection to protect the infrastructure, login pages, and even customers’ data.

Overall, healthcare network administrators should be monitoring and analyzing traffic sources, investigating traffic spikes, and proactively blocking hosting providers and proxy servers with known use by malicious actors.
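A simple form of the traffic monitoring described above, as an added example that is not part of the article or of Imperva's tooling: it parses combined-format web server access log lines, reports clients whose request rate in any sliding window exceeds a threshold, and flags headless-browser user agents such as PhantomJS. The log lines, IP addresses, thresholds and headless markers are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: client, timestamp, request, status, size, referer, user agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Headless-browser markers to flag; PhantomJS is named in the article, the rest is an assumption.
HEADLESS_MARKERS = ("phantomjs", "headlesschrome")

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_spikes(lines, window=timedelta(minutes=1), max_requests=60):
    """Return ({ip: peak requests in any sliding window} above max_requests, {headless-UA ips})."""
    by_ip, headless = defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # keep going past malformed lines
        by_ip[rec["ip"]].append(rec["ts"])
        if any(mk in rec["ua"].lower() for mk in HEADLESS_MARKERS):
            headless.add(rec["ip"])
    spikes = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:   # drop requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            spikes[ip] = peak
    return spikes, headless

# Constructed sample: one scraper polling availability every 10 s, one human visitor.
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Mar/2021:09:00:{s:02d} +0000] "GET /appointments/availability HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 PhantomJS/2.1.1"' for s in range(0, 50, 10)
] + [
    '198.51.100.2 - - [15/Mar/2021:09:00:05 +0000] "GET /appointments HTTP/1.1" 200 4096 "-" "Mozilla/5.0 Firefox/86.0"',
    '198.51.100.2 - - [15/Mar/2021:09:03:40 +0000] "POST /appointments/book HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/86.0"',
]

if __name__ == "__main__":
    print(find_spikes(SAMPLE_LOG, max_requests=3))
```

Clients returned in the first dictionary are candidates for rate limiting or a CAPTCHA challenge, not automatic blocking, since a busy NAT gateway can look similar to a scraper at this level of analysis.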

“More specifically, bot protection needs to include device fingerprinting, to track bot activity across IP addresses, and machine learning, to help establish a baseline for normal behavior and automate detection and response -- easing the burden on security analysts,” Roberts concluded.