Vaccine Rollout Spurs 372% Rise Bad Bots; Spear-Phishing Up 26%

March 05, 2021 - The vaccine rollout has spurred an increase in nefarious activities tied to the response. Imperva found a whopping 372 percent surge in bad bot traffic against healthcare sites, while Barracuda detected a 26 percent rise in spear-phishing attacks tied to the COVID-19 vaccine.

The reports are upheld by Check Point data, which revealed a significant rise in domains using the word “vaccine” in the title amid the global vaccine rollout. Researchers documented 7,056 new vaccine-related domains in the last four months, with 294 deemed potentially dangerous.

Overall, the researchers saw a 300 percent increase in the number of domain registrations, with a 29 percent spike in websites deemed potentially dangerous.

Combined with earlier reports on the rise in social engineering using COVID-19 vaccine lures and the increase in attacks on web applications tied to healthcare, as well as the continued targeting by ransomware threat actors -- the healthcare sector should be on heightened alert.

Check Point found campaigns that impersonate the Centers for Disease Control and Prevention, which asked users to input their Microsoft credentials. Though the main domain was created last year, it’s believed that the campaign reemerged in January 2021.

READ MORE: Netwalker Ransomware Site, Emotet Botnet Taken Down in Global Effort

Vaccine-related spear-phishing has also been amplified in two key methods: brand impersonation and business email compromise, according to Barracuda. Hackers are using the momentum generated by the vaccine news coverage as lures in mass phishing campaigns.

The brand impersonation campaigns impersonate well-known entities and include a link to a phishing website advertising early access to vaccines. Other models impersonate healthcare professionals requesting personal information to check for vaccine eligibility. Another scam offers a vaccine appointment in exchange for a payment.

The business email compromise attempts typically impersonate employees asking for an urgent favor while the employee is getting a vaccine. Researchers also observed the BEC attacks impersonating human resource specialists notifying employees of vaccine availability.

Hackers use the successful phishing attempts as a foothold onto the network, then conduct reconnaissance activity before launching targeted attacks.

“More often than not, they use these legitimate accounts to send mass phishing and spam campaigns to as many individuals as possible before their activity is detected and they are locked out of an account,” researchers explained.

READ MORE: 50% Phishing Emails Seek Credential Theft, as Malware Delivery Declines

“That’s why when looking at these lateral phishing attacks overtime, there are these huge spikes of activity. Interestingly, vaccine-related lateral phishing attacks spike around the same time as major COVID-19 vaccines are announced and approved around the world,” they added.

The Rise and Risk of Bad Bot Traffic

Bad bots interact with applications in similar ways to legitimate users, which allows attackers to better evade detection.  The bots enable high-speed abuse, misuse, and attacks on websites, apps, and even APIs.

Successful exploits can allow bot operators to perform a host of malicious activities, including brute-force attacks, data harvesting and mining, fraud, spam, and web scraping.

Imperva saw the greatest increase in bad bot traffic during February of this year at 48.8 percent., which is largely attributed to the vaccine rollout in the US.

“The growing trend of bad bot traffic on healthcare websites comes at a time when countries are beginning to expand vaccination operations, and making appointments available to more of the population,” explained Edward Roberts, senior director of product marketing at Imperva.

READ MORE: 70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point

“As they do it, more people are traversing the internet and trying to find information about where and when they can get their essential vaccination,” he added. “While there are even some helpful services created that determine vaccine availability by using automation, this behavior is still not a human, and would be classified as a bot. And remember: checking for inventory is a very common use case for bots in many parts of the global economy.”

Imperva researchers warn that as the vaccine rollout continues over the next few months, these bots may make it increasingly difficult for individuals to access appointment sites.

Though not all bots have malicious intent, the automated traffic brought on by those seeking appointment availability -- combined with bad bot traffic -- can potentially congest network bandwidth and make it harder for legitimate users to make an appointment.

The increased traffic may also result in domain crashes brought on by excessive inventory checking. This may also cause application denial-of-service for all users. Larger retail pharmacies may be able to withstand the bandwidth while smaller entities and local government sites may see issues due to a lack of resources to maintain these sites.

Lastly, bad bots may reserve legitimate appointments in bulk, leaving legitimate users without access.

“Imagine the horror of seeing vaccine appointments available for sale on global marketplaces to the highest bidder. This use case is not unfathomable, if you consider what has plagued the ticketing industry for years,” Roberts warned. “Bots scoop up a large volume of available seats and resell them illegally at a considerable markup.”

“With citizens anxiously awaiting updates on when they can get their COVID-19 vaccination, tensions and frustrations are at an all time high. The growing presence of bots could complicate the process of disseminating these shots in an orderly manner,” he added.

Healthcare entities should review free resources from MITRE and the Center for Internet Security to bolster defenses. A number of federal agencies and researchers have also provided training, phishing, and even tactical response guidance, which providers should review to ensure best practice defenses have been properly implemented across the enterprise.