Governments, Take Note: Bad Internet Bots Are on the Rise

New data from Imperva suggests government websites may be at higher risk of being targeted by “bad bots” as the pandemic continues, but experts say there’s plenty agencies can do to be prepared.

A new report from IT security company Imperva indicates that COVID-19 helped give birth to a historic amount of nonhuman activity on the Internet. The report is based on global customer data from the company, which serves about 6,000 organizations across the world.

“In 2020, bad bot traffic has maintained its upwards trend, amounting to 25.6 percent of all traffic, a new record,” the report said. “Combined with good bot traffic, 40.8 percent of Internet traffic this past year wasn’t human, as human traffic decreased by 5.7 percent to 59.2 percent of all traffic.”

Bad bots, as defined by the report, are “software applications that run automated tasks with malicious intent over the Internet.” These bots do a variety of things, from scraping public information to taking over accounts to identifying in-demand goods that can be bought up and resold at higher prices.

Although other industries, like telecommunications and sports, experience more bad bot traffic in general on their sites compared to the public sector, government sites in 2020 had the second-highest percentage of traffic from “sophisticated” bots at 15.3 percent, according to the report. Unlike regular bots that follow automated scripts, sophisticated bots attempt to mimic humans with behaviors like pauses and nonpatterned mouse movements.

“They are purposely trying to evade detection and appear like a human on a machine,” said Edward Roberts, Imperva’s bot expert.

WHAT BOTS WANT FROM GOVERNMENT


Roberts said governments should be less concerned about the technology behind bad bots and more focused on the offerings of their websites. Ask a simple question: What would someone want to take from a government site? Roberts mentioned the examples of business registration and COVID-19 testing location lists, which contain information that can be repackaged and sold.

“Government sites have so much information like that that people are constantly scraping it to get the latest data,” he explained.

Roberts added that even if bots appear to be benign or just gathering helpful information for the public, they are there to "make money or commit fraud or do something that you haven’t authorized if you’re the owner of the website."

Imperva’s customer data showed a massive spike in bad bot activity on government sites during the second half of 2020. According to a chart in the report, the increase started in September and rose steadily from there, reaching a peak in November. Did the spike have something to do with the election? Imperva couldn’t make a definite conclusion, but the larger point is that motives behind bad bots vary.

Working in the election battleground state of Arizona, Lester Godsey, chief information security officer for Maricopa County, had a very watchful eye for potential online threats last year. He shared a story about suspicious activity during the election cycle that involved bots.

“We caught through intelligence sharing with one of the fusion centers in the U.S. that there was some odd behavior or traffic on a very common platform that was utilized primarily by government agencies for sharing of information with the public,” Godsey said. “We followed up on that and … found evidence that bots were auto-registering accounts on this platform — tens of thousands of registrations. What our fear was was that those bots were being leveraged to create these accounts so that they could start spreading misinformation and disinformation on that platform.”

One can’t help but think of state unemployment insurance systems when considering potential government targets for bad bots. During an interview with Government Technology last year, Anne Perreira-Eustaquio, director of the Hawaii Department of Labor and Industrial Relations, said her state’s UI system was plagued by bots.

“It would kick our claimants out of the system,” she said. “The front-end security would be compromised with these bots. We had to find a way to prevent the bots from coming in. That was a big deal for us upfront because the workload was already high. The hits to the mainframe was already high, and then we had all of these bots trying to hit the mainframe as well.”

Perreira-Eustaquio added that bots compromised the state’s call center as well. She heard from a contractor that some claimants were purchasing bots in order to “make many, many calls to the call center so they can get to the front of the line.”

Roberts said account takeovers by bots can happen to any sector, government included. He referred to this phenomenon as “the problem of credentials.”

“You have a login page, we can guarantee you have bots on it,” Roberts stated.

PROTECTION AGAINST BOTS


One important principle of cybersecurity, whether you’re a protector or a villain, is identifying vulnerabilities. Phil Bates, chief information security officer for Utah, advises governments to take advantage of Shodan, a free search engine that hackers often use to find vulnerable targets. Many times, criminals won’t send bots until after they scan and determine weak points in systems. Shodan allows one to search URLs, geographic areas, Internet of Things devices and more.

“It’s a good way to get some outside visibility of what people are seeing on our network … Without something like this, you don’t really have a good idea if you have holes in the fence,” Bates said.

Godsey said it’s important for governments to remember that it’s not just information that can attract bots. Sometimes an organization itself becomes a target because of the attention it draws. As an example, Godsey pointed out that he knew Maricopa County elections would be a target because of the significance attached to Arizona as a key election state. Social media monitoring can be a great way to gauge how others view an organization.

“That definitely is something to take into consideration when you’re trying to calculate risk … Social media is just something that needs to be part of every organization’s DNA, government in particular,” he said.

Roberts said a good defense against bots amounts to how well one understands the use cases for bots. One should also realize that bots are everywhere and that they cause issues in a very different way than a single data breach.

“You’re scared for that one moment [like a big breach], but bots are happening now,” Roberts warned.

Bates said it’s better not to rely on one technology or one system of protection. When one uses layers of protection, it makes life more complicated for threats like bots. Finally, Bates emphasized the importance of observing basic cyber hygiene, whether it be multifactor authentication, which is particularly important for single sign-on systems, or addressing known limitations in software.

“If you would just update or patch, these things wouldn’t become a problem for you,” Bates stated.

Jed Pressgrove has been a writer and editor for about 15 years. He received a bachelor’s degree in journalism and a master’s degree in sociology from Mississippi State University.