An online site used to book COVID-19 vaccines in the London area was attacked by bots, as thousands attempted to register for their vaccine appointments. According to the London Free Press, just before 10:15 a.m., the Middlesex-London Health Unit tweeted the booking system had experienced challenges. “We have addressed the issues and will continue to monitor the booking system closely,” the organization claimed.

Chris Mackie, medical officer of health for London and Middlesex County, said, "The site was attacked by bots this morning. Problem is now fixed. Appointments are still available for those over 75 years. If you have trouble, please be patient and try again.” 

Mackie also claimed the attack was with the same kind of tool used to target sites such as Ticketmaster in order to snatch up large blocks of tickets. “That meant that the website slowed down for a number of people,” he said. When asked if it was possible that someone could be selling those blocks of tickets, Mackie said there wasn't any evidence indicating that one person was booking many appointments. 

According to Edward Roberts, Application Security Strategist, Imperva, “Since February, Imperva Research Labs has monitored an unprecedented 48.8% increase in bad bot traffic on healthcare websites. It was an early indicator that a bot-driven disruption on a COVID-19 vaccine appointment site would happen eventually – especially as the vaccine became available to the general public. While there are many ‘helpful bots’ being deployed to assist people with identifying available appointments, it’s important to remember that when a site is polluted with bots, it slows web performance and makes it harder for legitimate users to access the information or services they need."

Roberts adds, "While large retail pharmacies and health systems might have the infrastructure to sustain higher volumes of traffic, smaller institutions and local governments may not. Maintaining uptime becomes a critical challenge as an influx of bot traffic and human traffic can cause a site to slow down considerable or crash. For organizations managing appointment booking sites, it’s important to monitor and analyze traffic sources, investigate traffic spikes, and proactively block hosting providers and proxy servers known to be used by malicious actors. Managing bot traffic must be a critical consideration for the State and local county to ensure citizens can access the tools they need to book their appointment.”

Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, says, “The latest cyberattack targeting the COVID-19 booking system in London, Ontario, causing several disruptions in the ability to distribute vaccines, is a reminder that some cybercriminals do not care who the victims are or what impact they cause.  This is also a reminder on the importance of strong access security controls to ensure only authorized people can access and to prioritize DDoS protection.  Becoming resilient to cyberattacks must remain a top priority for all services.”

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, explains that there are some good tools and services to mitigate this kind of bot attack. "It seems that the Middlesex-London Health Unit resorted to one of them quickly. The particular difficulties here are:

  1. The accuracy needed to distinct bot traffic from regular traffic as no one really wants to block a human from getting an appointment.
  2. The accuracy of the cleanup of appointments made before the solution was in place, for that same reason.
  3. The motives of the cyber crooks behind the bot attack.

Schrader adds, "If this is motivated by financial gains, that is to ‘sell’ an appointment, the fraudulent part is yet to come as cross checks about eligibility will likely cancel the actual vaccination and the person who ‘bought’ it ends up being the framed one. If the motive is of financial nature, we will - most likely – also see a range of websites offering ‘appointment services’ just to collect names, email addresses, credit cards and other PII/PHI or to distribute malware. Unfortunately, the chances are high that such a watering hole attack will be quite successful, given the anxiety related to the topic. The administration needs to continue in their efforts to report openly and swiftly about such scenarios, especially if the motive is to create distrust and unrest.”

Overall, ensuring a fair and stable vaccine registration process is driven by technology, and ultimately, the availability and integrity of these services, says Jack Mannino, CEO at nVisium, a Falls Church, Virginia-based application security provider. "Denial of Service attacks and exploited business logic flaws can make it difficult or impossible to book an appointment. As these services are being rapidly developed and deployed, these risk scenarios must be baked into threat models and proactive controls must be baked into production implementations.”