A summer of cybercrime reveals evolving bot threats

Fans around the world clamored online, and even in-person, over the past several weeks to enjoy the thrill of competition. From the Tour De France and EURO 2020 tournament in June to the recent Summer Olympic Games in Tokyo, fans were eager to cheer on their nations and make a little money in the process, too.

As fans placed their wagers on individual matches through online betting sites, Imperva Research Labs noticed a suspicious rise in bot activity on both sporting and betting sites, coinciding with these global sporting events. In addition to bot-driven comment spamming and content scraping, Imperva also monitored a rise in account takeover (ATO) attacks — designed to break into accounts and gain access to gamblers’ digital wallets — in the weeks leading up to and during these events.

Tour De France

In June, bot activity on sporting and gambling sites spiked 52% as the race was scheduled to begin. Bot comment spammers were pervasive, with traffic increasing 62%. The spammers took advantage of the interest in the event to post comments in Russian about an array of topics including: adult sites, crypto, coupons/discounts, casino sites and loans and investment opportunities.

EURO 2020

In the weeks leading up to the start of the EURO 2020 tournament in June, Imperva Research Labs monitored a 96% year-on-year increase in bot traffic on global sporting sites. In particular, UK gambling sites were heavily targeted by bot operators in the week before England and Scotland kicked off their respective campaigns. Compared to other days during the tournament, days when the English national team played were particularly high risk, as Account Takeover attacks spiked by 2 or 3 times the daily average. The UK wasn’t the only target: bot traffic on gambling sites in Germany spiked 41% in the week following the country’s defeat of Portugal and leading up to their match with Hungary on June 23. Imperva Research Labs also monitored a pattern of attacks getting larger as the tournament progressed with a notable peak occurring at the start of the Round of 16.

Tokyo 2020 Summer Olympics

During the first week of the Olympic Games, Imperva Research Labs monitored a significant spike in search engine impersonators. Incoming traffic to sporting sites saw an unusual 48% increase in Yahoo impersonators, 66% increase in Baidu impersonators and 88% increase in Google impersonators. As the Olympics rounded into week two of competition, the volume of browser impersonators grew by 103% above average. Bad bots typically masquerade as legitimate users by reporting their user agent as a web browser or mobile device to avoid being detected. The increase may be related to bots either crawling or scraping sites for real-time information.

More alarming was the large increase in web traffic throughout Japan before and during the first week of the Olympic Games, coming from IPs known to perform account takeover attacks. ATO attacks grew 43% the week prior to the start of the Olympic Games, and spiked 74% during the first week of competition.

The Risk for Fans: Fraud

The rise in Account Takeover activity monitored during the EURO 2020 tournament and Summer Olympics is of particular importance and should be a warning signal for any fan that participates in online betting or gambling.

Account takeover is a form of fraud where a cybercriminal uses a botnet to gain illegal access to accounts belonging to someone else. This is usually achieved using brute force login techniques such as credential stuffing, credential cracking or a dictionary attack. Gambling sites are a lucrative target for account takeover attacks because user profiles often have financial information or even funds stored.

A successful account takeover can result in financial fraud, theft of personal data or sensitive business information. On average, websites face an account takeover attack 16% of the time, according to the Imperva Bad Bot Report 2021. Further, Imperva Research Labs finds that a third of all login attempts in 2020 were malicious.

A Growing Bot Problem

The spikes in bot activity seen during some of the world’s largest sporting events in 2021 is evidence of an evolving security threat that continues to pervade daily life. Last year, 33.7% of web traffic to sporting sites was made up of bad bots and 27.7% of all web traffic on gaming and gambling sites was associated with advanced persistent bots (APBs) — traffic that closely mimics human behavior and is harder to detect and stop.

However, this isn’t just a problem for sports and gambling sites. Bots are disrupting industries around the globe, and the bot activity Imperva Research Labs monitored around these sporting events mirrors the disruptions bots are causing in e-commerce and healthcare -- revealed earlier this year in the Imperva Bad Bot Report 2021.

With the UK Premier League and other elite football leagues in Europe set to begin playing matches, and the Beijing 2022 Winter Olympics and World Cup in Qatar on the horizon, the threat of bad bots targeting fans during these global sporting events is likely to grow.

Putting a Stop to Bots

The bad bot problem is increasingly complex as automated web activity accounted for more than a quarter of all web traffic in 2020. This trend is likely to grow as fans spend more time online searching for scores, placing bets and engaging in sport community forums. To mitigate automated threats across web, mobile and APIs, companies must take proactive steps to keep their users’ data secure:

Block or CAPTCHA outdated user agents/browsers: The default configurations for many tools and scripts contain user-agent string lists that are largely outdated. This won’t stop more advanced attackers, but it might catch and discourage some. The risk in blocking outdated user agents/browsers is very low; most modern browsers force auto-updates on users, making it more difficult to surf the internet using an outdated version.
Block known hosting providers and proxy services: Even if the most advanced attackers move to other, more difficult-to-block networks, many less sophisticated perpetrators use easily accessible hosting and proxy services like Digital Ocean, Gigenet, OVH Hosting and Choopa. Disallowing access from these sources can discourage attackers.
Monitor for failed login attempts: Define a failed login attempt baseline, then monitor for anomalies or spikes -- indicators of an attack takeover attempt. Set up alerts so the security team can be automatically notified if any anomalies occur. Advanced “low and slow” attacks don’t trigger user or session-level alerts, so be sure to set global thresholds.
Evaluate a bot protection solution: Bots are increasingly sophisticated and can even mimic human behavior, making it harder to detect and stop the autonomous activity. Only a bot management solution that is integrated within web application and API protection (WAAP) can deliver holistic protection for an organization's website and digital assets. This approach offers protection from the OWASP automated threats that happen around-the-clock without disrupting or impacting legitimate users.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.