U.S. retailers and pharmacies like Walgreens and CVS Health are preparing for a fresh round of “bot” attacks by scalpers hoping to snap up COVID-19 vaccine appointments, just as they hoarded Sony PlayStation 5s and Nike sneakers.
For over a decade, the retail industry has battled so-called “scalper bots,” programmed to cut digital lines and snap up limited-supply products within milliseconds of their release; those products are then resold at significant mark-ups.
The coronavirus pandemic exacerbated the problem because the boom in online shopping expanded scalpers’ sights to new categories from fitness equipment to essential goods like toilet paper and detergents. In Britain, scalpers using bots have also snatched online grocery delivery slots reserved for at-risk senior citizens.
The Joe Biden administration said this week that it will soon start distributing about 1 million doses per week directly to about 6,500 pharmacies in the first phase of a federal program that aims to expand access to vaccines.
Security companies that track this activity now warn that U.S. retailers and pharmacies enlisted to play a big role in COVID-19 vaccine dissemination could be the next target of bot attacks as they begin distributing as early as Feb. 11.
These fears stem from problems retailers have faced this past holiday shopping season, when the latest PlayStation and Microsoft Xbox consoles were nearly impossible to find because scalpers attacked major retailers.
“Queue-jumpers are branching out. Their tools are now being used to target other high-demand items,” said Matt Gracey-McMinn, head of threat research at bot security firm Netacea.
Walmart told Reuters in December most of the “significantly higher” traffic for the consoles came from bots, and that the company had to conduct after-sale audits, canceling orders placed by bots and making those products available to regular consumers.
Another attack like the one retailers faced over the holiday shopping season could further snarl a fragile process where just 32 million doses have been administered since federal regulators in December granted emergency approval to two vaccines, according to the Centers for Disease Control and Prevention (CDC).
Not Enough Slots
In recent weeks, people shared on social media networks horror stories of attempting to secure vaccination appointments from government sources, with some blaming bots for site crashes and stolen slots.
The private sector is girding for tech problems. “The Walgreens team is working to ensure only authorized and eligible patients will have access to schedule a vaccine appointment,” said Jim Cameli, Walgreens Boots Alliance’s Chief Information Security Officer.
“To do so, security measures such as bot detection and prevention will play key roles in delivering this critical service to patients.”
CVS said its program could thwart bot attacks. “Our vaccination appointment site has a layered defense that includes capabilities to detect automated cyber attacks, such as botnets. Those capabilities, together with our application design and user input validation, enable us to validate legitimate users,” a CVS Health spokesman said.
When asked if it was worried about bots attacking COVID-19 vaccine appointments, Walmart said it would “focus on security and any necessary mitigation steps that help us provide fair and equitable vaccination sign-ups.”
Walmart said in a blog post on Tuesday that, starting late next week, once the retailer receives doses from the federal government at select pharmacies in 22 states, vaccine-eligible customers can use a scheduling tool to lock in appointments online “while allocation lasts.”
Such websites, however, make retailers easier targets for bots than the states currently handling vaccine appointments, two cybersecurity experts said.
Securing appointments by going through local governments requires a more complicated process of navigating different websites. This makes it harder for both people and bots to complete the process.
The complexity of securing vaccine appointments from the government, even without explicit evidence of bots tampering with the process, inspired a few programmers to create website monitoring programs like Georgia Vax, Visualping and NYC Vaccine List, which alert people to available appointments at a local level for free.
The National Association of Chain Drug Stores (NACDS) said on a media call Friday that the Centers for Disease Control and Prevention (CDC) plans to launch “Vaccine Finder,” a tool the health organization has “developed over time” to help those eligible locate the vaccine.
The CDC was not immediately available for comment.
“It would be hard for anyone to really make a lot of money attacking states because every county is different,” said Ben Warlick, an Atlanta-based lawyer who has been writing appointment monitoring bots for free to help people get the vaccine. “Creating a large nationwide system would just be too difficult to set up.”
But for retailers, the threat is real.
“Several of our customers have come to us worried about the frightening dilemma they will ultimately face: how do we manage vaccine appointments without it being upended by automated bot attacks?” said Edward Roberts, a specialist at security firm Imperva.
He added, “The dam will explode once vaccines are available for all citizens.”