NEW YORK / CHICAGO / LOS ANGELES (Reuters) – U.S. retailers and pharmacies like Walgreens and CVS Health are gearing up for a new round of bot attacks by scalpers who hope to snap up nominations for the COVID-19 vaccine, as they did with Sony PlayStation 5s and Nike Sneakers.
For more than a decade, the retail industry has struggled with so-called “climbing robots”, programmed to cut digital lines and snap up limited-supply products in milliseconds after their launch, which are resold with significant markings.
The coronavirus pandemic has exacerbated the problem because the boom in online shopping has expanded the view of money changers into new categories, from fitness equipment to essential goods like toilet paper and detergents. In Britain, money changers who use bots have also stolen online grocery delivery slots reserved for at-risk seniors.
The Joe Biden government said this week that it will soon begin distributing about 1 million doses a week directly to about 6,500 pharmacies in the first phase of a federal program aimed at expanding access to vaccines.
Security companies tracking this activity now warn that US retailers and pharmacies enlisted to play a large role in the spread of the COVID-19 vaccine may be the next target of bot attacks once they start distributing them now. February 11.
These fears stem from problems that retailers faced in the holiday shopping season, when the latest PlayStation and Microsoft Xbox consoles were almost impossible to find because the money changers attacked major retailers.
“The queue jumpers are branching out. Their tools are now being used to target other high-demand items, ”said Matt Gracey-McMinn, head of threat research at bot security firm Netacea.
Walmart told Reuters in December that most “significantly higher” traffic to consoles came from bots, and that the company had to conduct post-sale audits, canceling orders placed by bots and making these products available to regular consumers.
Another attack like the one retailers faced during the holiday shopping season could further complicate a fragile process, where only 32 million doses have been administered since federal regulators in December granted emergency approval for two vaccines, from according to the Centers for Disease Control and Prevention (CDC).
ENOUGH SLOTS
In recent weeks, people have shared on social media horror stories of attempts to secure vaccination appointments from government sources, with some bots blaming the site for slack locking and theft.
The private sector is preparing for technology problems. “The Walgreens team is working to ensure that only authorized and eligible patients have access to schedule a vaccine appointment,” said Jim Cameli, director of information security for the Walgreens Boots Alliance.
“To that end, security measures, such as bot detection and prevention, will play important roles in delivering this critical service to patients.”
CVS said its program could prevent bot attacks. “Our vaccination tagging site has a layered defense that includes features to detect automated cyber attacks, such as botnets. These features, along with our application design and user input validation, allow us to validate legitimate users, ”said a CVS Health spokesman.
When asked if it was concerned about bots attacking Covid-19 vaccine nominations, Walmart said it “would focus on safety and any necessary mitigation steps that would help us provide fair and equitable vaccination registrations.”
Walmart said in a blog on Tuesday that, as of the end of next week, as soon as the retailer receives doses from the federal government at selected pharmacies in 22 states, customers eligible for the vaccine can use a scheduling tool to book online consultations “while the distribution lasts. “
These sites, however, make retailers easier targets for bots than states that deal with vaccine appointments, said two cybersecurity experts.
Securing commitments through local governments requires a more complicated process of navigating different sites. This makes it more difficult for people and bots to complete the process.
The complexity of securing government vaccine nomination, even without explicit evidence of bots tampering with the process, inspired some programmers to create site monitoring programs like Georgia Vax, Visualping and NYC Vaccine List, which alert people to nominations available at local level for free.
The National Association of Chain Drug Stores (NACDS) said in a media call on Friday that the Centers for Disease Control and Prevention (CDC) plans to launch the “Vaccine Finder”, a tool that the health organization “developed over over time “to help those eligible to locate the vaccine.
The CDC was not immediately available for comment.
“It would be difficult for someone to really make a lot of money by attacking states because each county is different,” said Ben Warlick, an Atlanta lawyer who has written appointment monitoring bots for free to help people get the vaccine. “Creating a large national system would be very difficult to configure.”
But for retailers, the threat is real.
“Several of our clients came to us concerned about the daunting dilemma they will face: how do we manage vaccine appointments without being interrupted by automated bot attacks?” said Edward Roberts, an expert at the security company Imperva.
He added: “The dam will explode as soon as vaccines are available to all citizens”
Reporting by Melissa Fares, Richa Naidu and Lisa Baertlein; Editing by Kenneth Li, Vanessa O’Connell, Aurora Ellis and Nick Zieminski