Not all bots are bad; some index web content, others provide chat functions for business customers, and you may come across bots that run checks to find you the best product deals. However, so-called 'bad' bots can also be programmed to perform brute-force attacks, disrupt web services, and more.
Scalpers fall into the second category. While not usually dangerous, scalpers will crawl online services to book and purchase products far more quickly than a human can. Scalpers may target high-demand concert tickets, gaming consoles, and other products, allowing their operators to resell them for a profit.
Now, scalpers are also abusing government services.
On June 23, Akamai researchers said that bots are being used to snap up coveted appointment slots offered by Israeli government services. Unfortunately, these slots are gold dust, with an estimated 700,000 citizens trying to secure an appointment for passport renewal alone, not to mention the demand for appointments relating to transport, utilities, the post office, and national insurance.
According to the researchers, numerous bots have been trained upon MyVisit, a platform used to select and book appointment slots.
The first bot in circulation was released to the public for free by a group of well-meaning developers. Dubbed GamkenBot, the bot was usable by anyone willing to provide their preferred appointment location and contact information.
However, profiteering scalper variants soon emerged, with the development of bots to grab appointments for passports, alongside a variety of other government services.
Instead of waking up at 7am every morning and hoping to secure a slot, and sometimes waiting months before being successful, citizens are taking second place behind scalp bots that automatically scan and grab appointments released through MyVisit. The operators then sell them on for over $100 each – when they should be free.
The operators might say they are performing a service but, as the researchers note, the scalpers have turned a government service that citizens already pay for through taxation into "traded commodities," with essential services being held to "ransom."
MyVisit is not blind to scalping activities and has tried to stop the bots by implementing CAPTCHAs. However, it took mere days for this system to be circumvented.
The problem is that today's bots avoid being blocked by mimicking human behavior and interactions. Therefore, a CAPTCHA barrier is not enough; for now, the bots continue their profiteering.
"To beat today's modern bots, much more advanced measures are utilized by bot management products," Akamai commented. "Device fingerprinting and behavioral analysis are combined with machine learning models, fed with billions of requests every day to detect trends and anomalies. Any anti-bot protection can be passed by a threat actor with enough motivation and resources, at least at small scale. However, the bar should be placed as high as possible, and we must always raise it higher."