Automating COVID vaccine sign-ups with browser emulation.
Across the US, vaccine distribution is being facilitated through online forms like the one shown below.
The key strength of these sign-up forms, their simplicity, could be turned into a significant weakness. Automated web traffic can work through the process faster than any real human feasibly could, making your state’s vaccine sign-up no different than a pre-COVID rush to buy tickets off of Ticketmaster.
The team here at IPM performed a short analysis to assess the risk that states could be enabling scammers and scalpers to grab much-needed vaccine slots. A few states are already issuing warnings about scams related to COVID vaccines, and we expect that scalping vaccine slots could be a natural progression for malicious actors.
Specifically, we wanted to check whether the various sites across US states were blocking traffic from one popular browser automation suite, Selenium. This tool would be used to continually drive traffic to sign-up sites, immediately completing the confirmation flow the moment they became available.
Sadly, out of the 40+ states hosting their own online sign-up systems, only one blocked this type of traffic: Minnesota.
Commercial providers, who we expected to have more experience dealing with malicious traffic, fared similarly. We tested 6 national providers (Costco, CVS, Hy-Vee, Meijer, Walgreens, Walmart) and only one, Meijer, successfully blocked Selenium traffic.
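For site operators, the following added example (not code from IPM or from any of the tested sites) shows how a sign-up backend could score a submission for the automation signals discussed above before confirming a slot. The field names (`webdriver`, `renderedAt`, `submittedAt`), the 4-second threshold, the allow/challenge/block policy and the sample submissions are all assumptions made for illustration.

```javascript
// Added example: server-side scoring of a sign-up submission.
// Field names, threshold and policy are assumptions, not any site's real logic.
const MIN_HUMAN_FILL_MS = 4000; // assumed floor for a person completing the form

function automationSignals(sub) {
  const reasons = [];
  // navigator.webdriver is true in browsers driven through WebDriver (Selenium).
  // A small page script reports it with the form; it is client-reported,
  // so it is treated as one signal among several.
  if (sub.webdriver === true) reasons.push("webdriver-flag");
  // Headless Chrome names itself in its default User-Agent header.
  if (/HeadlessChrome/i.test(sub.userAgent || "")) reasons.push("headless-ua");
  // renderedAt should come from the server (e.g. a signed form token),
  // never from the client. Missing timestamps count as suspicious.
  const elapsed = sub.submittedAt - sub.renderedAt;
  if (!Number.isFinite(elapsed) || elapsed < MIN_HUMAN_FILL_MS) {
    reasons.push("too-fast");
  }
  return reasons;
}

function decide(sub) {
  const reasons = automationSignals(sub);
  let action = "allow";
  if (reasons.includes("webdriver-flag") || reasons.length >= 2) {
    action = "block";
  } else if (reasons.length === 1) {
    action = "challenge"; // e.g. CAPTCHA or a queue, rather than a hard block
  }
  return { action, reasons };
}

// Constructed sample submissions (timestamps in milliseconds).
const CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0 Safari/537.36";
const samples = [
  { id: "typical-person", webdriver: false, userAgent: CHROME_UA, renderedAt: 0, submittedAt: 42000 },
  { id: "selenium-default", webdriver: true, userAgent: CHROME_UA, renderedAt: 0, submittedAt: 900 },
  { id: "headless-slow", webdriver: false, userAgent: "Mozilla/5.0 HeadlessChrome/88.0", renderedAt: 0, submittedAt: 30000 },
  { id: "autofill-person", webdriver: false, userAgent: CHROME_UA, renderedAt: 0, submittedAt: 2500 },
  { id: "no-timestamps", webdriver: false, userAgent: CHROME_UA },
];

for (const s of samples) {
  const { action, reasons } = decide(s);
  console.log(`${s.id}: ${action} [${reasons.join(", ")}]`);
}
```

The single-signal cases are challenged rather than blocked, which keeps a fast autofill user from being turned away outright.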
All in, it appears that across the country vaccine sign-up sites leave themselves vulnerable to automated traffic and while there’s a cost/benefit tradeoff to anti-bot measures