Sporting Fans Heavily Targeted by Bad Bots This Summer

  • Bad bot activity rose on sporting and betting sites during sporting events such as Tour De France, EURO 2020 and the Tokyo Olympics.

    Imperva Research Labs has revealed that punters were left at risk of account takeover (ATO) attacks, leaving their digital wallets vulnerable to exploitation. Alarmingly, during the Tokyo Olympics, the company saw a spike in search engine impersonators during the first week and by week two, it grew by 103% above average.

    “Bad bots typically masquerade as legitimate users to remain undetected,” explained Imperva researchers in a blog post. “Incoming traffic to sporting sites saw an unusual 48% increase in Yahoo impersonators, 66% increase in Baidu impersonators and 88% increase in Google impersonators.

    “Imperva Research Labs also found ATO attacks grew 43% the week prior to the start of the Olympic Games, and spiked 74% during the first week of competition.”

    In the run up to the EURO 2020 football tournament, the organization monitored a 96% year-on-year increase in bot traffic on global sporting sites. ATO attacks also spiked by two or three times the daily average on the days when England played.

    Imperva also monitored a pattern of attacks getting larger as the tournament progressed with a notable peak occurring at the start of the Round of 16 teams.

    A similar trend was spotted at the beginning of the Tour De France—bot activity on sporting and gambling sites spiked 52% as the race was scheduled to begin.

    “Bot comment spammers were pervasive, with traffic increasing 62%,” the blog post stated. “The spammers took advantage of the interest in the event to post comments in Russian about an array of topics including: adult sites, crypto, coupons/discounts, casino sites and loans and investment opportunities.”

    ATO attacks are a type of fraud where cyber-criminals use a botnet to gain illegal access to accounts that belong to other users. According to Imperva, this is usually achieved through brute force login techniques such as credential stuffing, credential cracking or a dictionary attack.

    “Gambling sites are a lucrative target for account takeover attacks because user profiles often have financial information or even funds stored,” explained the blog post. “A successful account takeover can result in financial fraud, theft of personal data or sensitive business information.”

    According to the Imperva Bad Bot Report 2021, websites face an ATO attack 16% of the time. The report also found that one third of all login attempts in 2020 were malicious. With the English Premier League and other elite football leagues in Europe set to begin playing matches and the Beijing 2022 Winter Olympics and football World Cup in Qatar on the horizon, the organization is concerned that the threat of bad bots targeting fans during these global sporting events is likely to grow.

    “The bad bot problem is increasingly complex as automated web activity accounted for more than a quarter of all web traffic in 2020,” Imperva added in its blog post. “This trend is likely to grow as fans spend more time online searching for scores, placing bets and engaging in sport community forums. To mitigate automated threats across web, mobile and APIs, companies must take proactive steps to keep their users’ data secure.”

    The organization advises that sporting and betting sites should block or CAPTCHA outdated user agents and browsers, block known hosting providers and proxy services, monitor for failed login attempts and evaluate a bot protection solution such as web application and API protection (WAAP).