Bots Are Scalping Israeli Government Services
Executive summary
Akamai researchers have been monitoring a bot operation that takes advantage of Israeli citizens who need services from various government agencies.
More than 700,000 Israelis are seeking an appointment for a passport renewal, creating a backlog of months at the Ministry of Interior.
A group of developers created a bot to secure appointments through MyVisit, the appointment scheduling platform used by some Israeli government offices, and released it for free public use.
Soon after, a different group made their own bot to scalp and sell MyVisit appointments for various government services, including at the Ministry of Interior, the Ministry of Transport, National Insurance, Israel Post, the Electricity Company, and more. Each appointment sells for more than $100.
MyVisit tried to mitigate the bots with a CAPTCHA, which the threat actors’ bot bypassed within days.
Hindering these bots effectively requires a more comprehensive approach of the kind offered by bot-management products, which combine a variety of measures: device fingerprinting, browser validation, and JavaScript challenges on the client side, and machine learning models that analyze and classify the collected data on the back end.
Introduction
Scalper bots are a notorious hazard for online shoppers around the globe. Whether it’s gaming consoles, hyped sneakers, collectibles, or graphics cards, any limited-edition item is a target for scalpers who profit by reselling to consumers who are less technologically equipped.
In Israel, however, a threatening new scalping market has emerged, this time for government services. Instead of being gouged on concert tickets priced well above face value, Israelis are effectively being swindled over the services of everyday life. This scalping market can do significantly more damage than spoiling a holiday.
In this blog post, I will explain where this threat began, where it currently stands, and the danger it poses for Israel and beyond.
The rush for passports
One of the largest effects that COVID-19 had on our lives was the immediate shutdown of recreational travel. Fortunately, travel has now revived somewhat, and this is where the tale begins. After being effectively stuck at home for more than two years, millions of Israelis are itching to travel abroad and searching for their long-forgotten passports, and hundreds of thousands are discovering that those passports are about to expire. The post-pandemic Ministry of the Interior, understaffed and unprepared, has been overloaded by the surge of vacation-hungry Israelis. With a backlog of more than 700,000 applications, a labor dispute, and the Foreign Ministry running out of passports, it’s a difficult time for travel in and out of Israel.
So, how are Israelis obtaining these coveted documents? To secure an appointment for passport renewal, one repeatedly checks the online appointment website MyVisit, which releases new slots at 7 AM, and hopes to find an available appointment somewhere. Many people waited for months, and traveled across the country, for the appointments they needed.
A few developers came up with a better solution: an appointment scheduling bot named GamkenBot. Armed with your contact information and preferred location, the bot polls the scheduling system and books an available slot as soon as it opens. It was released for public use and widely welcomed, and its creators soon became champions of the people in the battle against bureaucracy.
Greedy business arises
Unfortunately, most things that can be used for good can also be used for ill. Rather quickly, others began turning the same idea to profit, scalping these prized appointments and selling them to desperate citizens.
On May 10, shortly after the launch of GamkenBot, a Telegram channel called MyVisit Appointments Group was launched. The Ministry of Interior is not the only government office that relies on MyVisit’s appointment system, and so the Telegram group offers appointments not only for passport renewal, but also for the Population Authority, Israel’s Electricity Corporation, the National Insurance, Israel Post, the Ministry of Transportation, and more. The admins claim to be a group of developers whose bot scans for open appointments and instantly books them, after which they are offered for sale. Discounts are even provided for buyers of two or more appointments.
And so, essential government services have become a traded commodity. Extorting citizens who seek essential services is bad enough, but this weakness has a much graver implication for national security, which I address later in this post.
The developers of these bots claim to be performing a service for their customers. In reality, their business is no different from reselling scalped sneakers or concert tickets: they place themselves between the provider and the consumer and charge a fee for a transaction that could have been made without their interference.
MyVisit, the appointment scheduling system, is used by various government offices to make their services more accessible. Because it was deployed without effective protection against automation, however, the system has amplified the very problem it was created to solve. The result is that financial, administrative, and other services essential to people’s lives are effectively being held for ransom.
A national security risk
Distressingly, the implications don’t end with citizens being bamboozled out of basic government services. A bot that can book every open slot for resale can just as easily book them and never release them. This could open the door for any hostile or chaotic entity to shut down not only the Ministry of Interior’s passport line, but also the registration of truck and bus drivers at the Ministry of Transportation, any visits to the National Insurance or Electricity Company, and more. What if this list expanded to include doctors’ appointments or hospital procedures?
Mitigating the threat
MyVisit tried to block the bots by embedding a CAPTCHA on the booking page, but it took bot developers mere days to get past it. Ultimately, CAPTCHA is not an anti-bot solution on its own, because it can be defeated with relatively simple techniques, such as automated solvers, human solving farms, or token harvesting (solving the challenge out of band and replaying the resulting token), depending on the CAPTCHA difficulty and the threat actor’s motivation.
In the early days of bots, many could be detected by simple HTTP header anomalies, such as a missing or inconsistent User-Agent. Nowadays, however, bots have evolved to mimic human interaction expertly. Beating modern bots takes the far more advanced measures used by bot management products: device fingerprinting and behavioral analysis are combined with machine learning models that are fed billions of requests every day to detect trends and anomalies. As bot developers learn to manipulate their browsers’ environment and mimic human behavior, threat researchers constantly work to improve detection, looking for attribute tampering, traces of automation, and emerging evasions.
Eventually, any anti-bot protection can be bypassed by a threat actor with enough motivation and resources, at least at small scale. The bar should nevertheless be placed as high as possible, and we must keep raising it. In this respect, at least, some government offices appear to be well behind sneaker companies.
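To make the detection side of the two paragraphs above concrete, here is an added example, written for this post and not code from Akamai, MyVisit, or any bot-management product, that scores request logs for three of the signal families just mentioned: header anomalies, tampered or inconsistent browser attributes reported by a JavaScript challenge, and machine-regular request cadence against the slot-release endpoint. The log format, field names, thresholds, the plugin-count heuristic, and the three sample clients are all assumptions constructed for the example.

```python
"""Toy bot-signal scorer over constructed appointment-site access logs (example only)."""
import json
import statistics
from collections import defaultdict

# Constructed sample data: three clients hitting the availability endpoint around
# the 07:00 slot release. Timestamps are seconds since local midnight (25200 = 07:00).
CHROME_WIN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36")
HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/102.0.0.0 Safari/537.36")


def _entry(client, ts, ua, lang, webdriver, platform, plugins):
    # Assumed log schema: one JSON object per request, with the headers the edge saw
    # and the attributes a JavaScript challenge reported back for that request.
    return json.dumps({"client": client, "ts": ts, "path": "/api/slots", "ua": ua,
                       "accept_language": lang,
                       "js": {"webdriver": webdriver, "platform": platform, "plugins": plugins}})


SAMPLE_LOG = "\n".join(
    # c1: a person refreshing a few times with irregular gaps
    [_entry("c1", t, CHROME_WIN_UA, "he-IL,he;q=0.9", False, "Win32", 5)
     for t in (25203.4, 25251.9, 25338.2, 25402.7)]
    # c2: headless Chrome polling twice a second, no Accept-Language, webdriver exposed
    + [_entry("c2", 25199.0 + 0.5 * i, HEADLESS_UA, None, True, "Linux x86_64", 0)
       for i in range(8)]
    # c3: spoofed Windows Chrome UA, but JS reports a Linux platform, no plugins,
    # and a near-constant 1.0 s polling cadence
    + [_entry("c3", 25200.0 + 1.0 * i + 0.01 * (i % 2), CHROME_WIN_UA, "en-US,en;q=0.8",
              False, "Linux x86_64", 0) for i in range(8)]
)


def header_signals(e):
    """Cheap, request-level header anomalies."""
    s = []
    ua = e["ua"]
    if "HeadlessChrome" in ua or ua.lower().startswith(("python-requests", "curl/")):
        s.append("automation-user-agent")
    if not e.get("accept_language"):
        s.append("missing-accept-language")  # every mainstream browser sends it
    return s


_UA_PLATFORM = {"Windows NT": "Win", "Macintosh": "Mac", "Linux": "Linux"}


def fingerprint_signals(e):
    """Cross-check what the User-Agent claims against what the JS challenge observed."""
    s = []
    js = e["js"]
    if js.get("webdriver"):
        s.append("navigator-webdriver")  # set by WebDriver-driven browsers
    for ua_token, js_prefix in _UA_PLATFORM.items():
        if ua_token in e["ua"] and not js.get("platform", "").startswith(js_prefix):
            s.append("ua-platform-mismatch")  # attribute tampering: UA and navigator disagree
            break
    # Assumed heuristic: a real desktop Chrome exposes some plugins; headless builds expose none.
    if "Chrome/" in e["ua"] and "HeadlessChrome" not in e["ua"] and js.get("plugins", 0) == 0:
        s.append("no-plugins")
    return s


def cadence_signals(timestamps):
    """Behavioral signal: humans refresh erratically, scripts poll on a timer."""
    s = []
    ts = sorted(timestamps)
    if len(ts) >= 3:
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < 0.05:  # coefficient of variation
            s.append("machine-regular-cadence")
        span = ts[-1] - ts[0]
        if span > 0 and len(ts) / span > 1.0:  # more than one request per second, sustained
            s.append("high-request-rate")
    return s


def score_clients(log_text):
    """Aggregate per-request and per-client signals; two or more independent signals => bot."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            by_client[e["client"]].append(e)
    report = {}
    for client, entries in by_client.items():
        signals = set()
        for e in entries:
            signals.update(header_signals(e))
            signals.update(fingerprint_signals(e))
        signals.update(cadence_signals([e["ts"] for e in entries]))
        report[client] = {"signals": sorted(signals),
                          "verdict": "bot" if len(signals) >= 2 else "human"}
    return report


if __name__ == "__main__":
    for client, verdict in score_clients(SAMPLE_LOG).items():
        print(client, verdict["verdict"], verdict["signals"])
```

Every one of these signals can be spoofed in isolation (a patched driver hides `navigator.webdriver`, a headless build can present a normal User-Agent, a bot can add jitter to its timer), which is exactly why the text above describes combining fingerprinting and behavior with back-end models rather than relying on any single check. The thresholds here are illustrative; in practice they are tuned against real traffic.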
Conclusion
Bots offer some significant advantages to modern society. The bot that helped citizens find appointments, for example, was well received precisely because it was genuinely useful to them. Chatbots and helper bots are intended to make our lives easier, and despite some minor annoyances, they often do.
As technology advances, increasingly complicated tasks can be automated and delegated to bots. While these bots spare us tedious work and let us take on greater challenges, they also present malevolent possibilities. To protect the integrity of life online, we must be able to identify and classify bots, and keep them away from where they don’t belong.