Nearly half of internet traffic came from bots in 2022, a 5% increase over the previous year, Imperva, a data and application security vendor, said in its newly released 2023 Imperva Bad Bot Report.
The global analysis of automated bot traffic across the internet showed that the proportion of human traffic sank to 53%, the lowest level in eight years, Imperva said.
Billions of dollars are lost annually as a result of automated attacks on organizations’ websites, infrastructure, APIs, and applications through account compromise, data theft, spam, higher infrastructure and support costs, customer churn, and degraded online services.
Bad Bots Becoming Harder to Detect
Here are some key findings from the report:
- Bad bots are increasingly sophisticated and harder to detect. In 2022, bad bots classified as “advanced” accounted for more than half (51%) of all bad bot traffic; in 2021 that share was 26%.
- Account takeover attacks increased 155% in 2022. Some 15% of all login attempts in the past 12 months, across all industries, were classified as account takeover.
- Cyber criminals use bad bots to facilitate credential stuffing and brute force attacks, as automation can cycle through credentials quickly until successful.
- In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. A business logic attack exploits flaws in the design and implementation of an API or application with the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts.
- Travel (25%), retail (21%), and financial services (13%) experienced the highest volume of bot attacks. Meanwhile, healthcare and law & government saw a considerable jump in the volume of bad bot attacks in 2022. Gaming (59%) and telecommunications (48%) had the highest proportion of bad bot traffic on their websites and applications.
- Of the 13 countries analyzed in the report, seven had bad bot traffic levels that exceeded the global average of 30%. Germany (69%), Ireland (45%), and Singapore (43%) ranked in the top three, while the U.S. also exceeded the average at 32%.
- One in five bad bots used Mobile Safari as their browser of choice in 2022, up from 16% in 2021. Updated browsers offer privacy settings that obfuscate bad bot behavior, making it harder for organizations to detect and stop automated traffic.
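The report's account takeover and credential stuffing findings describe two login-traffic shapes a defender can look for: one source cycling through many different usernames with a high failure rate, and one account being probed once each from many sources (the IP-rotation tactic the report also notes in its history section). The following is an added example, not code from Imperva or the report, that scores a constructed batch of login events for both shapes and tallies how many of the flagged events self-reported a Mobile Safari user agent. The event tuple layout, the thresholds and the function name `analyze` are all assumptions made for the example.

```python
"""Score login events for credential stuffing and distributed account probing.

Added example (not from the Imperva report). Events are (src_ip, username,
outcome, user_agent) tuples; thresholds are illustrative assumptions and should
be tuned against a site's own baseline before use.
"""
from collections import defaultdict

# Constructed user-agent strings for the sample data, not captured traffic.
MOBILE_SAFARI_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                    "Version/16.0 Mobile/15E148 Safari/604.1")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Firefox/110.0"

# Constructed sample of login events (24 in total), not real logs.
SAMPLE_LOGINS = (
    # One source trying many different accounts: the credential-stuffing shape.
    [("203.0.113.7", f"user{i}@example.test", "fail", MOBILE_SAFARI_UA)
     for i in range(12)]
    + [("203.0.113.7", "user12@example.test", "success", MOBILE_SAFARI_UA)]
    # One account probed once each from many sources: the distributed shape.
    + [(f"198.51.100.{i}", "victim@example.test", "fail", DESKTOP_UA)
       for i in range(1, 9)]
    # Ordinary users: one typo, then success.
    + [("192.0.2.10", "alice@example.test", "fail", DESKTOP_UA),
       ("192.0.2.10", "alice@example.test", "success", DESKTOP_UA),
       ("192.0.2.11", "bob@example.test", "success", DESKTOP_UA)]
)

# Assumed thresholds for the two detections.
MIN_ATTEMPTS = 10        # minimum login attempts from one IP to consider it
MIN_DISTINCT_USERS = 8   # distinct usernames from one IP -> stuffing shape
MIN_FAIL_RATIO = 0.8     # share of failures expected from a stuffing source
MIN_DISTINCT_IPS = 5     # distinct IPs failing against one username


def analyze(events):
    """Return flagged sources, targeted accounts and summary counts."""
    by_ip = defaultdict(list)           # ip -> list of event indices
    fail_ips_per_user = defaultdict(set)  # username -> IPs that failed on it
    for idx, (ip, user, outcome, _ua) in enumerate(events):
        by_ip[ip].append(idx)
        if outcome == "fail":
            fail_ips_per_user[user].add(ip)

    flagged = set()  # indices of events attributed to automation

    # Shape 1: one IP, many usernames, mostly failures.
    stuffing_ips = []
    for ip, idxs in by_ip.items():
        users = {events[i][1] for i in idxs}
        fails = sum(1 for i in idxs if events[i][2] == "fail")
        if (len(idxs) >= MIN_ATTEMPTS
                and len(users) >= MIN_DISTINCT_USERS
                and fails / len(idxs) >= MIN_FAIL_RATIO):
            stuffing_ips.append(ip)
            flagged.update(idxs)

    # Shape 2: one username, failures spread across many IPs.
    distributed_targets = [u for u, ips in fail_ips_per_user.items()
                           if len(ips) >= MIN_DISTINCT_IPS]
    for idx, (_ip, user, outcome, _ua) in enumerate(events):
        if outcome == "fail" and user in distributed_targets:
            flagged.add(idx)

    # The user agent is self-reported, so it is a tally here, not a signal.
    mobile_safari_flagged = sum(
        1 for i in flagged
        if "Mobile" in events[i][3] and "Safari" in events[i][3])

    return {
        "stuffing_ips": sorted(stuffing_ips),
        "distributed_targets": sorted(distributed_targets),
        "flagged_events": len(flagged),
        "total_events": len(events),
        "mobile_safari_flagged": mobile_safari_flagged,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGINS)
    share = result["flagged_events"] / result["total_events"]
    print(f"stuffing sources:     {result['stuffing_ips']}")
    print(f"distributed targets:  {result['distributed_targets']}")
    print(f"automation share of login attempts: {share:.0%}")
    print(f"flagged events claiming Mobile Safari: "
          f"{result['mobile_safari_flagged']}/{result['flagged_events']}")
```

The ratio of flagged to total events is the per-site counterpart of the report's figure that 15% of login attempts were classified as account takeover. The two thresholds deliberately work together: a source that rotates IPs to stay below `MIN_ATTEMPTS` still surfaces through the per-username check, which is why the user agent is only tallied and never trusted as a detection input.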
Karl Triebes, Imperva senior vice president and general manager of application security, cautioned organizations to be aware of the “rising volume” of internet bad bots:
“Year-over-year, the proportion of bot traffic is growing and the disruptions caused by malicious automation result in tangible business risks — from brand reputation issues to reduced online sales and security risks for web applications, mobile apps and APIs. Businesses need to act now and invest in bot management and online prevention that can identify and stop sophisticated automation that targets APIs and application business logic.”
Rise of the Bad Bots
The report also documents milestones in the evolution of bad bot technology. Highlights include:
- The EarthLink Spammer, one of the world’s first botnets, was discovered in 2000. It was created by a single individual and sent over a million emails as part of a phishing scam.
- In 2014, Imperva monitored one of the first examples of bots exploiting mobile browser settings to more easily scrape data. This was an early indicator that bot operators were adapting for mobile web and application environments.
- In 2015, the sophistication of bad bots soared 11%. Bot operators used a single bot to cycle through many IP addresses to make a single request while disguising their identity.
- In 2016, as mobile device usage grew, bad bots quickly adapted. For the first time, mobile Safari was one of the leading self-reported user agents, while the volume of bots claiming to be mobile browsers increased 42.78%.
- In 2020 and 2021, bad bots became the pandemic of the internet as automation became more sophisticated. Through inventory hoarding and scraping, bots made it harder for humans to purchase gaming consoles or schedule COVID-19 vaccine appointments.
Triebes explained the evolution of bots across the internet:
“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years. Cyber criminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”