Bots appear to be flooding the Internet. According to Thales subsidiary Imperva’s brand new Bad Bot Report, nearly half of all internet traffic comes from bots, 32 percent of which are malicious. Total bot traffic is up two percent from last year and the highest percentage ever measured since Imperva began monitoring it in 2013.
The proportion of malicious bot traffic increased in 2023 for the fifth consecutive year. In 2022, it stood at 30.2 percent. That means a sizable portion of internet traffic comes from digital criminals, hackers, or state actors whose bots scour the internet in search of victims. Automated traffic generates billions of dollars in damages annually from attacks on websites, APIs, and applications, Imperva said.
It’s good to point out that bots are not necessarily always malicious. Consider the well-known Google ‘robots’ that crawl websites to index them or bots that measure site performance.
Malicious bots however, are widely used to hijack accounts, the report states. As many as 44 percent of such account takeover (ATO) attacks targeted API endpoints (a specific functionality or resource available through the API). These were primarily accounts for financial services, travel and business services.
Of all internet login attempts, 11 percent were related to account takeovers. Government websites (75.8 percent of traffic), entertainment (70.8) and financial services (67.1) were the most frequent targets of the most sophisticated category of bots, i.e. those that mimic human behaviour and bypass defence mechanisms.
APIs are a popular target
APIs are also popular targets, accounting for 30 percent of all automated attacks. According to the report, they are attractive targets for cybercriminals because they serve as a direct route to sensitive data and are susceptible to abuse of business logic.
Not all bots are necessarily sophisticated. According to Imperva, generative AI is increasing the number of simple bots. Web scraping bots and automated crawlers pluck data from the Internet to train AI models. In addition, non-technical users can use generative AI and LLMs to generate malicious automated scripts.
By 2023, malicious bots posing as mobile user agents represented 44.8 percent of all malicious bot traffic. Five years ago, that figure was 28.1 percent. Cybercriminals use mobile user agents in conjunction with consumer and mobile providers to evade detection, making their traffic appear to come from legitimate IP addresses assigned to consumers.
More bots than people on the Internet
Nanhi Singh, director of Application Security at Imperva, puts it bluntly: “The percentage of automated bot traffic will soon exceed that of human Internet traffic. This requires a change in the way organizations approach the development and security of their websites and applications.”
According to Singh, bot traffic negatively impacts organizations’ bottom lines and reduces the quality of their online services. He advocates that organizations proactively address the threat of malicious bots, such as by investing in API security tools.
Malicious bot traffic is most prevalent in Ireland, Germany and Mexico, accounting for 71, 67.5 and 42.8 percent of Internet traffic, respectively. In the United States, the percentage is also up, from 31.1 percent in 2022 to 35.4 percent in 2023. It should be noted that the report distinguishes between traffic from bots and targeted attacks by bots. In terms of attacks, the U.S. takes the top spot with a whopping 47 percent of the total number of attacks on websites. The Netherlands ranks no. 2 in this regard, with 9 percent of attacks.
The 2024 Bad Bot Report can be downloaded here.
Also read: Thales buys security company Imperva for 3.3 billion euros