The uncontrolled rise of bad bots – Technologist
The 2024 Imperva Bad Bot Report revealed that 49.6% of the global internet traffic came from bots in 2023—a 2% increase over the previous year and the highest level Imperva has reported since it began monitoring automated traffic in 2013. Similarly, the proportion of web traffic associated with bad bots grew to 32% in 2023, up from 30.2% in 2022.
Asia Pacific (APAC) bucked the trend, however, dropping to under 27% (26.6%) in 2023, from 27.9% in 2022 and 34.8% in 2021 – marking a 23.5% decrease over a three-year period.
While this gradual decline indicates potential progress in bot detection and mitigation strategies in the region, it’s noteworthy that bots (good and bad) now comprise over 40% of APAC’s internet traffic, an increase of 15.6% YoY, underscoring the ongoing challenge of managing bot activity.
Reinhart Hansen, director of Technology at Imperva’s Office of the CTO, stressed the critical importance of taking proactive steps against bad bots as they grow in sophistication.
“With attackers increasingly exploiting API vulnerabilities and lapses in business logic guardrails, this proactive stance is essential to prevent data breaches, account takeovers, and large-scale data theft,” he added.
He went on to add that from simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organisation’s bottom line by degrading online services and requiring more investment in infrastructure and customer support.
“Organisations must proactively confront the menace of bad bots as attackers sharpen their focus on API-related abuses that can lead to compromised accounts and data exfiltration,” he added.
Trending in 2024
- The global average of bad bot traffic reached 32%. In APAC, Singapore notably experienced a high level of bad bot traffic, accounting for 35.2%, surpassing the global average. In contrast, Japan recorded the lowest level of bad bot traffic at 17.7%.
- Growing use of generative AI connected to the rise in simple bots: Rapid adoption of generative AI and large language models (LLMs) resulted in the volume of simple bots increasing globally to 39.6% in 2023, up from 33.4% in 2022. Australia, in particular, has a high volume of simple bots (70.6%) – 31% higher than the global average. Singapore, in contrast, is comparatively lower, with 13.1% of simple bot volume. The industries in APAC with the highest proportion of simple bot traffic are Automotive (100%), Telecom and ISPs (77.53%), and Healthcare (68.21%). The technology uses web scraping bots and automated crawlers to feed training models while enabling nontechnical users to write automated scripts for their own use.
- Every industry has a bot problem: For a second consecutive year globally, Gaming (57.2%) saw the largest proportion of bad bot traffic. Meanwhile, Retail (24.4%), Travel (20.7%), and Financial Services (15.7%) experienced the highest volume of bot attacks. The proportion of advanced bad bots, those that closely mimic human behaviour and evade defenses, was highest in Law & Government (75.8%), Entertainment (70.8%), and Financial Services (67.1%) websites. The industries in APAC with the highest proportion of advanced bot traffic are Gaming (86.04%), Financial Services (73.61%), and Gambling (72.64%).
- Account takeover (ATO) is a persistent business risk: ATO attacks increased by 10% in 2023, compared to the same period in the prior year. Notably, 44% of all ATO attacks targeted API endpoints, compared to 35% in 2022. Of all login attempts across the internet, 11% were associated with account takeover. The industries that saw the highest volume of ATO attacks in 2023 were Financial Services (36.8%), Travel (11.5%), and Business Services (8%).
- APIs are a popular vector for attack: Automated threats caused a significant 30% of API attacks in 2023. Among them, 17% were bad bots exploiting business logic vulnerabilities—a flaw within the API’s design and implementation that allows attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts. Cybercriminals use automated bots to find and exploit APIs, which act as a direct pathway to sensitive data, making them a prime target for business logic abuse.
- Bad bot traffic originating from residential ISPs grows to 25.8%: Early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic in the past year, up from 28.1% just five years ago. Sophisticated actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address.
Imperva senior vice president for Asia Pacific and Japan, George Lee says organisations face substantial financial losses every year due to automated traffic, a concern that cuts across all industries. He added that automated bots are on track to outnumber human-generated internet traffic, and with the proliferation of AI-powered tools, their presence is becoming increasingly pervasive.
“It’s imperative for enterprises to prioritise investment in bot management and API security solutions to effectively combat the threat posed by malicious automated traffic,” he advised.