Bots accounted for nearly half (49.6%) of total internet traffic in 2023, up over 2% from the previous year and the highest level since cybersecurity firm Imperva began measuring it in 2013.
This is according to the 2024 Imperva Bad Bot Report from Thales, a cybersecurity company that secures vital applications, APIs, and data throughout the world.
Bad bots are clever enough to replicate human behaviors, making them notoriously hard to identify and prevent. They attack application business logic by focusing on intended functions and procedures rather than technical weaknesses. The bots also allow for high-speed abuse, misuse, and attacks across websites, mobile applications, and APIs, allowing bot operators, attackers, unscrupulous rivals, and fraudsters to engage in criminal behavior.
In 2023, bad bots accounted for 32% of online traffic, up from 30.2% the year before, while human-generated traffic fell to 50.4%. This automated traffic costs businesses billions of dollars each year since it targets websites, APIs, and applications.
Nanhi Singh, GM of application security at Imperva, a Thales business, underlined that bots are among the most prevalent and rapidly evolving risks across all industries. Bots substantially affect an organization’s bottom line by degrading online services and increasing infrastructure and customer support expenses. The activity ranges from basic site scraping to malicious account takeovers, spam, and denial of service.
“Organisations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration,” said Singh.
The Imperva Bad Bot Report for 2024 highlights the following key trends:
- The global average for bad bot traffic reached 32%, with Ireland (71%), Germany (67.5%), and Mexico (42.8%) reporting the highest percentages. The United States also rose to 35.4% from 32.1% in 2022.
- The increasing use of generative AI and large language models has resulted in a growth in basic bots, which increased to 39.6% in 2023 from 33.4% in 2022. These technologies typically rely on web scraping bots and automated crawlers to collect data for training models, and they allow non-technical users to construct automated scripts.
- Account takeover (ATO) attacks increased by 10% in 2023, with 44% targeting API endpoints, up from 35% in 2022. Overall, account takeovers accounted for 11% of all login attempts, with Financial Services (36.8%), Travel (11.5%), and Business Services (8%) being the most impacted industries.
- In 2023, automated threats accounted for 30% of API attacks, with 17% involving malicious bots exploiting business logic flaws in APIs. Attackers can leverage these vulnerabilities to abuse legitimate functionality and gain access to sensitive data or user accounts.
- For the second year, the gaming industry had the highest share of bad bot traffic (57.2%). Retail (24.4%), Travel (20.7%), and Financial Services (15.7%) were also hit hard by bot attacks. Advanced bad bots, which closely mimic human behavior and evade defenses, were most common on Law & Government (75.8%), Entertainment (70.8%), and Financial Services (67.1%) websites.
- Bad bot traffic originating from residential ISPs increased by 25.8%. These bots frequently pose as mobile user agents, accounting for 44.8% of all bad bot traffic last year, up from 28.1% five years ago. These clever bots use residential or mobile ISPs to avoid detection by appearing to come from legitimate, ISP-assigned residential IP addresses.
Bots are becoming increasingly prevalent in online spaces. For example, during the incident in which a Chinese surveillance balloon flew above the United States and Canada, tens of thousands of bots interacted on the social media platform X, seeking to influence public opinion.
Kathleen Carley and Lynnette Hui Xian Ng of Carnegie Mellon University analyzed approximately 1.2 million tweets from over 120,000 people about the balloon. Using Twitter’s location feature and the BotHunter algorithm, they discovered considerable bot activity, with around 35% of US-geotagged users showing bot-like tendencies. China had an even larger share of bots, at 64%.
Singh stated that “automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way organizations approach building and protecting their websites and applications.”
“Bots will become increasingly prevalent as more AI-enabled solutions are launched. Organizations must invest in bot control and API security technologies to address the threat posed by harmful, automated traffic.”
Source: Marketingtech