According to the 2023 Imperva Bad Bot Report 47.4% of all internet traffic worldwide came from bots, up 5.1% from last year. In contrast human traffic (52.6%) has decreased to its lowest level in eight years.
The report noted that for the fourth consecutive year, the volume of bad bot traffic – malicious automated software applications capable of high-speed abuse, misuse, and attacks – grew to 30.2% globally (27.9% in APAC), a 2.5% increase over 2021.
The staggering level of bad bot activity across the internet in 2022 was the highest since the creation of the Imperva Bad Bot Report in 2013. Malicious bot activity is a significant risk for businesses as it can result in account compromise, data theft, spam, higher infrastructure and support costs, customer churn, and degraded online services. Collectively, billions (USD) are lost annually because of automated attacks on organisations’ websites, infrastructure, APIs, and applications.
They are everywhere
Majority of countries have a bad bot problem. Of the 13 countries analysed in the report, more than half (7) had bad bot traffic levels that exceeded the global average of 30.2%. Germany (68.6%), Ireland (45.1%), and Singapore (43.1%) ranked in the top three, while the US also exceeded the average at 32.1%.
Bad bots are a cross-industry, cross-functional problem. Their ability to perform various malicious actions at a capacity and velocity that is downright impossible for a normal human being makes them an ideal tool for high-speed abuse, misuse, and attacks.
Travel (24.7%), retail (21%), and financial services (12.7%) continue to experience the highest volume of bot attacks. Meanwhile, healthcare and law & government experienced a considerable jump in the volume of bad bot attacks in 2022. Gaming (58.7%) and telecommunications (47.7%) had the highest proportion of bad bot traffic on their websites and applications. Taken together, bots are a growing problem for all industries.
In APAC, the top 3 industries with the largest share of bad bot traffic in 2022 were Gaming (71.8%), telecom & ISPs (59.4%), and food & beverage (51.5%).
“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” says Reinhart Hansen, director of technology, Office of the CTO at Imperva.
"Cybercriminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years."
Reinhart Hansen
Key findings of the report
Bad bots are increasingly sophisticated and harder to detect. In 2022, the proportion of bad bots classified as “advanced” accounted for more than half (51.2%) of all bad bot traffic globally. In comparison, the level of bad bot sophistication in 2021 was 25.9%. This is a concerning trend for businesses as advanced bad bots use the latest evasion techniques and closely mimic human behaviour to evade detection by cycling through random IPs, entering through anonymous proxies, and changing identities.
In APAC, the highest proportion of advanced bots was found in the Society (97.9%), travel (79.8%) and financial services (70.4%) sectors, respectively.
Account takeover (ATO) attacks increased by 155% in 2022. Further, 15% of all login attempts in the past 12 months, across all industries, were classified as account takeover. Cybercriminals use bad bots to facilitate credential stuffing and brute force attacks, as automation can cycle through credentials quickly until successful. These attacks have the potential to lock customers out of their accounts, provide fraudsters with sensitive information, contribute to business revenue loss, and increase the risk of non-compliance.
Bad bots target APIs to abuse business logic and compromise accounts. In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. A business logic attack exploits flaws in the design and implementation of an API or application with the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts. Further, 35% of account takeover attacks in 2022 specifically targeted an API. When APIs are called programmatically, attackers can easily automate the process of attempting to take over an account without triggering any alarms.
Browser settings disguise bad bot behaviour: One-in-five bad bots used Mobile Safari as their browser of choice in 2022, up from 16.1% in 2021. Updated browsers offer privacy settings that obfuscate bad bot behaviour, making it harder for organisations to detect and stop automated traffic.
“Every organisation, regardless of size or industry, should be concerned about the rising volume of bad bots across the internet,” continued Hansen. He added that year-over-year, the proportion of bot traffic is growing and the disruptions caused by malicious automation result in tangible business risks -- from brand reputation issues to reduced online sales and security risks for web applications, mobile apps, and APIs.
"Businesses need to act now and invest in bot management and online prevention that can identify and stop sophisticated automation that targets APIs and application business logic,” he concluded.