The 2022 Imperva Bad Bot Report has some eye-opening findings, with the lead item being that bad bot traffic is coming close to overtaking human activity on the internet.
Bot traffic made up 42.3% of all internet activity in 2021, up from 40.8% in 2020. Bad bot traffic is nearly double that of the so-called “good bots” that perform legitimate functions such as indexing and automated responses.
After a lull of several years, bad bot traffic on the rise again
Bot traffic last outpaced human traffic on the internet in 2014, the year this annual Imperva study began. A surge of majority human traffic that followed, up to 62% at times, was due largely to significant suppression of bad bots (those that operate with malicious intent). These troublesome bots have been on the rise again since 2019, however, now once again vastly outpacing their “good” counterparts and threatening to dominate the internet once again.
As the report notes, there is a direct correlation between bad bot activity and rates of cyber crime. Bad bots are usually the first element of an attack plan, whether that is surveillance of a target network or attempts to compromise accounts. Other functions that qualify for bad bot status include scalping retail items, scraping content from websites, distributed denial of service (DDoS) attacks, and “inventory denial” schemes in which hot items are tied up in virtual shopping carts to manipulate prices or deny sales to competitors.
Bad bots have become quite advanced in the past decade, blending in with good bot traffic to evade detection and in some cases employing very sophisticated techniques to mimic human activity. The more advanced of the bad bots can use modified web browsers, imitate human-like mouse movement and clicks, regularly change IP addresses, and time requests to appear more like a legitimate end user. These particular bots, called the “evasive” class, are now the majority of bad bot traffic at 65.6%.
Bad bot traffic also tends to vary throughout the year, hitting a peak in December as threat actors attempt to exploit holiday shopping. This continued to be the case with bad bot traffic accounting for 30% of all internet activity in December 2021, up from 24% at the beginning of the year.
Certain industries are also highly targeted, and saw substantial increases in bad bot traffic in 2021. Sports, gambling and food & beverage sites all saw jumps of over 20% compared to 2020’s bot traffic. The most sophisticated of the bad bots have increasingly turned their attention to travel, retail, automotive, education and government websites.
There is also a strong regional disparity in bot traffic. The United States is the overwhelming favorite for bad bots, drawing 43.1% of their attacks. The next most frequent target is Australia at 6.8%.
Bot traffic increasingly going to account takeover attempts
Much of the uptick in bad bot traffic comes from account takeover activities. These range from the classic “brute force” attacks that sequentially try passwords listed in a dictionary file, to the “credential stuffing” variant that only uses compromised logins taken from data breaches. These types of attacks increased by 148% in 2021, and over 65% of them now make use of an “evasive” form of advanced bad bot to get around automated defenses.
Certain countries that are not among the most heavily targeted for overall bot traffic are among those most frequently subject to account takeover attempts: Singapore, France, Puerto Rico and Chile all top the list just behind the US. Financial services and travel sites are also more heavily targeted with these attack types than any other industry, more than double the next category on the list (business services); the most advanced of the bad bots show a strong preference for travel and retail sites. The problem is still tilted heavily toward the US, however, with 22% of the country’s residents (over 24 million households) now estimated to have experienced an account takeover at some point.
The report finds that malicious bot traffic overall is growing in frequency, complexity and intensity. Imperva says that the largest bot attack it has ever recorded took place in January 2022, making use of over 400,000 IP addresses to flood a job listing website with 400 million login attempts over a sustained period. Bad bots are also finding new avenues of attack, such as enrolling in colleges in an attempt to scam them out of grant and financial aid money.
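The account-takeover patterns described above (single-source brute force, distributed credential stuffing, and the evasive trick of spreading attempts across many IP addresses so that no one source trips a rate limit) can be told apart from failed-login records. The following is an added illustration written for this article, not code from Imperva or the report; the login events, IP addresses (documentation ranges) and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed failed-login events, (timestamp_seconds, source_ip, username).
# All addresses are from documentation ranges; nothing here is real traffic.
FAILED_LOGINS = (
    # one source hammering one account every 2s: classic dictionary brute force
    [(t, "203.0.113.9", "alice") for t in range(0, 40, 2)]
    # sixty sources, each trying a different account once: credential stuffing
    + [(t, f"198.51.100.{t}", f"user{t:03d}") for t in range(40, 100)]
    # a couple of ordinary users mistyping a password
    + [(5, "192.0.2.1", "bob"), (50, "192.0.2.2", "carol")]
)


def per_ip_throttle_hits(events, ip_threshold=5):
    """IPs a naive per-source rate limit would block (assumed threshold).

    Shows the evasion: the stuffing set never reaches the threshold.
    """
    per_ip = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)


def classify_window(events, pair_threshold=5, ip_threshold=5, stuffing_floor=30):
    """Return (brute_force_pairs, stuffing_suspected) for one time window.

    Per-(ip, user) counts catch brute force. Credential stuffing is flagged
    from the aggregate instead: many distinct accounts each failing once,
    spread so thinly across sources that every IP stays under the throttle.
    """
    per_pair = Counter((ip, user) for _, ip, user in events)
    brute = sorted(pair for pair, n in per_pair.items() if n >= pair_threshold)
    loud_ips = set(per_ip_throttle_hits(events, ip_threshold))
    # Only the traffic that the per-IP limiter would have let through.
    quiet = [e for e in events if e[1] not in loud_ips]
    quiet_users = {user for _, _, user in quiet}
    quiet_ips = {ip for _, ip, _ in quiet}
    stuffing = (
        len(quiet) >= stuffing_floor
        and len(quiet_users) >= 0.8 * stuffing_floor  # mostly distinct accounts
        and len(quiet_ips) >= 0.8 * stuffing_floor    # mostly distinct sources
    )
    return brute, stuffing


if __name__ == "__main__":
    print("per-IP limiter blocks:", per_ip_throttle_hits(FAILED_LOGINS))
    print("window verdict:", classify_window(FAILED_LOGINS))
```

In a real deployment the same aggregate check would run per sliding window against a learned baseline of failed logins, since the absolute floor used here is only a placeholder.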
There are no indications that this problematic bot traffic is about to slow down, remaining a security headache for organizations in the near term. John Gunn, CEO of Token, suggests that pressing passwordless alternatives is key: “Account takeover using stolen credentials remains the #1 threat to every organization and bots automate and speed up this process. Strong, effective, and convenient biometric authentication is essential to ensure security.”
Garret Grajek, CEO of YouAttest, suggests that organizations can take a more immediate step in addressing identity governance policies: “It should alarm anyone who is involved in IT that 28% of the global resources for handling web traffic are going to handling bot traffic. Traffic that is malicious by nature – since denial of service is one of the tenets of the CIA principle: Confidentiality, Integrity and Availability. Enterprises have to realize this traffic is occurring and that its content is malicious by nature. And since many of the bots are carrying traffic that will eventually result in scans and vulnerability assessments – an enterprise must shore up their defenses. Given that over 65% of attacks will eventually use weakened credentials, an identity governance policy is paramount.”