Nearly half of all internet traffic originated from automated scripts, with almost a third from bad bots, a new report by IT and application security firm Imperva found.
Bad bots are automated software applications capable of abusing, misusing, and attacking web applications, mobile apps, and APIs.
The report found a steady increase in bot traffic over the past few years, pushing human traffic to an eight-year-low.
The 2023 Imperva Bad Bot Report highlighted an evolution in bot technology and steps business leaders should take to remain a step ahead of automated threats.
Bots are responsible for nearly half of the internet traffic
Imperva’s Bad Bot Report found that 47.4% of all internet traffic came from bots, a 5.1 increase from 2021. During the same period, human traffic fell to 52.6%, reaching an eight-year low.
Additionally, traffic from bad bots increased for the fourth consecutive year, reaching 30.2% and recording a 2.5% increase over 2021.
However, good bot traffic remained significantly low at just 17.3% but slightly increased from 14.6% in 2021.
Bad bots are abusing Safari privacy features
Imperva found a significant increase in bad bots self-reporting as mobile browsers.
According to the report, a fifth (20.2%) of bad bot traffic self-reported as Mobile Safari, marking a 16.1% increase from the previous period.
Despite the overall reduction in volume from 42.7% in 2021 to 40.4% in 2022, most bad bot traffic originated from Chrome browsers, with Mobile Chrome recording a slight increase from 11.9% in 2021 to 13.2% in 2022.
The report indicated that Safari was the most preferred mobile browser by bad bots. The researchers pointed out that bad bots exploited Safari’s enhanced privacy features to mask their nefarious behavior.
However, they noted that evasive bots (advanced and moderate) usually disguise themselves as mobile browsers to evade detection. Thus, the number of malicious scripts running on the Safari browser might differ.
Advanced bad bot levels are doubling
The researchers noted an expanding gap between moderate and advanced bots in the last 12 months.
They noted that bad bots were increasingly adopting evasive behaviors such as cycling through IPs, using anonymous proxies, mimicking human behavior, defeating CAPTCHAs, and delaying requests.
According to the researchers, as evasion tactics evolved, the proportion of bad bots classified as “advanced” (51.2%) increased at the expense of moderate ones (15.3%), while simple bots remained consistent at 33.4%.
Collectively, evasive bots accounted for roughly two-thirds (66.6%) of bot traffic, marking a slight increase from 65.5% in the previous year.
“While the increase isn’t substantial, it is the makeup of evasive bad bots that is alarming, with advanced bad bot levels essentially doubling,” Imperva’s report stated.
Account takeover and API attacks are frequently leveraging bad bots
Bad bots that abuse business logic accounted for 17% of all API attacks in 2022, while 21% of malicious activity originated from other automated threats. Of all attacks recorded, 27% originated from bad bots, while 26% were from other automated sources.
The researchers explained that the goal of abusing API business logic was to steal sensitive information or illegally gain access to user accounts.
According to the report, account takeover (ATO) attacks in 2022 more than doubled (+155%), accounting for 15% of all login attempts in the past 12 months.
Additionally, over a third (35%) of account takeover attacks in 2022 specifically targeted an API.
The reason for targeting APIs in account takeover attacks is because the authentication token is sent in the request body, thus easier to intercept and abuse without raising suspicion.
Bot threat landscape
Travel (24.7%), Retail (21%), and Financial services (12.7%) experienced the highest volume of bot traffic levels, while Gaming (58.7%) and Telecommunications (47.7%) experienced the highest bad bot traffic levels.
Healthcare and Government experienced the highest level of bad bots attacks, while Financial Services, Telecoms and ISPs, and Computing & IT experienced the highest volume of account takeover attacks.
Seven countries out of 13 analyzed had higher bot traffic levels than the global average of 30.2%, with Germany (68.6%), Ireland (45.1%), and Singapore (43.1%) leading the pack and the United States (32.1%) following closely. However, countries with the highest volume of bot attacks were the United States (41.1%), Australia (16.4%), and the United Kingdom (6.8%).
The researchers recommended identifying potential risks, vulnerability reduction, blocking outdated browsers, traffic monitoring and evaluation, disallowing traffic from data centers, security automation, raising awareness, and tweaking configurations to block bots.
