Internet bots make up nearly half of global web traffic, according to new research, with a significant amount of this fake activity being malicious.
The 11th annual Bad Bot Report from Imperva shows malicious bot traffic continued to rise through 2024, marking a fifth consecutive year of increased malicious activity.
Imperva defines bad bots as software applications that perform automated tasks, mimicking legitimate users, with malicious intent.
These bots can be used for a variety of nefarious purposes, such as distributed denial of service (DDoS) attacks, scalping, credential stuffing, scraping, and more.
Imperva’s report is focused on bad bot activity at the OSI model’s application layer (layer 7), as opposed to lower-level network protocols used for volumetric DDoS attacks.
The investigation analyzed data collected from its global network in 2023, which included nearly 6 trillion blocked bad bot requests, anonymized across thousands of domains and industries.
The analysis found 49.6% of all internet traffic came from bots in 2023, growing by 2% from the previous year, and the highest level Imperva has recorded since it began monitoring automated traffic in 2013.
Traffic generated by malicious bot activity also rose to 32% of global traffic in 2023, up from 30.2% in 2022; whereas, human-based traffic decreased to 50.4% over the same period.
Breaking down internet traffic by industry, the study found that bad bots plague every sector, but the worst affected industries were Gaming (57.2%), Telecom & ISPs (49.3%), Computing & IT (45.9%), Business Services (40.9%), and Healthcare (33.4%).
GM of Application Security at Imperva, Nanhi Singh said bots were one of the most pervasive threats facing every industry, and this threat is only growing as automation technology becomes more sophisticated.
“From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support,” said Singh. “Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration.”
Sophisticated, evasive bots plague critical industries
Imperva classified the bots by their level of sophistication, with categories covering simple, moderate, and advanced evasion techniques.
Simple bots are those which don’t self-report as a browser, using automated scripts to connect to sites from a single IP address, making them fairly easy to identify as robots.
Moderate comprises bots that use more sophisticated ‘headless browser’ software that simulates browser activity, including the ability to execute JavaScript code.
Advanced bots emulate human user behavior such as mouse movements and clicks in order to fool spoof bot detection systems. These assets use browser automation software or malware within real browsers to connect to sites.
Imperva provided details of how evasive bots avoid detection using a wide range of stealth techniques.
“Evasive bots use complex tactics like cycling through random IPs, entering via anonymous proxies, using residential proxies, changing their identities, mimicking human behavior, delaying requests, and defeating CAPTCHA challenges”, the report explained.
“They use a ‘low and slow’ approach to avoid detection and carry out significant attacks using fewer requests. This method reduces the ‘noise’ generated by many bad bot campaigns, making it difficult to detect them.”
Imperva’s study found that a number of critical industries received the highest proportion of advanced bot traffic in 2024.
The Law & Government (75.8%) and Financial Services (67.1%) sectors were among the sectors hit with the highest proportion of advanced bots.
The study noted the volume of these advanced attacks is less important, as their sophistication means fewer attempts are required to compromise the target system.
ATO attacks on the rise as APIs become top target for cybercriminals
Imperva’s findings also showed a rise in account takeover (ATO) attacks as one of the most prevalent automated threats facing organizations last year, recording a 10% increase in ATO attacks in 2023.
The volume of the ATO attacks launched every year is growing, according to Imperva’s data, with 11% of all login attempts across the internet associated with account takeover attempts.
Once again, the critical industries received the highest volume of these attacks, with the Financial Services sector being hit with 36.8% of global ATO attempts.
Notably, 44% of all ATO attacks targeted API endpoints, up from 35% in 2022, with automated threats responsible for 30% of all API attacks in 2023.
The widespread adoption of APIs precipitated by the proliferation of mobile and web applications makes them a tempting target for cyber criminals, according to the report, especially as they are often used to take care of vital identity verification processes.
As such, exploiting vulnerabilities in authentication APIs can give threat actors unauthorized access to user accounts, highlighting the importance of API security for organizations moving forward.
