In 2023, almost half of internet activity, some 49.6%, originated from non-human sources, marking a 2% rise from the previous year, cybersecurity premier Thales’ 2024 Imperva Bad Bot Report revealed.
This percentage represents the highest level of bot-generated traffic observed by Thales company Imperva since they commenced tracking such activity in 2013.
Nanhi Singh, general manager at the Application Security at Imperva said “bots are one of the most pervasive and growing threats facing every industry.”
“From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support. Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration,” she said.
In 2023, bad bot activity increased for the fifth year in a row, reaching 32% of web traffic, compared to 30.2% in 2022. Meanwhile, human-generated web traffic dropped to 50.4%, the report noted. The proliferation of automated traffic is resulting in significant financial losses for organizations globally, as it targets websites, APIs, and applications, costing billions of dollars annually.
“Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications,” Singh said. “As more AI-enabled tools are introduced, bots will become omnipresent. Organizations must invest in bot management and API security tools to manage the threat from malicious, automated traffic.”
Last year, Ireland, Germany, and Mexico emerged as the frontrunners in battling these malicious bots, with rates reaching 71%, 67.5%, and 42.8%, respectively. Notably, the United States also experienced a slight increase in bad bot traffic, rising to 35.4% from 32.1% in 2022.
One significant factor contributing to this surge is the growing utilization of generative AI and large language models (LLMs), which saw the volume of simple bots escalate to 39.6% in 2023, up from 33.4% the previous year. This technology enables the creation of web scraping bots and automated crawlers, facilitating the training of models and empowering non-technical users to develop automated scripts for various purposes.
Account takeover (ATO) attacks have become a persistent threat to businesses, rising by 10% in 2023 compared to the previous year. API endpoints were a primary target, with 44% of all ATO attacks directed towards them, a notable increase from 35% in 2022. Across the internet, 11% of all login attempts were associated with account takeover, posing significant risks to users and organizations alike. Financial Services bore the brunt of these attacks, with a staggering 36.8% of ATO incidents targeting the sector.
APIs have emerged as a popular vector for cyberattacks, with automated threats causing 30% of all API attacks in 2023. Among these, 17% were perpetrated by bad bots exploiting business logic vulnerabilities within the API's design and implementation. This flaw enables attackers to manipulate legitimate functionality and gain unauthorized access to sensitive data or user accounts, underscoring the critical need for robust API security measures.
The pervasiveness of bad bot traffic extends across every industry, with gaming sector experiencing the largest proportion for a second consecutive year at 57.2%. Retail, travel, and financial services sectors faced the highest volumes of bot attacks. Moreover, the proportion of advanced bad bots, capable of closely mimicking human behavior and evading defenses, was particularly pronounced in the Law & Government, Entertainment, and Financial Services domains.
Another concerning trend is the increasing prevalence of bad bot traffic originating from residential ISPs, which grew to 25.8%. Masquerading as mobile user agents accounted for 44.8% of all bad bot traffic, a significant rise from 28.1% five years ago. Sophisticated actors leverage mobile user agents in combination with residential or mobile ISPs to evade detection, posing significant challenges for cybersecurity professionals.
