- Automated and malicious traffic is increasing for the fifth year in a row
- Bad bots are responsible for 32% of all internet traffic
- 44% of all account takeover attacks target API endpoints
Thales, the cybersecurity leader protecting critical applications, APIs and data anywhere at scale, today announced the release of the Imperva Bad Bot Report 2024a global analysis of automated bot traffic over the internet. Nearly half (49.6%) of all internet traffic came from bots by 2023 – a 2% increase from the previous year, and the highest level Imperva has reported since it started monitoring automated traffic in 2013 .
For the fifth consecutive year, the share of web traffic related to bad bots grew to 32% in 2023, up from 30.2% in 2022, while traffic from human users fell to 50.4%. Automated traffic costs organizations billions (USD) annually due to attacks on websites, APIs and applications.
“Bots are one of the most pervasive and growing threats facing any industry,” say Nanhi Singh, General Manager, Application Security at Imperva, a Thales company. “From simple web scraping to malicious account takeover, spam and denial of service, bots negatively impact the bottom line by degrading online services and requiring increased investment in infrastructure and customer support. Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related exploits that could lead to account compromise or data exfiltration.”
Key trends identified in the Imperva Bad Bot Report 2024 include:
- The global average of bad bot traffic reached 32%: Ireland (71%), Germany (67.5%) and Mexico (42.8%) had the highest levels of bad bot traffic in 2023. The US also saw a slightly higher rate of bad bot traffic: 35.4% compared to 2022 (32.1%). %).
- Increasing use of generative AI linked to the rise of simple bots: The rapid adoption of generative AI and large language models (LLMs) has led to the number of simple bots increasing to 39.6% in 2023, up from 33.4% in 2022. The technology uses web scraping bots and automated crawlers to training models, while allowing non-technical users to write automated scripts for their own use.
- Account takeover is an ongoing business risk: Account Takeover (ATO) attacks will increase by 10% in 2023, compared to the same period the previous year. Notably, 44% of all ATO attacks targeted API endpoints, compared to 35% in 2022. Of all internet login attempts, 11% involved account takeovers. The sectors that saw the highest number of ATO attacks in 2023 were financial services (36.8%), travel (11.5%) and business services (8%).
- APIs are a popular attack vector: Automated threats caused a significant 30% of API attacks in 2023. Among them, 17% were bad bots that exploited vulnerabilities in business logic – a flaw in the design and implementation of the API that allows attackers to manipulate legitimate functionality and can gain access to sensitive data or user accounts. . Cybercriminals use automated bots to find and exploit APIs, which act as a direct route to sensitive data, making them a prime target for business logic exploitation.
- Every industry has a bot problem: For the second year in a row, Gaming (57.2%) saw the majority of bad bot traffic. Meanwhile, retail (24.4%), travel (20.7%) and financial services (15.7%) experienced the highest number of bot attacks. The share of advanced bad bots, bots that closely mimic human behavior and evade defense mechanisms, was highest on Law and Government (75.8%), Entertainment (70.8%) and Financial Services (67.1%) websites.
- Bad bot traffic coming from residential ISPs grows to 25.8%: Early techniques for evading bad bots relied on impersonating a user agent (browser) often used by legitimate human users. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic last year, up from 28.1% five years ago. Advanced actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate ISP-assigned residential IP address.
“Automated bots will soon surpass the share of Internet traffic coming from humans, changing the way organizations approach building and protecting their websites and applications,” continued Singh. “As more AI-enabled tools are introduced, bots will become ubiquitous. Organizations must invest in bot management and API security tools to manage the threat of malicious, automated traffic.”
Additional information:
- Download a copy of the Imperva Bad Bot Report 2024 for additional insights.
- Learn how Imperva Advanced Bot Protection, API Security and Client-Side Protection can protect websites, mobile applications and APIs from automated attacks and fraud without impacting the flow of business-critical traffic.
- Read the Imperva Blog for the latest product and solution news and threat information from Imperva Threat Research.
About Thales
Thales (Euronext Paris: HO) is a global leader in advanced technologies across three domains: Defense & Security, Aviation & Space, and Digital Identity & Security. It develops products and solutions that make the world safer, greener and more inclusive.
The Group invests almost €4 billion per year in Research & Development, mainly in key areas such as quantum technologies, Edge computing, 6G and cybersecurity.
Thales has 81,000* employees in 68 countries. In 2023, the Group generated a turnover of €18.4 billion.
* These figures do not include the ground transport activities, which are being divested
