The 2022 Imperva Bad Bot Report has some eye-opening findings, the main one being that bad bot traffic is close to surpassing human activity on the web.
Bot traffic accounted for 42.3% of all internet activity in 2021, up from 40.8% in 2020. Bad bot traffic is roughly twice the volume of so-called “good bot” traffic, the bots that perform legitimate functions such as search indexing and automated responses.
After a hiatus of several years, bad bot traffic is on the rise again
Bot traffic last surpassed human traffic on the web in 2014, when this annual Imperva study began. The subsequent increase in the human share of traffic, at times reaching 62%, is mainly due to the significant suppression of bad bots (those operating with malicious intent). These problematic bots have been on the rise again since 2019, and they now once again outstrip their “good” counterparts and threaten to dominate the internet.
As noted in the report, there is a direct correlation between malicious bot activity and cybercrime rates. Malicious bots are usually the first element of an attack plan, whether the goal is control of a target’s network or an attempt to take over accounts. Other activities that qualify as bad bot behaviour include scraping of retail product and price data, scraping content from websites, distributed denial of service (DDoS) attacks, and “inventory denial” schemes, in which in-demand items are held in virtual shopping carts to manipulate prices or deny sales to competitors.
Bad bots have evolved considerably over the past decade, blending in with good bot traffic to avoid detection and in some cases using very sophisticated techniques to mimic human activity. The more sophisticated malicious bots can use modified web browsers, mimic human-like mouse movements and clicks, rotate IP addresses regularly, and take more time over each action so that they more closely resemble legitimate end users. These bots, which Imperva classes as “evasive”, now account for the majority of bad bot traffic at 65.6%.
Bad bot traffic also varies throughout the year, peaking in December as threat actors look to take advantage of holiday shopping. That pattern held in 2021, with bad bot traffic accounting for 30% of all internet activity in December 2021, up from 24% at the start of the year.
Some industries are more heavily targeted than others, and 2021 saw significant increases in bad bot traffic against them. Sports, gambling, and food and beverage sites all saw over 20% growth in bot traffic compared to 2020. The most sophisticated bad bots have increasingly focused on travel, retail, automotive, education and government sites.
There is also strong regional disparity in bot traffic. The US is the most favored by bad bots, receiving 43.1% of their attacks. The next most common destination is Australia at 6.8%.
Account takeover attempts make up a growing share of bot traffic
Much of the increase in bad bot traffic comes from account takeover activity. This ranges from classic “brute force” attacks, which sequentially try the passwords listed in a dictionary file against an account, to the “credential stuffing” variant, which only replays username and password pairs stolen in earlier data breaches. These attacks increased by 148% in 2021, and more than 65% of them now use the advanced, evasive class of malicious bot to bypass automated defenses.
Some of the countries that receive the least bot traffic overall are among the most affected by account takeover attempts: Singapore, France, Puerto Rico, and Chile top the list, followed by the United States. Financial services and travel sites are targeted by these attacks more than any other industry, twice as often as the next category on the list (business services), and the most advanced bad bots show a strong preference for travel and retail sites. The problem is still concentrated in the US, however, where an estimated 22% of residents (more than 24 million households) have experienced an account takeover at some point.
The report finds that malicious bot traffic is generally increasing in frequency, sophistication and intensity. Imperva says the largest bot attack it has ever recorded took place in January 2022 and used more than 400,000 IP addresses to flood a job listing website with 400 million login attempts over an extended period. Bad bots are also finding new ways to attack colleges in order to defraud them of grant and financial aid money.
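The two account takeover patterns described above, brute force (many passwords against one account) and credential stuffing (one attempt each against many accounts), leave different fingerprints in authentication logs, and the distributed case Imperva describes (hundreds of thousands of IPs each contributing a handful of attempts) leaves a third. The following is an added example, not code from the report or from Imperva, that applies simple defender-side heuristics to a constructed sample of failed-login events; the sample data, the time window and every threshold are assumptions chosen for illustration, not values from the report.

```python
"""Heuristic detection of three account-takeover patterns in failed-login logs.

Added example with constructed data; thresholds are assumptions, not report values.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample of failed-login events as (epoch_seconds, source_ip, username).
# Four behaviours are mixed in:
#   - 10.0.0.5 tries many passwords against one account ("alice")   -> brute force
#   - 203.0.113.7 tries one password each against many accounts      -> credential stuffing
#   - 40 different IPs each try one account once                     -> distributed stuffing
#   - two ordinary mistyped passwords from legitimate users          -> benign noise
SAMPLE_EVENTS: List[Tuple[int, str, str]] = (
    [(1000 + i, "10.0.0.5", "alice") for i in range(12)]
    + [(1000 + i, "203.0.113.7", f"user{i}") for i in range(9)]
    + [(1000 + i, f"198.51.100.{i}", f"emp{i}") for i in range(40)]
    + [(1000, "192.0.2.10", "bob"), (1050, "192.0.2.11", "carol")]
)


def analyse_window(
    events: List[Tuple[str, str]],
    brute_force_min: int = 10,        # failures against one account in the window
    stuffing_min_accounts: int = 8,   # distinct accounts touched by one IP
    distributed_min: int = 25,        # unattributed failures needed to raise the alarm
    distributed_ip_ratio: float = 0.8,  # distinct IPs / failures among those leftovers
) -> Dict[str, object]:
    """Classify the (source_ip, username) failures of a single time window."""
    per_user = Counter(user for _, user in events)
    per_ip_users: Dict[str, set] = defaultdict(set)
    per_ip_count: Counter = Counter()
    for ip, user in events:
        per_ip_users[ip].add(user)
        per_ip_count[ip] += 1

    # Brute force: one account absorbs many failures, whatever the source.
    brute_force = sorted(u for u, n in per_user.items() if n >= brute_force_min)

    # Credential stuffing from a single source: many distinct accounts, roughly
    # one attempt per account (a replayed breach list, not a password guess loop).
    stuffing_ips = sorted(
        ip for ip, users in per_ip_users.items()
        if len(users) >= stuffing_min_accounts and per_ip_count[ip] <= 2 * len(users)
    )

    # Distributed stuffing: after removing what the two rules above explain, a
    # large residue of failures where almost every one comes from a different IP.
    explained_users, explained_ips = set(brute_force), set(stuffing_ips)
    remaining = [(ip, u) for ip, u in events
                 if ip not in explained_ips and u not in explained_users]
    distinct_ips = len({ip for ip, _ in remaining})
    distributed = (
        len(remaining) >= distributed_min
        and distinct_ips / len(remaining) >= distributed_ip_ratio
    )
    return {
        "brute_force_accounts": brute_force,
        "credential_stuffing_ips": stuffing_ips,
        "distributed_stuffing": distributed,
        "remaining_failures": len(remaining),
    }


def detect(events: List[Tuple[int, str, str]], window_seconds: int = 300) -> Dict[int, Dict[str, object]]:
    """Bucket timestamped failures into fixed windows and analyse each window."""
    buckets: Dict[int, List[Tuple[str, str]]] = defaultdict(list)
    for ts, ip, user in events:
        buckets[ts // window_seconds].append((ip, user))
    return {window: analyse_window(evts) for window, evts in sorted(buckets.items())}


if __name__ == "__main__":
    for window, findings in detect(SAMPLE_EVENTS).items():
        print(f"window {window}: {findings}")
```

Each rule keys on a different dimension (failures per account, accounts per source, sources per failure), which is why the three patterns can be told apart even though all of them look like "many failed logins". The distributed rule is deliberately evaluated only on the residue the other two leave behind; run against the raw window it would be diluted by the single-source attackers and miss exactly the wide, low-and-slow floods the report highlights.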
This problematic bot traffic shows no signs of slowing down, and it will remain a security headache for organizations for the foreseeable future. John Gunn, CEO of Token, suggests that pushing password-less alternatives is key: “Account takeover using stolen credentials remains the #1 threat for any organization, and bots are automating and accelerating this process. Strong, effective and convenient biometric authentication is essential to ensure security.”
Garrett Grajek, CEO of YouAttest, suggests that organizations can take more immediate action by addressing their identity management policies: “Anyone working in IT should be concerned that 28% of global web traffic management resources are used to manage bot traffic – traffic that is malicious in nature – because denial of service is one of the key aspects of the CIA principle: Privacy, Integrity and Availability. Businesses need to understand that this traffic is occurring and that its content is malicious in nature. Since many bots carry traffic that will eventually result in scans and vulnerability assessments, the enterprise must strengthen its defenses. Given that more than 65% of attacks will ultimately use weakened credentials, an identity management policy is critical.”