Bot traffic currently accounts for nearly half of global Internet traffic, with so-called “bad bots” accounting for one-third.
According to the 2024 Imperva Bad Bot Report, the proportion of Internet traffic generated by bots reached an all-time high last year, up 2% from the year before. Traffic from human users dropped to just 50.4%.
“Automated bots will soon exceed the proportion of internet traffic coming from humans, changing the way organizations build and secure their websites and applications,” said Nanhi Singh, general manager of application security at Imperva.
“As more AI-enabled tools become available, bots will become ubiquitous. Organizations must invest in bot management and API security tools to manage threats from malicious automated traffic.”
Bad bots already dominate traffic in Ireland, where they account for 71%, and in Germany, where they account for 68%. Meanwhile, 43% of traffic in Mexico is generated by malicious bots, compared with 34% in the United States.
As you might expect, generative AI is making things worse, with the share of simple bots rising from 33% in 2022 to 40% in 2023.
Meanwhile, account takeover attacks increased by 10% in 2023, with 44% targeting API endpoints compared to 35% in 2022. In fact, 11% of all login attempts on the Internet are related to account takeovers. The most affected industries are financial services (37%), tourism (12%) and business services (8%).
APIs are a popular attack vector: in 2023, automated threats were behind three out of 10 API attacks. Of these, 17% were malicious bots exploiting business logic vulnerabilities, flaws in API design and implementation that allow attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts.
For the second year in a row, gaming had the biggest bot problem, with bots accounting for 57% of its traffic. Meanwhile, retail, travel and financial services saw the highest volume of bot attacks.
The highest proportion of advanced malicious bots (those that closely mimic human behavior and evade defenses) is found in the legal and government sector at 78%, followed by entertainment (71%) and financial services (67%).
A quarter of bad bot traffic originates from residential ISPs. Residential proxies allow bot operators to evade detection by making the source of the traffic appear to be a legitimate residential IP address assigned by the ISP.
Late last year, a Lunio report found that advertisers would waste more than $71 billion on traffic generated by ineffective campaigns, including bots and automated scripts, a one-third increase from 2022.
“Bots are one of the most prevalent and growing threats facing every industry. From simple web scraping to malicious account takeovers, spam and denial of service, bots can degrade online services and require disruption to infrastructure and customers. More investment support, thus negatively impacting the bottom line of the organization,” said Singh.
“Organizations must proactively address the threat of bad bots as attackers focus on API-related abuse that could lead to account compromise or data exfiltration.”