Report: 47 Percent of Internet Traffic is From Bots

Report: 47 Percent of Internet Traffic is From Bots

Imperva Inc. recently released 2023 Imperva Bad Bot Report, a global analysis of automated bot traffic across the internet. In 2022, nearly half (47.4%) of all internet traffic came from bots, a 5.1% increase over the previous year. The proportion of human traffic (52.6%) decreased to its lowest level in eight years.

For the fourth consecutive year, the volume of bad bot traffic — malicious automated software applications capable of high-speed abuse, misuse, and attacks — grew to 30.2%, a 2.5% increase over 2021. The staggering level of bad bot activity across the internet in 2022 was the highest since the creation of the Imperva Bad Bot Report in 2013. Malicious bot activity is a significant risk for businesses as it can result in account compromise, data theft, spam, higher infrastructure and support costs, customer churn, and degraded online services. Collectively, billions (USD) are lost annually as a result of automated attacks on organizations’ websites, infrastructure, APIs, and applications.

Documenting 10 Years of Bot Evolution and the Rise of Automated Attacks

For the past decade, the annual Imperva Bad Bot Report has provided security and business leaders with useful and practical information about the evolution of bot technology and automated traffic. Imperva was a pioneer in documenting these annual trends for the purpose of raising awareness about the business risk associated with bad bot activity.

Reflecting on the 10th anniversary of the Imperva Bad Bot Report, this year’s report documents milestones in the evolution of bad bot technology. Notable highlights include:

  • The EarthLink Spammer, one of the world’s first botnets, was discovered in 2000. It was created by a single individual and sent over a million emails as part of a phishing scam.
  • In 2014, Imperva monitored one of the first examples of bots exploiting mobile browser settings to more easily scrape data. This was an early indicator that bot operators were adapting for mobile web and application environments.
  • In 2015, the sophistication of bad bots soared 11%. Bot operators used a single bot to cycle through many IP addresses to make a single request while disguising their identity.
  • In 2016, as mobile device usage grew, bad bots quickly adapted. For the first time, mobile Safari was one of the leading self-reported user agents, while the volume of bots claiming to be mobile browsers increased 42.78%.
  • In 2020 and 2021, bad bots became the pandemic of the internet as automation became more sophisticated. Through inventory hoarding and scraping, bots made it harder for humans to purchase gaming consoles or schedule COVID-19 vaccine appointments.

“Bots have evolved rapidly since 2013, but with the advent of generative artificial intelligence, the technology will evolve at an even greater, more concerning pace over the next 10 years,” says Karl Triebes, Senior Vice President and GM, Application Security, Imperva. “Cybercriminals will increase their focus on attacking API endpoints and application business logic with sophisticated automation. As a result, the business disruption and financial impact associated with bad bots will become even more significant in the coming years.”

Key Findings from the 2023 Imperva Bad Bot Report:

  • Bad bots are increasingly sophisticated and harder to detect. In 2022, the proportion of bad bots classified as “advanced” accounted for more than half (51.2%) of all bad bot traffic. In comparison, the level of bad bot sophistication in 2021 was 25.9%. This is a concerning trend for businesses as advanced bad bots use the latest evasion techniques and closely mimic human behavior to evade detection by cycling through random IPs, entering through anonymous proxies, and changing identities.
  • Account takeover (ATO) attacks increased 155% in 2022. Further, 15% of all login attempts in the past 12 months, across all industries, were classified as account takeover. Cybercriminals use bad bots to facilitate credential stuffing and brute force attacks, as automation can cycle through credentials quickly until successful. These attacks have the potential to lock customers out of their account, provide fraudsters with sensitive information, contribute to business’ revenue loss, and increase the risk of non-compliance.
  • Bad bots target APIs to abuse business logic and compromise accounts. In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. A business logic attack exploits flaws in the design and implementation of an API or application for the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts. Further, 35% of account takeover attacks in 2022 specifically targeted an API. When APIs are called programmatically, attackers can easily automate the process of attempting to takeover an account without triggering any alarms.
  • Travel (24.7%), Retail (21%), and Financial Services (12.7%) continue to experience the highest volume of bot attacks. Meanwhile, Healthcare and Law & Government experienced a considerable jump in the volume of bad bot attacks in 2022. Gaming (58.7%) and Telecommunications (47.7%) had the highest proportion of bad bot traffic on their websites and applications. Taken together, bots are a growing problem for all industries.
  • Majority of countries have a bad bot problem. Of the 13 countries analyzed in the report, more than half (7) had bad bot traffic levels that exceeded the global average of 30.2%. Germany (68.6%), Ireland (45.1%), and Singapore (43.1%) ranked in the top three, while the US also exceeded the average at 32.1%.
  • Browser settings disguise bad bot behavior: One-in-five bad bots used Mobile Safari as their browser of choice in 2022, up from 16.1% in 2021. Updated browsers offer privacy settings that obfuscate bad bot behavior, making it harder for organizations to detect and stop automated traffic.

“Every organization, regardless of size or industry, should be concerned about the rising volume of bad bots across the internet,” continued Triebes. “Year-over-year, the proportion of bot traffic is growing and the disruptions caused by malicious automation results in tangible business risks — from brand reputation issues to reduced online sales and security risks for web applications, mobile apps, and APIs. Businesses need to act now and invest in bot management and online prevention that can identify and stop sophisticated automation that targets APIs and application business logic.”

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3