Bad bots continue to affect consumers and organizations across all sectors. For over eleven years, Imperva has been dedicated to helping organizations manage and mitigate the threat of bad bots. We’ve published the 2024 Imperva Bad Bot Report as part of our commitment to helping organizations better understand the challenges associated with automated traffic and the risks of not mitigating it.
The eleventh edition of the annual report shares insight on the latest bad bots statistics and trends from the past year, providing valuable information and guidance about the nature and impact of automated traffic. Here are five key takeaways from the report:
Automated traffic makes up almost half of all internet traffic worldwide. Generally speaking, automated traffic comprises two types of automation: good and bad bots. Concerningly, bad bots alone account for nearly a third of all traffic, at 32%, with their volume increasing for the fifth consecutive year. Our research indicates that more than half of the countries we studied experienced higher-than-average levels of bad bot traffic.
The rise in popularity of Artificial Intelligence (AI) and Large Language Models (LLMs) contributed to the increase in automated traffic in 2023. The technology uses web scraping and crawling to feed training models, and it commoditizes bots by enabling non-technical users to write scripts.
The report takes a deeper dive into the anatomy of bad bots by classifying them according to the level of sophistication and the tactics used when attempting (or not) to evade detection. We saw simple bad bot traffic grow from 33.4% of all bad bot traffic in 2022 to 39.6% in 2023. This increase can be attributed to artificial intelligence’s popularity and widespread adoption. Less technical individuals can now write basic bot scripts. These scripts often lack the latest evasion techniques advanced bots use, so they’re classified as simple.
Account takeover (ATO) is an attempt at unauthorized access and takeover of user accounts using bots. This is most commonly achieved by performing credential stuffing, which involves testing dumps of leaked user credentials against login pages. Such attacks increased by 10% in 2023, with 44% of all ATO attacks targeting API endpoints. Financial Services, Travel, and Business Services were the industries that saw the highest volume of ATO attacks in 2023.
Automated threats were responsible for 30% of API attacks in 2023. Cybercriminals increasingly rely on automated bots to discover and exploit APIs, which provide a direct pathway to sensitive data. Organizations depend heavily on APIs to support application modernization. However, APIs increase the attack surface, providing more entry points for automated attacks. Because of their machine-readable nature, APIs are becoming more vulnerable to bad bot attacks, and a lack of visibility into API traffic makes it difficult to detect them. These factors and others have made APIs a high-priority target for bad actors, and for bot attacks in particular.
A quarter of bad bot traffic now originates from residential ISPs. Early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users. Nowadays, this has become a more common technique. Sophisticated actors combine this with the use of residential or mobile ISPs. Bot operators can use residential proxies to appear as if traffic is coming from a legitimate ISP-assigned residential IP address, making it more difficult for bot management tools to detect them. At Imperva, we constantly develop targeted detection mechanisms to detect and counter this evasion technique.
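The following added example (not from the report and not Imperva's detection logic) shows why the residential-proxy tactic described above defeats per-IP failure counting for credential stuffing, and how a per-endpoint view of failure ratio and distinct usernames still surfaces it. The event format, the sample data and every threshold are constructed assumptions for illustration.

```python
from collections import defaultdict

def sample_events():
    """Constructed login events: (minute, source_ip, username, success)."""
    events = []
    for m in range(10):  # two ordinary users, each on one IP, one typo by bob
        events.append((m, "198.51.100.7", "alice", True))
        events.append((m, "198.51.100.9", "bob", m != 3))
    for i in range(40):  # minute 5: stuffing run, one attempt per proxy IP
        events.append((5, f"203.0.113.{i + 1}", f"user{i}", i == 17))
    return events

def per_ip_alerts(events, max_failures=5):
    """Classic control: flag any source IP with too many failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def endpoint_alerts(events, min_attempts=20, min_fail_ratio=0.8, min_users=15):
    """Per-minute view of the login endpoint, independent of source IP.

    Flags windows where many distinct usernames are tried and most attempts
    fail, which is the shape of a leaked-credential list being tested.
    Returns (minute, attempts, distinct_users, distinct_ips) per alert.
    """
    windows = defaultdict(lambda: {"n": 0, "fail": 0, "users": set(), "ips": set()})
    for minute, ip, user, ok in events:
        w = windows[minute]
        w["n"] += 1
        w["fail"] += 0 if ok else 1
        w["users"].add(user)
        w["ips"].add(ip)
    alerts = []
    for minute, w in sorted(windows.items()):
        if (w["n"] >= min_attempts
                and w["fail"] / w["n"] >= min_fail_ratio
                and len(w["users"]) >= min_users):
            alerts.append((minute, w["n"], len(w["users"]), len(w["ips"])))
    return alerts

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP alerts:  ", per_ip_alerts(ev))
    print("endpoint alerts:", endpoint_alerts(ev))
```

In the constructed data no single IP exceeds the per-IP limit, while the endpoint view flags minute 5, where the number of distinct usernames tracks the number of distinct source IPs.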
The 2024 Imperva Bad Bot Report underscores the importance and urgency of addressing the threat of bots. As we move into a future where automated traffic will surpass the volume of internet traffic from humans, organizations must invest in effective bot management and API security tools to protect their websites, APIs, and mobile applications from malicious, automated traffic.
Download a copy of the 2024 Imperva Bad Bot Report to learn more about the latest bot trends and how to protect your organization. Keep reading the Imperva Blog for the latest product and solution news and threat intelligence from Imperva Threat Research.
Imperva Advanced Bot Protection safeguards websites, mobile apps, and APIs from sophisticated bot attacks without affecting legitimate users while maintaining the flow of business-critical traffic. It prevents bot operators, attackers, unsavory competitors, and fraudsters from abusing, misusing, and attacking your applications and APIs. Advanced Bot Protection embraces a holistic approach, combining a vigilant service, superior technology, and industry expertise to give customers complete visibility and control over their human, good, and bad bot traffic. With granular controls that empower rapid responses to the dynamic bad bot landscape, your organization can adapt as quickly as the threat of bots.
Imperva uses a multilayered detection approach combining state-of-the-art technology and human expertise. This includes hundreds of reputational models, behavioral analysis, advanced proprietary challenges, and machine learning models that are dynamically trained throughout every step. The Imperva Application Security Platform generates shared global intelligence across all Imperva-protected sites, allowing for real-time response to the latest threats.
As a recognized industry leader, we understand the bot problem and its potential impact on businesses better than anyone else. We know that any attack at any time can seriously threaten your business. Unlike other bot management vendors, we provide you with the dedicated support of a team of expert bot analysts who have more experience fighting bad bots than most of our competitors have been in existence.
The post Five Key Takeaways from the 2024 Imperva Bad Bot Report appeared first on Blog.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Erez Hasson. Read the original post at: https://www.imperva.com/blog/five-key-takeaways-from-the-2024-imperva-bad-bot-report/