- According to the new Imperva Bad Bot Report, 41 percent of internet traffic in 2020 was not generated by humans.
- Bad bot traffic increased 6.2 percent and now accounts for more than a quarter of all website requests.
- Bots disguised as mobile browsers rose to 28 percent in 2020, up from 13 percent in 2019.
Advanced persistent bots made up the majority of bad bot traffic at 57 percent last year. These bots are particularly persistent, are difficult to track down and mimic human behavior, and they are mostly responsible for attacks on websites, mobile apps and APIs. This presents major challenges, in particular for companies that want to reduce their downtime, reduce bandwidth consumption or improve the user experience. The bots do a lot of damage, especially through price and content scraping, account creation and takeover, fraud, denial-of-service and denial-of-inventory.
Telecommunications and Internet service providers (ISPs) recorded the largest share of total bot traffic in 2020 at 45.7 percent. Most of these bots could be traced back to account takeovers or price inquiries. However, the largest share of sophisticated bot traffic (59.7 percent) was in the travel industry. Government websites were also increasingly attacked with the aim of account takeovers and data scraping of commercial register entries and voter registrations.
Bot traffic – an overview of the most important targets
Bots target appointment booking sites for Covid-19 vaccine: Imperva observed a 372 percent increase in bad bot traffic on healthcare websites from September 2020 to February 2021. As vaccines became available to more and more age groups in the United States, bot activity increased at a rate of 25,000 requests per hour. For healthcare systems, pharmacies and retailers, bots could disrupt the supply chain by placing increased demands on the network and making it difficult for authorized users to access the scheduling tool.
Scalper bots exploit the shortage of goods during the pandemic: Throughout 2020, scalper bots were used to buy up goods in limited supply. Large stocks of face masks, disinfectants, cleaning agents and exercise bikes were bought up by bots.
Mobile browsers like Safari and Chrome have been the main targets for bots to attack: The proportion of malicious bots in mobile browsers rose to 28.1 percent last year, compared to 12.9 percent in the previous year. The steady rise in attacks in 2020 confirms the trend among mobile ISPs, which has continued for the fourth year in a row. The methods developed by bots to imitate human behavior are getting better every year.
Bots are involved in fraudulent account takeovers: Companies with a login area on their website are exposed to constant attacks from credential stuffing and credential cracking. In 2020, 34 percent of all login attempts came from bad bots. This is of particular concern for industries such as Computing & IT, Tourism, Retail, Financial Services, Entertainment, Telecommunications & ISPs, and Healthcare.
Grinch Bots Make Millions With Game Consoles: Retail bot traffic increased 788 percent between September and October 2020. Scalper bots plagued the gaming market around the Christmas shopping season. The timing is no accident and it was perfectly in line with the pre-order dates for new game consoles. Many gamers became frustrated as it became virtually impossible to buy game consoles, GPU or CPU devices online while bots bought up the inventory and resold the goods for millions of dollars in profits.
Good bots can also do harm: The share of good bot traffic reached around 15 percent in 2020, compared to 13 percent in 2019. When a website is flooded with bot traffic, it slows down web performance and makes it difficult for normal users to access the information or services they need. Good bots can also skew web analytics reports and make some pages appear more popular than they actually are, resulting in worse results for advertisers.
Most of the bad bot attacks come from the USA: The USA is the leading country in terms of hosted bad bots and the main target of all bad bot attacks. For the seventh year in a row, the United States was the most frequently attacked country with 37 percent, followed by China (8.3 percent) and the UK (7 percent).
Attack strategies from bots are becoming more and more advanced
“As we have observed over the past eight years, bad bots continue to be at work on the Internet as attack characteristics become more and more sophisticated and nuanced. Last year during the pandemic, bad bots were able to evolve by targeting new markets. The effects are now often felt by ordinary consumers as well,” explains Edward Roberts, Director of Strategy, Application Security at Imperva.
“The attacks on the gaming industry by the Grinch bots at the end of 2020 are an example of what happens when bots can act uncontrollably and buy up inventory. Malicious bots must be a top focus for businesses and security professionals in 2021 as the problem continues to grow. Businesses need to take proactive steps to protect their websites, applications and APIs from these threats as bots become increasingly involved in fraudulent activities that can damage reputations and finances,” said Roberts.
Imperva is a provider of cybersecurity solutions and protects customers’ data from cyber attacks in all stages of their digital transformation. With an integrated approach that combines edge, application and data security, Imperva protects companies in all phases of digitization.