Almost half (49.6%) of all internet traffic in 2023 was driven by bots – a 2% increase from the previous year, marking the highest level since cybersecurity firm Imperva began monitoring in 2013.
This is according to a study titled 2024 Imperva Bad Bot Report from Thales, a cybersecurity specialist that protects critical applications, APIs and data globally.
Bad bots are sophisticated enough to mimic human interactions, making them notoriously difficult to detect and block. They exploit the business logic of applications by targeting the intended functionalities and processes rather than technical vulnerabilities. The bots also enable high-speed abuse, misuse and attacks across websites, mobile apps, and APIs, permitting bot operators, attackers, unsavoury competitors, and fraudsters to engage in malicious activities.
In 2023, bad bots constituted 32% of web traffic, an increase from 30.2% the previous year, while human-generated traffic decreased to 50.4%. This automated traffic costs organisations billions annually as it targets websites, APIs and applications.
Nanhi Singh, GM of application security at Imperva, a Thales company, emphasised that bots are among the most pervasive and escalating threats across all industries. From simple web scraping to malicious account takeovers, spam, and denial of service, bots significantly impact an organisation’s bottom line by degrading online services and inflating infrastructure and customer support costs.
“Organisations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration,” added Singh.
Key trends from the 2024 Imperva Bad Bot Report include:
- The global average of bad bot traffic reached 32%, with Ireland (71%), Germany (67.5%), and Mexico (42.8%) experiencing the highest levels. The US also saw an increase to 35.4% from 32.1% in 2022.
- The rapid adoption of generative AI and large language models has led to a rise in simple bots, which grew to 39.6% in 2023 from 33.4% in 2022. These technologies primarily use web scraping bots and automated crawlers to gather data for training models and enable non-technical users to create automated scripts.
- Account takeover (ATO) attacks rose by 10% in 2023, with 44% targeting API endpoints—an increase from 35% in 2022. Overall, 11% of all login attempts were linked to account takeovers, with the Financial Services (36.8%), Travel (11.5%), and Business Services (8%) sectors most affected.
- Automated threats were responsible for 30% of API attacks in 2023, with 17% involving bad bots that exploit business logic vulnerabilities in APIs. These vulnerabilities allow attackers to manipulate legitimate functionality and access sensitive data or user accounts.
- For the second consecutive year, the Gaming industry saw the largest proportion of bad bot traffic at 57.2%. Retail (24.4%), Travel (20.7%), and Financial Services (15.7%) also faced significant bot attacks. Advanced bad bots, which closely mimic human behaviour and evade defences, were most prevalent on Law & Government (75.8%), Entertainment (70.8%), and Financial Services (67.1%) websites.
- Bad bot traffic originating from residential ISPs grew to 25.8%. These bots often masquerade as mobile user agents, which accounted for 44.8% of all bad bot traffic last year, up from 28.1% five years ago. Using residential or mobile ISPs, these sophisticated bots evade detection by appearing to originate from legitimate, ISP-assigned residential IP addresses.
Bots are increasingly dominating online spaces. For instance, during the incident when a Chinese spy balloon traversed the US and Canada, tens of thousands of bots engaged on the social media platform X, attempting to influence public discourse.
Researchers at Carnegie Mellon University, Kathleen Carley and Lynnette Hui Xian Ng, tracked nearly 1.2 million tweets from over 120,000 users discussing the balloon. Utilising Twitter’s location feature and the BotHunter algorithm, they identified significant bot activity, with about 35% of US-geotagged users exhibiting bot-like behaviours. In China, the proportion of bots was even higher at 64%.
Singh said: “Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organisations approach building and protecting their websites and applications.
“As more AI-enabled tools are introduced, bots will become omnipresent. Organisations must invest in bot management and API security tools to manage the threat from malicious, automated traffic.”