A Decade of Fighting Bad Bots: Key Learnings from the 2023 Imperva Bad Bot Report

Automated business logic attacks are on the rise, driven by bad bots that can evade detection while wreaking havoc and enabling online fraud. Bad bots mimic human behavior and abuse business logic, allowing threat operators and fraudsters to perform a wide array of malicious activities. Each year, Imperva analyzes data from our global network to investigate the evolution of automated attacks and the bad bots that drive them, documenting the findings in the Bad Bot Report.

Imperva looked closely at the relationship between bad bots, online fraud and API insecurity and the impact of automated attacks across a variety of industries.

The annual report takes a deep dive into the latest bad bot statistics and trends from the past year, providing meaningful information and guidance about the nature and impact of bots to help organizations better understand the potential risks of unmanaged bot traffic. 

Drawing on Imperva's more than 12 years of experience as a leader in bot mitigation, this report takes a retrospective look at bots over the past decade. It covers the evolution of malicious automation, including data on bot traffic trends throughout the past decade, as well as some of the biggest stories from previous Bad Bot Reports. These statistics and stories have shaped the bad bot threat landscape as we know it today.

In 2022, nearly half (47.4%) of all internet traffic came from bots, a 5.1% increase over the previous year.

Key findings from the 2023 Imperva Bad Bot Report:

  • Bad bot traffic levels increase for the fourth consecutive year. 30.2% of the internet traffic in 2022 was bad bots, a 2.5% increase from 27.2% in 2021. Good bot traffic levels increased too, accounting for 17.3% of traffic. And while their name might suggest that they are no cause for concern, these good bots can mean trouble too. They can skew web and marketing analytics, making it extremely difficult for organizations to make informed business decisions. 
  • Bad bot sophistication continues to rise, as advanced bad bots account for more than half of bad bot traffic. In 2022, evasive bad bots accounted for 66.6% of all bad bot traffic – a slight increase from the previous year (65.5%). We often group moderate and advanced bad bots together and refer to them as evasive bad bots, because they represent the more “self-conscious” bots, which go to greater lengths to hide their true identity. While the increase isn’t substantial, it is the makeup of evasive bad bots that is alarming, with the proportion of advanced bad bots essentially doubling at the expense of moderate ones. The proportion of bad bots classified as “simple” has remained relatively stable, at 33.4% compared to 34.4% in 2021. Put simply, the proportion of evasive bad bots compared to simple bad bots has remained fairly similar, but these evasive bad bots are getting much more sophisticated.
  • APIs are a prime target for bad bots. In 2022, 17% of all attacks on APIs were bad bots abusing business logic, and 21% were other types of automated threats. A business logic attack exploits flaws in the design and implementation of an API or application with the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts. Furthermore, 35% of account takeover attacks recorded by Imperva in 2022 specifically targeted APIs. 
  • The number of account takeover attacks grows, fueled by data breaches. Attacks have grown by 155% between 2021 and 2022. During Q3 2022, we observed a direct correlation between data breaches and account takeover attacks. A reported 70% rise in data breaches across the globe corresponded to a 40% increase in account takeover attacks that were recorded by Imperva at the exact same time. This correlation results from attackers’ attempts to utilize leaked credentials from recently disclosed data breaches before users have time to realize their data has been exposed.
  • Bots masquerading as Mobile Safari accounted for a fifth of all bad bot traffic. This isn’t by chance; we now know that the improved user privacy settings offered by this browser are being exploited by bots to mask their behavior, which makes them even harder to detect. The browser’s user privacy settings limit the number of attributes the browser reports to the origin, thus making bots harder to distinguish from human clients. Bot operators have realized this, and are now abusing a set of features designed to protect the privacy of legitimate users in order to hide their true identities.
  • Bad bots are a cross-industry, cross-functional problem. Travel (24.7%), Retail (21%), and Financial Services (12.7%) experienced the highest volume of bot attacks. Meanwhile, Healthcare and Law & Government experienced a considerable jump in the volume of bad bot attacks in 2022. Gaming (58.7%) and Telecommunications (47.7%) had the highest proportion of bad bot traffic on their websites and applications. 
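The account takeover and Mobile Safari findings above share a defensive lesson: a User-Agent string that reports few attributes cannot by itself separate a masquerading bot from a real iPhone user, so detection has to rest on behaviour (login volume, distinct usernames, failure ratio, request rate). The following script is an added illustration written for this post, not Imperva's code or the report's methodology. It parses a small set of constructed, tab-separated access-log lines (assumed format: client IP, ISO-8601 timestamp, method, path, status, username or "-", User-Agent), profiles each client, flags credential-stuffing and burst patterns, and then shows what share of each browser family's traffic those flagged clients represent. All thresholds and the log format are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed User-Agent strings (realistic shapes, not taken from any real capture).
MOBILE_SAFARI_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 "
                    "Mobile/15E148 Safari/604.1")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36")


def _line(ip, ts, method, path, status, user, ua):
    """Build one log line in the assumed tab-separated format."""
    return "\t".join([ip, ts, method, path, str(status), user, ua])


# Constructed sample log: a human iPhone user, a bot posing as Mobile Safari
# that tries ten usernames in ten seconds, and a Chrome user just browsing.
SAMPLE_LOG = "\n".join([
    _line("198.51.100.5", "2022-09-01T10:00:00Z", "POST", "/api/login", 200, "alice", MOBILE_SAFARI_UA),
    _line("198.51.100.5", "2022-09-01T10:00:04Z", "GET", "/account", 200, "-", MOBILE_SAFARI_UA),
    _line("198.51.100.5", "2022-09-01T10:00:09Z", "GET", "/static/app.css", 200, "-", MOBILE_SAFARI_UA),
    *[_line("203.0.113.10", f"2022-09-01T10:00:{i:02d}Z", "POST", "/api/login",
            200 if i == 7 else 401, f"user{i}", MOBILE_SAFARI_UA) for i in range(10)],
    _line("192.0.2.20", "2022-09-01T10:01:00Z", "GET", "/", 200, "-", CHROME_UA),
    _line("192.0.2.20", "2022-09-01T10:01:30Z", "GET", "/products", 200, "-", CHROME_UA),
])

# Thresholds are assumptions for this example, not values from the report.
MIN_LOGINS = 5           # minimum login attempts before judging a client
MIN_DISTINCT_USERS = 4   # many different usernames from one client
MIN_FAIL_RATIO = 0.8     # most of those attempts failing
MAX_REQ_PER_SEC = 0.5    # sustained faster than one request every two seconds


def parse_log(text):
    """Parse the assumed tab-separated format into a list of dicts."""
    rows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ip, ts, method, path, status, user, ua = raw.split("\t", 6)
        rows.append({"ip": ip, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "method": method, "path": path, "status": int(status),
                     "user": user, "ua": ua})
    return rows


def ua_family(ua):
    """Coarse browser family from the User-Agent; enough to group traffic, not to trust it."""
    if "Chrome/" in ua or "CriOS/" in ua:
        return "Chrome"
    if "Mobile/" in ua and "Safari/" in ua:
        return "Mobile Safari"
    return "Other"


def profile_clients(rows):
    """Aggregate behavioural counters per (client IP, User-Agent) pair."""
    clients = defaultdict(lambda: {"requests": 0, "logins": 0, "failed_logins": 0,
                                   "usernames": set(), "first": None, "last": None})
    for r in rows:
        c = clients[(r["ip"], r["ua"])]
        c["requests"] += 1
        c["first"] = r["ts"] if c["first"] is None else min(c["first"], r["ts"])
        c["last"] = r["ts"] if c["last"] is None else max(c["last"], r["ts"])
        if r["method"] == "POST" and r["path"] == "/api/login":
            c["logins"] += 1
            c["usernames"].add(r["user"])
            if r["status"] != 200:
                c["failed_logins"] += 1
    return clients


def flag_clients(clients):
    """Return {client_key: [reasons]} for clients whose behaviour looks automated."""
    findings = {}
    for key, c in clients.items():
        reasons = []
        if (c["logins"] >= MIN_LOGINS and len(c["usernames"]) >= MIN_DISTINCT_USERS
                and c["failed_logins"] / c["logins"] >= MIN_FAIL_RATIO):
            reasons.append("credential-stuffing pattern")
        span = (c["last"] - c["first"]).total_seconds()
        if c["requests"] >= MIN_LOGINS and c["requests"] / max(span, 1.0) > MAX_REQ_PER_SEC:
            reasons.append("burst rate")
        if reasons:
            findings[key] = reasons
    return findings


def bad_traffic_share_by_family(rows, findings):
    """Fraction of each UA family's requests that came from flagged clients."""
    total, flagged = defaultdict(int), defaultdict(int)
    for r in rows:
        fam = ua_family(r["ua"])
        total[fam] += 1
        if (r["ip"], r["ua"]) in findings:
            flagged[fam] += 1
    return {fam: flagged[fam] / total[fam] for fam in total}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    findings = flag_clients(profile_clients(rows))
    for (ip, ua), reasons in findings.items():
        print(f"{ip} [{ua_family(ua)}]: {', '.join(reasons)}")
    print(bad_traffic_share_by_family(rows, findings))
```

On the constructed input, the human iPhone session and the bot share an identical User-Agent and are only told apart by the bot's ten distinct usernames, 90% failure ratio and sub-second cadence; the share report then shows most "Mobile Safari" requests in the sample coming from the flagged client, which is the kind of view that makes a disguise like this visible in aggregate.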

The market-leading Imperva Advanced Bot Protection prevents bot operators, attackers, unsavory competitors, and fraudsters from abusing, misusing, and attacking your applications. It safeguards businesses from today’s most sophisticated bot attacks by protecting websites, mobile apps, and APIs against every OWASP automated threat. Advanced Bot Protection embraces a holistic approach, combining the vigilant service, superior technology, and industry expertise needed to enable customers with full visibility and control over human, good bot, and bad bot traffic, offering multiple response options for each. Most importantly, it does so without imposing unnecessary friction on legitimate users, maintaining the flow of business-critical traffic to your applications. Advanced Bot Protection is part of the market-leading Imperva Application Security Platform.

 A.L.
