Imperva, the cybersecurity leader that protects critical applications, APIs and data, anywhere at scale, has released its 2023 Imperva Bad Bot Report, a global analysis of automated bot traffic across the Internet. In 2022, nearly half (47.4%) of all Internet traffic came from bots, a 5.1% increase over the previous year. The proportion of human traffic (52.6%) decreased to its lowest level in eight years.
For the fourth consecutive year, the volume of bad bot traffic – malicious automated software applications capable of high-speed abuse, misuse and attacks – grew to 30.2%, a 2.5% increase over 2021. The staggering level of bad bot activity across the Internet in 2022 was the highest since the creation of the Imperva Bad Bot Report in 2013. Malicious bot activity is a significant risk for businesses as it can result in account compromise, data theft, spam, higher infrastructure and support costs, customer churn and degraded online services. Collectively, billions (USD) are lost annually as a result.
For the past decade, the annual Imperva Bad Bot Report has provided security and business leaders with useful and practical information about the evolution of bot technology and automated traffic. Imperva documented these annual trends to raise awareness about the business risk associated with bad bot activity.
Key findings from the 2023 Imperva Bad Bot Report:
- Bad bots are increasingly sophisticated and harder to detect. In 2022, the proportion of bad bots classified as ‘advanced’ accounted for more than half (51.2%) of all bad bot traffic. In comparison, the level of bad bot sophistication in 2021 was 25.9%. This is a concerning trend for businesses as advanced bad bots closely mimic human behaviour.
- Account takeover (ATO) attacks increased 155% in 2022. Further, 15% of all login attempts in the past 12 months, across all industries, were classified as account takeover. Cybercriminals use bad bots to facilitate credential stuffing and brute force attacks, as automation can cycle through credentials quickly until successful.
- Targeting APIs to abuse business logic and compromise accounts. In 2022, 17% of all attacks on APIs came from bad bots abusing business logic. A business logic attack exploits flaws in the design and implementation of an API or application with the intent of manipulating legitimate functionality to steal sensitive data or illegally gain access to accounts.
- Travel (24.7%), Retail (21%) and Financial Services (12.7%) continue to experience the highest volume of bot attacks. Meanwhile, Healthcare and Law & Government experienced a considerable jump in the volume of bad bot attacks in 2022. Bots are a growing problem for all industries.
- Majority of countries have a bad bot problem. Of the 13 countries analysed, more than half (7) had bad bot traffic levels that exceeded the global average of 30.2%.
- Browser settings disguise bad bot behaviour. One in five bad bots used Mobile Safari as their browser of choice in 2022, up from 16.1% in 2021. Updated browsers offer privacy settings that obfuscate bad bot behaviour, making it harder for organisations to detect and stop automated traffic.
“Bots have evolved rapidly since 2013, but with the advent of generative AI, the technology will evolve at an even greater, more concerning pace over the next 10 years,” said Karl Triebes, Senior Vice President and GM, Application Security, Imperva.