Bad Bot Traffic Report: Nearly half of all internet traffic in 2021 was non-human

Imperva’s 2022 Bad Bot Report has some eye-opening results, the main one being that bad bot traffic is getting close to overtaking human activity on the internet.

Traffic from bots accounted for 42.3% of all internet activity in 2021, up from 40.8% in 2020. Traffic from bad bots is nearly double that from so-called “good bots” that perform legitimate functions such as indexing and automatic replies.

After a hiatus of several years, bad bot traffic is on the rise again

Bot traffic last surpassed human traffic on the internet in 2014, the year this annual Imperva study began. The rise in human traffic’s share that followed, which reached as high as 62%, was due in large part to the significant suppression of bad bots (those that operate with malicious intent). These pesky bots have been on the rise again since 2019, however; they now far outnumber their “good” counterparts and threaten to dominate the internet once again.

As the report notes, there is a direct correlation between malicious bot activity and cybercrime rates. Malicious bots are typically the first element of an attack plan, whether it’s surveillance of a target network or attempts to compromise accounts. Other functions that qualify for malicious bot status include retail item scalping, content scraping from websites, distributed denial of service (DDoS) attacks, and “inventory denial” schemes where hot items are locked in virtual shopping carts to manipulate prices or deny sales to competitors.

Bad bots have become quite advanced over the last decade, blending with good bot traffic to evade detection and in some cases employing very sophisticated techniques to mimic human activity. More advanced bots can use modified web browsers, mimic human-like mouse movements and clicks, regularly change IP addresses, and pace their actions to appear more like a legitimate end user. These particular bots, called the “evasive” class, are now the majority of bad bot traffic at 65.6%.

Bad bot traffic also tends to fluctuate throughout the year, peaking in December when threat actors attempt to capitalize on holiday shopping. This continued to be the case with malicious bot traffic accounting for 30% of all internet activity in December 2021, up from 24% at the start of the year.

Some industries are also heavily targeted and experienced substantial increases in malicious bot traffic in 2021. More sophisticated bots have increasingly turned their attention to travel, retail, automotive, educational, and government websites.

There is also a large regional disparity in bot traffic. The US is the overwhelming favorite for bad bots, attracting 43.1% of their attacks. The next most frequent target is Australia at 6.8%.

Bot traffic is increasingly going towards account takeover attempts

Much of the increase in malicious bot traffic comes from account takeover activities. These range from classic “brute force” attacks that sequentially try passwords listed in a dictionary file, to the “credential stuffing” variant that uses only compromised logins drawn from data breaches. These types of attacks increased by 148% in 2021, and over 65% of them now use an “evasive” form of advanced bad bot to bypass automated defenses.
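The two account-takeover patterns described above leave different footprints in authentication logs: brute force concentrates many attempts on a few usernames, while credential stuffing tries many usernames roughly once each. The following is an added example (not code from Imperva or from this article) that parses a constructed login log and applies an assumed per-source heuristic to tell the two apart, then lists accounts that logged in successfully from a flagged source so they can be reviewed. The log format, field names and thresholds are assumptions for illustration.

```python
"""Heuristic triage of login logs for brute-force vs credential-stuffing patterns.

Added example; log format, thresholds and sample data are assumptions, not
anything from the Imperva report.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
# <timestamp> ip=<addr> user=<name> result=<ok|fail>
SAMPLE_LOG = """\
2021-12-03T10:00:01Z ip=203.0.113.10 user=alice result=fail
2021-12-03T10:00:02Z ip=203.0.113.10 user=bob result=fail
2021-12-03T10:00:03Z ip=203.0.113.10 user=carol result=ok
2021-12-03T10:00:04Z ip=203.0.113.10 user=dave result=fail
2021-12-03T10:00:05Z ip=203.0.113.10 user=erin result=fail
2021-12-03T10:00:06Z ip=203.0.113.10 user=frank result=fail
2021-12-03T10:00:07Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:08Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:09Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:10Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:11Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:12Z ip=198.51.100.7 user=alice result=fail
2021-12-03T10:00:20Z ip=192.0.2.5 user=alice result=fail
2021-12-03T10:00:25Z ip=192.0.2.5 user=alice result=ok
2021-12-03T11:30:00Z ip=192.0.2.5 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_sources(events):
    """Per-source-IP counters: total attempts, failures, distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        if e["result"] == "fail":
            s["failures"] += 1
        s["users"].add(e["user"])
    return stats


def classify(stats, min_attempts=5, min_fail_ratio=0.6):
    """Label each source IP (thresholds are assumed, tune per environment).

    credential_stuffing: mostly failures, nearly one distinct username per attempt
    brute_force:         mostly failures, attempts concentrated on few usernames
    suspicious:          mostly failures but neither shape is clear
    benign:              too few attempts, or a healthy success rate
    """
    verdicts = {}
    for ip, s in stats.items():
        fail_ratio = s["failures"] / s["attempts"]
        if s["attempts"] < min_attempts or fail_ratio < min_fail_ratio:
            verdicts[ip] = "benign"
            continue
        users_per_attempt = len(s["users"]) / s["attempts"]
        if users_per_attempt >= 0.8:
            verdicts[ip] = "credential_stuffing"
        elif users_per_attempt <= 0.34:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def compromised_accounts(events, verdicts):
    """Usernames that logged in successfully from a flagged source IP.

    These are the accounts to lock or force through a credential reset.
    """
    flagged = {"credential_stuffing", "brute_force"}
    return {
        e["user"]
        for e in events
        if e["result"] == "ok" and verdicts.get(e["ip"]) in flagged
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    v = classify(profile_sources(evts))
    for ip, label in sorted(v.items()):
        print(f"{ip:15} {label}")
    print("accounts to review:", sorted(compromised_accounts(evts, v)))
```

Keying on the source IP is the simplest cut, but the article’s point about evasive bots rotating IP addresses means a real deployment would also aggregate by target username, ASN, or client fingerprint so that a low-and-slow campaign spread across thousands of addresses still surfaces.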

Some countries that aren’t among the most targeted by overall bot traffic are among the most frequently subject to account theft attempts: Singapore, France, Puerto Rico, and Chile all top the list just behind the United States. Financial services and travel sites are also targeted by these types of attacks more than any other industry, more than double the next category on the list (business services); the more advanced bots show a strong preference for travel and retail sites. The problem is still heavily biased towards the US, however, with 22% of the country’s residents (over 24 million households) now estimated to have experienced account theft at some point.

The report finds that malicious bot traffic overall is growing in frequency, complexity and intensity. Imperva says the largest bot attack it has ever recorded occurred in January 2022, using over 400,000 IP addresses to flood a job posting website with 400 million login attempts over an extended period. Bad bots are also finding new avenues of attack, such as enrolling in colleges in an attempt to scam them out of grants and financial aid.

There are no indications that this problematic bot traffic is slowing down, and it remains a short-term security concern for organizations. John Gunn, managing director of Token, suggests that using passwordless alternatives is critical: “Account takeover via stolen credentials remains the #1 threat to every organization, and bots automate and expedite this process. Strong, effective, and cost-effective biometric authentication is essential to ensure safety”.


Garret Grajek, CEO of YouAttest, suggests that organizations can take a more immediate step in addressing identity governance policies: “It should alarm anyone involved in IT that 28 percent of global web traffic management resources will be trafficking bots. This traffic is harmful by nature, as denial of service is one of the pillars of the CIA principle: confidentiality, integrity and availability. Businesses need to realize that this traffic is ongoing and its content is malicious in nature. And because many of the bots carry traffic that will ultimately result in scans and vulnerability assessments, a business needs to beef up its defenses. Given that over 65% of attacks will end up using weakened credentials, an identity governance policy is critical.”