Automated and malicious traffic increases by over 20% YoY
Asp per Imperva, a Thales company, data – 2024 Imperva Bad Bot Report, nearly half of all global internet traffic came from bots in 2023 – the highest level Imperva has reported since it began monitoring automated traffic in 2013. For the fifth consecutive year, the proportion of global web traffic associated with bad bots rose, reaching 32% in 2023, up from 30.2% in 2022, while traffic from human users decreased to 50.4%.
“With attackers increasingly exploiting API vulnerabilities and lapses in business logic guardrails, a proactive stance is essential to prevent data breaches, account takeovers, and large-scale data theft.”
Reinhart Hansen, Director of Technology, Asia Pacific and Japan, at Imperva, a Thales company
Australia remained in the top three countries targeted by bad bots, representing 8.4% of all bot attacks globally; ranking third behind the USA and the Netherlands. Bots (good and bad) now make up 36.4% of the country’s total internet traffic, underscoring that businesses across the nation still face a threat from malicious and automated traffic. Australia’s bad bot traffic grew to 30.2% in 2023, an increase of 23.2% year-on-year (YoY).
Reinhart Hansen, Director of Technology, Asia Pacific and Japan, at Imperva, a Thales company, stressed the criticality of taking proactive steps against bad bots as they grow in sophistication. “With attackers increasingly exploiting API vulnerabilities and lapses in business logic guardrails, a proactive stance is essential to prevent data breaches, account takeovers, and large-scale data theft. From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organisation’s bottom line by degrading online services and forcing more investment in infrastructure and customer support. Organisations in Australia must proactively confront the menace of bad bots as attackers sharpen their focus on API-related abuses that can lead to compromised accounts and data exfiltration,” he added.
Key trends identified in the 2024 Imperva Bad Bot Report include:
- Global average of bad bot traffic grew to 32%: Ireland (71%), Germany (67.5%), and Mexico (42.8%), saw the highest levels of bad bot traffic in 2023. In APAC, Singapore notably experienced a high level of bad bot traffic, accounting for 35.2%, surpassing the global average. In contrast, Japan recorded the lowest level of bad bot traffic at 17.7%.
- Growing use of generative AI connected to the rise in simple bots: Generative AI and large language models (LLMs) technology use web scraping bots and automated crawlers to feed training models, while enabling nontechnical users to write automated scripts for their own use. The rapid adoption of generative AI resulted in the volume of simple bots increasing to 39.6% in 2023, up from 33.4% in 2022. Australia in particular, has a high volume of simple bots (70.6%) – 31% higher than the global average. The industries in Australia with the highest proportion of simple bot traffic are Business (88%), Retail (87%), and Lifestyle (82%).
- The gaming industry continues to experience the highest levels of bad bot traffic:
Globally, for the second year in a row, gaming (57.2%) experienced the highest proportion of bad bot traffic. This trend mirrors the situation in Australia, where bad bots made up 75.19% of all traffic in the gaming industry. The other two industries which experiences the highest proportion of bad bot traffic are Sports (63.38%), and Healthcare (61.23%).
- Account takeover is a persistent business risk: Account takeover (ATO) attacks increased 10% in 2023, compared to the same period in the prior year. Notably, 44% of all ATO attacks targeted API endpoints, compared to 35% in 2022. Of all login attempts across the internet, 11% were associated with account takeover. The industries that saw the highest volume of ATO attacks in 2023 were Financial Services (36.8%), Travel (11.5%), and Business Services (8%).
- APIs are a popular vector for attack: Automated threats caused a significant proportion (30%) of API attacks in 2023 globally. Among them, 17% were bad bots exploiting business logic vulnerabilities—a flaw within the API’s design and implementation that allows attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts. Cybercriminals use automated bots to find and exploit APIs, which act as a direct pathway to sensitive data, making them a prime target for business logic abuse.
- Bad bot traffic originating from residential ISPs grew to 25.8%: Early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users. Sophisticated actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic in the past year, up from 28.1% just five years ago.
“Organisations face substantial financial losses every year due to automated traffic, a concern that cuts across all industries,” notes George Lee, Senior Vice President for Asia Pacific and Japan at Imperva. “Automated bots are on track to outnumber human-generated internet traffic, and with the proliferation of AI-powered tools, their presence is becoming increasingly pervasive. It’s imperative for enterprises to prioritise investment in bot management and API security solutions to effectively combat the threat posed by malicious automated traffic.”