Not all traffic on the internet is human. Bad bots are software applications that run automated tasks with malicious intent. According to the 2022 Imperva Bad Bot Report, bad bots accounted for 27.7% of all global website traffic in 2021, up from 25.6% in 2020.
In Asia Pacific (APAC) bad bots accounted for 25.9% of website traffic in 2021. The three most common bot attacks were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items.
The report noted that Singapore had the highest proportion of bad bot traffic at 39.1%, followed by China (38.6%), Australia (25.7%), New Zealand (20.3%), and Japan (16.9%).
Bad bots are often the first indicator of online fraud and represent a risk to digital businesses, as well as their customers. In 2021, evasive bad bots -- a grouping of moderate and advanced bad bots that elude standard security defences by using the latest evasion techniques such as cycling through random IPs, entering through anonymous proxies, changing identities, and mimicking human behaviour -- made up 65.6% of global bad bot traffic.
In APAC, evasive bots were even more prevalent, making up 71.1% of all bad bot traffic. In the region, China has the highest penetration of evasive bots (86.5%), while Australia has the highest penetration of advanced bots (36.3%).
This breed of sophisticated bot produces mouse movements and clicks that fool even sophisticated detection methods. These bots mimic human behaviour and are the most difficult to stop.
“Digitally mature nations such as China and Australia have more businesses and consumers transacting online,” says Reinhart Hansen, director of technology in the Office of the CTO at Imperva. He concluded that this makes them rich targets for cybercriminals.
“As digital maturity grows, bot operators are using more sophisticated scripts that can evade the common defences. Organisations need to invest in a solution that spots and manages even the most advanced bots,” he continued.
Bad bots enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Successful attacks can lead to the theft of personal information, credit card data, and loyalty points. For organisations, automated abuse and online fraud contribute to non-compliance with data privacy and transaction regulations.
Bad bot traffic is rising at a time when organisations are investing in improving customer experiences online. That investment has resulted in more digital services, new online functionality, and the development of expansive API ecosystems. Unfortunately, this array of new endpoints is a ripe target for automated attacks by bad bot operators.
According to Hansen, businesses cannot overlook the impact of malicious bot activity, as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, and degraded online services.
“With automated fraud growing in intensity and complexity, APAC organisations need to urgently implement advanced bot protection to safeguard their customers’ interests,” he suggested.
Other findings
Account takeover increased 148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading source of ATO attacks (54%) in 2021.
The implications of account takeover are extensive. Successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
Travel, Retail and Financial Services targeted by bad bots: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021.
These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
35.6% of bad bots hide as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020.
Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
Conclusion
No industry was immune to bad bot activity in 2021. While examples of bots hoarding popular gaming consoles or clogging vaccine appointment scheduling sites made headlines in 2021, any level of bot traffic on a website can cause significant downtime, degrade performance, and reduce service reliability.
As online fraud evolves and attack tools become readily accessible to bad actors, traditional security tools become less effective. The Online Fraud Prevention solution from Imperva combines best-in-class application security products to mitigate bot activity, minimise the costs associated with fraud, and reduce compliance risk -- while contributing to improved customer experiences.