In 2020, Imperva saw the highest percentage of bad bot traffic (25.6%) since 2014, while traffic from humans fell by 5.7%. More than 40% of all web traffic requests originated from a bot last year, suggesting the growing scale and widespread impact of bots in daily life.
Advanced Persistent Bots remained the majority of bad bot traffic over the past year, amounting to 57.1%. These bots are responsible for high-speed abuse, misuse and attacks on websites, mobile apps and APIs. They closely mimic human behavior and are harder to detect and stop, presenting a unique challenge for organizations that want to mitigate downtime, reduce bandwidth consumption and improve experiences for legitimate human customers.
In addition, this breed of bots create havoc for organizations through price scraping, content scraping, account creation, account takeover, fraud, denial of service and denial of inventory.
In the past year, telecom and ISPs experienced the highest proportion of overall bot traffic (45.7%), often the result of bots involved in account takeover or competitive price scraping.
Meanwhile, the travel industry saw the greatest percentage of sophisticated bad bot traffic (59.7%) while government sites also experienced an increase, with bots involved in account takeover, data scraping of business registration listings and voter registration.
Bots target COVID-19 vaccine appointment sites
There was a 372% increase in bad bot traffic on healthcare websites since September 2020. More recently, as vaccines became available to more age groups, bot activity was recorded at rates of 12,000 requests per hour.
For health systems, pharmacies and retailers involved in the vaccine rollout, bots could disrupt the supply chain by polluting the network and make it harder for legitimate users to access appointment scheduling services.
Scalper bots took advantage of the global pandemic
Throughout 2020, scalper bots were used to stockpile commodities. At the beginning of the year, bots were used to hoard large inventories of face masks, sanitizers, detergents, home workout equipment and more.
Mobile browsers became a focus for bots
The percentage of bad bots disguised as mobile browsers grew to 28.1% last year, up from 12.9% in 2019. There was also a continued growth in the number of attacks launched from mobile ISPs in 2020, a trend that continued for a fourth consecutive year. It shows that bots are evolving their methods to more closely mimic human behavior.
Bots involved in account takeover fraud
Businesses with a login page on their website are under continuous credential stuffing and credential cracking attacks. In 2020, 34% of all login attempts originated from malicious bots. This is a particular concern for industries like computing & IT, travel, retail, financial services, entertainment, telecom & ISPs and healthcare.
Grinch Bots made millions from hoarding gaming hardware
Scalpers plagued the gaming hardware market in late 2020 around the holiday shopping season. Bad bot traffic to retail websites globally rose 788% between September and October 2020. The timing is no coincidence, and aligned perfectly with pre-order dates for new gaming consoles.
The result left many gamers frustrated as gaming consoles, GPU or CPU devices became practically impossible to purchase online while bots hoarded the inventory and resold the goods for a profit.
Even good bots present a threat
The percentage of good bot traffic grew by 16% over the past year, and that’s a reason for concern. When a site is polluted with any kind of bot traffic, it slows web performance and makes it harder for legitimate users to access the information or services they need.
Good bots can also skew web analytics reports, making some pages appear more popular than they actually are, resulting in lower performance for advertisers.
The US is both the most attacked nation and largest host of bad bots
For a seventh consecutive year, the U.S. was the most attacked nation by bad bots (37.2%) with China (8.3%) and the United Kingdom (6.9%) following behind. Interestingly, bad bots were often launched from the same country they were targeting; the U.S. is the leading country where bad bots are hosted (40.5%).
“As we’ve monitored over the past eight years, bad bots continue to ravage the Internet, while attack characteristics are becoming more advanced and nuanced over time,” says Edward Roberts, Director of Strategy, Application Security, Imperva.
“Throughout the past year and during a global pandemic, bad bots have thrived by targeting new markets and the impacts are now felt by everyday consumers. The Grinch Bot disruption to the gaming hardware industry in late 2020 is one example of what happens when bots go unchecked and cause denial of inventory.
“Bad bots must be a top concern for businesses and security practitioners in 2021 as the problem is likely to grow. Organizations must take proactive action to secure their websites, applications and APIs from these threats as bots are increasingly involved in fraudulent activity that can be a source of reputational and financial damage.”