Almost half of internet traffic to commercial websites comes from ‘bad bots’ bent on fraud, and the retail industry is particularly vulnerable, a study has shown.
Bad bots are software applications that run automated tasks with malicious intent, and they are typically used for account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items, says the 2022 Imperva Bad Bot Report.
The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
In 2021, Germany (39.6%), Singapore (39.1%), and Canada (30.2%) experienced the highest volumes of bad bot traffic, while the United States (29.1%) and United Kingdom (29.7%) were also higher than the global average (27.7%) of bad bot traffic.
35.6% of bad bots hide as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
Bad bots are often the first indicator of online fraud and represent a risk to digital businesses, as well as their customers. In 2021, evasive bad bots — a grouping of moderate and advanced bad bots that elude standard security defences — made up 65.6% of all bad bot traffic. This breed of bot uses the latest evasion techniques, including cycling through random IPs, entering through anonymous proxies, changing identities, and mimicking human behaviour to evade detection.
Bad bots enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Successful attacks can lead to the theft of personal information, credit card data, and loyalty points. For organisations, automated abuse and online fraud contribute to non-compliance with data privacy and transaction regulations. Bad bot traffic is rising at a time when organisations are investing in improving customer experiences online. That investment has resulted in more digital services, new online functionality, and the development of expansive API ecosystems. Unfortunately, this array of new endpoints is a ripe target for automated attacks by bad bot operators.
“Businesses cannot overlook the impact of malicious bot activity as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, and degraded online services,” says Ryan Windham, Vice President, Application Security, Imperva. “With automated fraud growing in intensity and complexity, advanced bot protection is essential for preventing the growing threat digital businesses and consumers face from bad bots.”