Bots now account for nearly half of all internet traffic globally, with so-called ‘bad bots’ responsible for a third.

According to the 2024 Imperva Bad Bot Report, the proportion of internet traffic generated by bots hit its highest ever level last year, up 2% on the year before. Traffic from human users fell to just 50.4%.

“Automated bots will soon surpass the proportion of internet traffic coming from humans, changing the way that organizations approach building and protecting their websites and applications,” said Nanhi Singh, general manager for application security at Imperva.

“As more AI-enabled tools are introduced, bots will become omnipresent. Organizations must invest in bot management and API security tools to manage the threat from malicious, automated traffic.”

‘Bad bots’ have already taken over in Ireland, where they account for 71% of traffic, and in Germany, where they account for 68%. Mexico, meanwhile, sees 43% of traffic generated by malicious bots, with the U.S. figure standing at 34%.

Generative AI, as you’d expect, is making things worse, with the volume of simple bots increasing to 40% in 2023, up from 33% in 2022.

Meanwhile, account takeover attacks rose by 10% in 2023, with 44% targeting API endpoints, compared with 35% in 2022. In fact, of all login attempts across the internet, 11% were associated with account takeover. The worst-hit industries were financial services at 37%, travel at 12% and business services at 8%.

APIs are a popular vector for attack, with automated threats behind three in ten API attacks in 2023. Of these, 17% were bad bots exploiting business logic vulnerabilities—a flaw within the API’s design and implementation that allows attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts.

For the second year in a row, gaming has the biggest bot problem, at 57% of traffic. Meanwhile, retail, travel and financial services had the highest volume of bot attacks.

The proportion of advanced bad bots—those that closely mimic human behavior and evade defenses—was highest in law and government at 78%, followed by entertainment at 71% and financial services at 67%.

A quarter of bad bot traffic came from residential ISPs, with residential proxies allowing bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address. Late last year, a report from Lunio found that advertisers are set to waste over $71 billion on traffic generated by invalid activity, including bots and automated scripts—up by a third from 2022.

“Bots are one of the most pervasive and growing threats facing every industry. From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organization’s bottom line by degrading online services and requiring more investment in infrastructure and customer support,” said Singh.

“Organizations must proactively address the threat of bad bots as attackers sharpen their focus on API-related abuses that can lead to account compromise or data exfiltration.”
