Bad bot traffic increased 6.2% and now represents more than one quarter of all website requests
In 2020, there was highest percentage of bad bot traffic (25.6%), while traffic from humans fell by 5.7%, according to Imperva Research Labs’ 2021 Bad Bot Report. More than 40% of all web traffic requests originated from a bot last year, suggesting the growing scale and widespread impact of bots in daily life.
Advanced Persistent Bots remained the majority of bad bot traffic last year, amounting to 57.1%. These bots are responsible for high-speed abuse, misuse and attacks on websites, mobile apps and APIs. They closely mimic human behavior and are harder to detect and stop, presenting a unique challenge for organizations that want to mitigate downtime, reduce bandwidth consumption and improve experiences for legitimate human customers. In addition, this breed of bots creates havoc for organizations through price scraping, content scraping, account creation, account takeover, fraud, denial of service and denial of inventory.
In 2020, telecom and internet service providers (ISPs) experienced the highest proportion of overall bot traffic (45.7%), often the result of bots involved in account takeover or competitive price scraping. Meanwhile, the travel industry saw the greatest percentage of sophisticated bad bot traffic (59.7%) while government sites also experienced an increase, with bots involved in account takeover, data scraping of business registration listings and voter registration.
Key findings from the report include:
- Bots target COVID-19 vaccine appointment sites: Imperva Research Labs monitored a 372% increase in bad bot traffic on healthcare websites from September 2020 – February 2021. More recently, as vaccines became available to more age groups, Imperva Research Labs recorded bot activity at rates of 25,000 requests per hour. For health systems, pharmacies and retailers involved in the vaccine rollout, bots could disrupt the supply chain by polluting the network and make it harder for legitimate users to access appointment scheduling services.
- Scalper bots took advantage of the global pandemic: Throughout 2020, scalper bots were used to stockpile commodities. At the beginning of the year, bots were used to hoard large inventories of face masks, sanitizers, detergents, home workout equipment and more.
- Mobile browsers became a focus for bots: The percentage of bad bots disguised as mobile browsers grew to 28.1% last year, up from 12.9% in 2019. Imperva Research Labs also observed continued growth in the number of attacks launched from mobile internet service providers (ISPs) in 2020, a trend that continued for a fourth consecutive year. It shows that bots are evolving their methods to more closely mimic human behavior.
- Bots involved in account takeover fraud: Businesses with a login page on their website are under continuous credential stuffing and credential cracking attacks. In 2020, 34% of all login attempts originated from malicious bots. This is a particular concern for industries like Computing & IT, Travel, Retail, Financial Services, Entertainment, Telecom & ISPs and Healthcare.
- Grinch Bots made millions from hoarding gaming hardware: Scalpers plagued the gaming hardware market in late 2020 around the holiday shopping season. Imperva Research Labs found that bad bot traffic to retail websites globally rose 788% between September and October 2020. The timing is no coincidence and aligned perfectly with pre-order dates for new gaming consoles. The result left many gamers frustrated as gaming consoles, GPU or CPU devices became practically impossible to purchase online while bots hoarded the inventory and resold the goods for a profit.
- Even good bots present a threat: The percentage of good bot traffic reached 15.2% in 2020, up from 13.1% in 2019. When a site is polluted with any kind of bot traffic, it slows web performance and makes it harder for legitimate users to access the information or services they need. Good bots can also skew web analytics reports, making some pages appear more popular than they actually are, resulting in lower performance for advertisers.
- The United States is both the most attacked nation and largest host of bad bots: For a seventh consecutive year, the U.S. was the most attacked nation by bad bots (37.2%) with China (8.3%) and the United Kingdom (6.9%) following behind. Interestingly, bad bots were often launched from the same country they were targeting; the U.S. is the leading country where bad bots are hosted (40.5%).
“As we’ve monitored over the past eight years, bad bots continue to ravage the Internet, while attack characteristics are becoming more advanced and nuanced over time,” says Edward Roberts, Director of Strategy, Application Security, Imperva. “Throughout the past year and during a global pandemic, bad bots have thrived by targeting new markets and the impacts are now felt by everyday consumers. The Grinch Bot disruption to the gaming hardware industry in late 2020 is one example of what happens when bots go unchecked and cause denial of inventory. Bad bots must be a top concern for businesses and security practitioners in 2021 as the problem is likely to grow. Organizations must take proactive action to secure their websites, applications and APIs from these threats as bots are increasingly involved in fraudulent activity that can be a source of reputational and financial damage.”