The 2022 Imperva Bad Bot Report is now available. The report is the ninth annual in-depth analysis of bot traffic, created with data collected from Imperva’s global network throughout the past year by the Imperva Threat Research Team.
Bad bots are software applications that run automated tasks with malicious intent over the internet. They are behind some of the most common business problems today, including web scraping, scalping, online fraud, and more.
The bot problem is getting worse, as bad bot traffic continues its upward trend, amounting to 27.7% of all website traffic in 2021.
Key findings from the 2022 Imperva Bad Bot Report:
- Bad bot traffic levels set yet another record. Increasing by 2.1% from the previous year, bad bot traffic now accounts for 27.7% of traffic. Good bot traffic decreased slightly, by 0.6%, amounting to 14.6% of all traffic. As human traffic returns to pre-pandemic levels, the shift is reflected in the overall makeup of traffic relative to good and bad bots: human traffic decreased by 2.5% from last year to 59.2% of all traffic.
- Evasive bots are on the rise, as they now account for 65.3% of all bad bots. These are moderate or advanced bots that use a mix of technologies and methods to evade detection while maintaining persistence on target sites. They tend to use a variety of techniques that mimic human-like behavior, such as emulating mouse movements, cycling through random IP addresses, entering through anonymous proxies and peer-to-peer networks, and changing their user agents.
- Account takeover fraud increased 148% in 2021. Account takeover is not only the most common form of online fraud, but also the most common bot attack. Concerningly, its popularity is steadily increasing – the Imperva Threat Research Team has recorded a significant increase in account takeover attacks during the past year. This type of bot attack involves bad actors using automation (i.e. bad bots) to gain illegal access to user accounts belonging to someone else. It is essentially the digital version of identity theft. The industries targeted most frequently were Financial Services, Travel, Business Services, and Retail. But any online business with a login form is at risk of being targeted, whether just for credential validation or for the financial incentive behind user accounts.
- The shift to mobile persists, as 35.6% of bad bots reported themselves as mobile user agents. According to Statista, “Mobile accounts for approximately half of the web traffic worldwide. In the fourth quarter of 2021, mobile devices (excluding tablets) generated 54.4 percent of global website traffic…” Because bad bots tend to mimic human behavior, following human traffic patterns is vital to them, which leads to a consistent increase in bad bots reporting themselves as mobile browsers. Particularly interesting was the rise in bad bots reporting themselves as Mobile Safari. One speculation is that the improved user privacy settings now offered by this browser are helping bad bots, allowing them to mask their behavior and making them even harder to detect than they already are.
- Appointment scheduling is the latest revenue generator targeted by bad bots. Targeting products and services in high demand doesn’t end with concert tickets, sneakers, gaming consoles, and other collectors’ items. Wherever there is profit to be made because people are willing to pay extra just to skip the line, bots will be there to capitalize. Government services appointments are the latest target of bad bot operators. Social distancing and stay-at-home orders caused severe interruptions and shutdowns of government services in the first months of the pandemic, and a lack of manpower in some places compounded the problem, creating a bottleneck with wait times spanning several months, or even a year in some cases. Visa or passport applications and renewals and driving tests are just a few examples. With appointments now being scheduled online, they make a perfect target for bad bots. Just as with the new generation of gaming consoles, bad bots are now being deployed against these government appointment booking endpoints. They book all available appointments in order to sell them to the highest bidder. In France, for example, visa appointments have been sold at prices of up to €400. Imperva recently mitigated such attempts from third-party providers attempting to scrape a driver’s test booking domain to find available appointments for paying clients.
- Bots capitalize on the HEERF Student Financial Aid Grant. In a recently uncovered online scam, fraudsters have been using bots to create fake student accounts. These fake accounts are then enrolled in online classes, effectively denying legitimate students a place in those classes. This is also known as “New Account Fraud” and is classified by OWASP as OAT-019 Account Creation. As nefarious as denying legitimate students access to courses is, the real goal was financial: to mass-create fake student accounts in order to obtain the financial aid offered to students. Several colleges have been investigating this potentially widespread fraud, and Imperva has also uncovered and mitigated such activity.
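Two of the findings above describe observable patterns: evasive bots that change user agents and IP addresses while keeping a session alive, and account takeover driven by automated logins across many usernames. The following is an added detection example, not code from the report or from Imperva; it runs over a small log constructed here (the pipe-delimited field layout and the thresholds are assumptions, not a format the report describes) and flags sessions whose user-agent string changes mid-session, source IPs that spray many usernames at the login endpoint with mostly failures, and the accounts that were successfully logged into from those IPs, which are the ones a defender would reset first.

```python
"""Heuristic triage for two bad-bot patterns: user-agent rotation inside a
session (evasive bots) and credential stuffing against a login form (ATO).
The log below is constructed for this example; the field layout is an
assumption: ts|client_ip|session_id|username|path|status|user_agent."""
from collections import defaultdict

UA_IOS = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4) Mobile Safari/604.1"
UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/100.0"
UA_AND = "Mozilla/5.0 (Linux; Android 12) Chrome/100.0 Mobile"

# Constructed sample log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = "\n".join([
    f"2022-05-01T10:00:01Z|203.0.113.10|sess-A|alice|/login|200|{UA_IOS}",
    f"2022-05-01T10:00:05Z|203.0.113.10|sess-A|alice|/account|200|{UA_IOS}",
    f"2022-05-01T10:00:09Z|198.51.100.7|sess-B|-|/|200|{UA_WIN}",
    f"2022-05-01T10:00:10Z|198.51.100.7|sess-B|-|/search|200|{UA_IOS}",
    f"2022-05-01T10:00:11Z|198.51.100.7|sess-B|-|/search|200|{UA_AND}",
    f"2022-05-01T10:01:00Z|192.0.2.55|sess-C|bob|/login|401|{UA_IOS}",
    f"2022-05-01T10:01:01Z|192.0.2.55|sess-C|carol|/login|401|{UA_IOS}",
    f"2022-05-01T10:01:02Z|192.0.2.55|sess-C|dave|/login|401|{UA_IOS}",
    f"2022-05-01T10:01:03Z|192.0.2.55|sess-C|erin|/login|401|{UA_IOS}",
    f"2022-05-01T10:01:04Z|192.0.2.55|sess-C|frank|/login|200|{UA_IOS}",
    f"2022-05-01T10:02:00Z|203.0.113.10|sess-A|alice|/login|401|{UA_IOS}",
])


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, user, path, status, ua = line.split("|", 6)
        events.append({"ts": ts, "ip": ip, "session": session, "user": user,
                       "path": path, "status": int(status), "ua": ua})
    return events


def find_ua_rotation(events):
    """Sessions that presented more than one user-agent string.

    A real browser keeps one UA for the life of a session; a session cookie
    reused under several UAs (desktop, then two mobile UAs) is a strong
    evasion signal.  Returns {session_id: sorted list of UAs seen}."""
    seen = defaultdict(set)
    for e in events:
        seen[e["session"]].add(e["ua"])
    return {s: sorted(uas) for s, uas in seen.items() if len(uas) > 1}


def find_credential_stuffing(events, login_path="/login",
                             min_users=3, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames at the login endpoint
    with a high failure rate.  Thresholds are assumptions; tune per site.
    Returns {ip: {"distinct_users", "attempts", "fail_ratio"}}."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        if e["path"] != login_path:
            continue
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if e["status"] in (401, 403):
            stats["failures"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "attempts": stats["attempts"],
                           "fail_ratio": round(ratio, 2)}
    return flagged


def accounts_to_review(events, flagged_ips, login_path="/login"):
    """Usernames with a successful login from a flagged IP: the likely
    takeovers, and the first candidates for a forced credential reset."""
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged_ips and e["path"] == login_path
                   and e["status"] == 200})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    rotation = find_ua_rotation(evs)
    stuffing = find_credential_stuffing(evs)
    print("UA rotation:", rotation)
    print("Credential stuffing:", stuffing)
    print("Accounts to review:", accounts_to_review(evs, stuffing))
```

On the constructed log, session `sess-B` is reported for rotating through three user agents, `192.0.2.55` is reported for five usernames with four failures, and `frank` is listed as the account that was successfully entered from that source. The single failed login by `alice` from her own address is below both thresholds and is not flagged, which is the behaviour you want from a heuristic that feeds a rate limit or step-up challenge rather than a hard block.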
Imperva stops bad bots and reduces the risk of automated fraud
As online fraud generated from bot attacks grows in frequency and complexity, a growing number of organizations are making investments in proper bot management.
A Leader in The Forrester Wave™: Bot Management, Q2 2022 – Imperva offers bot management that is as adaptable and vigilant as the threat itself. Our Advanced Bot Protection solution is capable of mitigating the most sophisticated automated attacks, including every OWASP automated threat, from web scraping and scalping to account takeover and transaction fraud. It protects all potential access points, including websites, mobile applications, and APIs, and provides various response options for bots. Most importantly, it does so without imposing unnecessary friction on legitimate users, maintaining the flow of business-critical traffic to your applications.
Flexible deployment options include:
- Imperva’s WAAP (Web Application and API Protection) stack, including our best-of-breed CDN, WAF, DDoS, API Security, and Advanced Bot Protection working together.
- Full integration with WAF Gateway (Version 14.4 onwards).
- Available connectors for F5, NGINX, Fastly, Cloudflare, and AWS Lambda users.
Imperva Advanced Bot Protection is part of the market-leading Imperva Web Application & API Protection (WAAP) solution. Start your Application Security Free Trial today to protect your assets from automated threats.