Thales Blog

The Rise of the Bad Bots

April 23, 2024

Erez Hasson | Senior Product Marketing Manager, Imperva

Imperva's annual Bad Bot Report is always a fascinating – albeit alarming – insight into the nature of non-human internet traffic. The 2024 Imperva Bad Bot Report is no different, revealing that bots made up nearly half (49.6%) of all internet traffic last year. While this individual statistic is astounding, it is only the tip of the iceberg. The report analyzes the bad bot threat landscape across industries, sophistication levels, origin, and more. Here are five key takeaways from

Bad Bot Traffic Over Time

Contrary to what we might expect, bad bot traffic has increased inconsistently over the years. In 2013, when Imperva first launched the Bad Bot Report, bad bots comprised 23.6% of internet traffic, while good bots accounted for 19.4% and human traffic for 57%. However, by 2015, bad bot traffic had fallen to its lowest historical level of 18.6%, mainly due to increased human traffic from China, India, and Indonesia. This trend remained constant from 2016 to 2018. From 2018 to 2023, bad bot traffic increased dramatically, rising from 20.4% in 2018 to an all-time high of 32% in 2023.

Why has Bad Bot Traffic Increased?

According to the report, this could be attributed to the rise in popularity of generative AI, particularly when it comes to simple bots. Generative AI technology uses web scraping bots and automated crawlers to feed its training models while enabling nontechnical users to write automated scripts for personal use. As a result, the ratio of automated traffic on the internet has risen once more. However, because these are simple types of automation, the rise has mainly manifested in the ratio of simple bad bots, increasing from 33.4% in 2022 to 39.6% in 2023.

How Sophisticated are Bad Bots?

Despite the rise in simple bad bots, sophisticated bad bots remain a top concern as bot programmers continue to hone their techniques and improve evasiveness. Evasive bad bots (the combination of advanced and moderately sophisticated bot traffic) still made up 60.5% of all bad bot traffic in 2023. Although this is a slight decrease from the previous year, it's clear that bad bot traffic remains highly sophisticated, posing a real challenge for organizations across all sectors.

Bad Bots Affect All Sectors

The gaming industry suffers most from bad bot traffic, with 57.2% of traffic generated by bad bots. Bad bots are so prevalent in the gaming industry because users use them to cheat – for example, performing high-speed interactions that would be impossible for human players. Cheating this way can discourage legitimate players from playing games, resulting in lost revenue.

However, while gaming suffers most from bad bots, the law and government sector suffers from the most advanced ones: 75.8% of the sector's bad bot traffic comes from advanced bots, compared to gaming's 45.9%. This is significant because advanced bot traffic poses a substantial risk even at low volumes, as advanced bad bots can achieve their goals with fewer requests than simpler bad bots and are much more persistent in staying on their designated target.

It is crucial to recognize that various industries are threatened by bad bots in distinct ways. Although some bad bot use cases, such as content scraping and account takeover, are prevalent across different sectors, others, like scalping, usually impact specific industries like online retail and entertainment (ticketing). Certain industries, such as airlines, have unique use cases, such as 'seat spinning' attacks.

Bad Bots Targeting APIs

Automated threats accounted for 30% of attacks on Application Programming Interfaces (APIs) in 2023, 17% of which were bad bots exploiting business logic vulnerabilities, while 13% were other automated threats. Business logic attacks exploit flaws within an application's design and implementation, allowing attackers to manipulate legitimate functionality to access sensitive data or user accounts. APIs are particularly susceptible to bot attacks because they are machine-readable and act as direct pathways to sensitive data.

Bots pose a significant threat to businesses of all shapes and sizes. The increased use of generative AI will likely result in increased automated traffic, overtaking human traffic in the coming years.

You can read the full bad bots report here for more insights on the automated traffic landscape and recommendations on protecting your business.