ITEM: Well over a third of internet traffic in Asia-Pacific isn’t generated by humans, but by bots. Most of them are bad bots out to take over your account, defraud you or crash your website. And the problem is getting worse.
That’s according to the latest bot report from security firm Imperva, which says that 42.3% of global internet traffic in 2021 originated from bots rather than humans. In Asia-Pacific, bots account for 37.7% of internet traffic. Which wouldn’t be so bad except that in all countries and all regions, the majority of bot traffic is malicious.
‘Bad bots’ are software applications that run automated tasks enabling high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Successful attacks can lead to the theft of personal information, credit card data, and loyalty points.
And they’re everywhere, says Imperva. According to the report, bad bots accounted for 27.7% of all global internet traffic in 2021, up from 25.6% the previous year. APAC was slightly lower, with malicious bots accounting for 25.9% of website traffic last year.
The report adds that some countries have more of a bot problem than others – of five APAC countries studied, Singapore had the highest proportion of malicious bot traffic last year at 39.1%, followed by China (38.6%), Australia (25.7%), New Zealand (20.3%) and Japan (16.9%).
It gets worse – while some bots are relatively simple and not hard to fend off, others are becoming increasingly sophisticated. So-called ‘evasive’ bots elude standard security defenses by using the latest evasion techniques such as cycling through random IPs, entering through anonymous proxies, changing identities, and mimicking human behaviour. More advanced bots mimic human behaviour by producing mouse movements and clicks that fool even sophisticated detection methods, and are the most difficult to stop.
These accounted for 65.6% of global bad bot traffic, and over 71% of APAC traffic. Except for Singapore, most APAC markets are being targeted by these types of bots, especially China and Australia, says Reinhart Hansen, Director of Technology of Office of the CTO at Imperva:
“Digitally mature nations such as China and Australia have more businesses and consumers transacting online,” says Hansen. “This makes them rich targets for cyber criminals. As digital maturity grows, bot operators are using more sophisticated scripts that can evade the common defenses.”
The three most common attacks were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items.
More findings (from the release):
- Account takeover increased 148% in 2021: In 2021, 64.1% of ATO attacks used an advanced bad bot. Financial Services was the most targeted industry (34.6%), followed by Travel (23.2%). The United States was the leading source of ATO attacks (54%) in 2021. The implications of account takeover are extensive; successful attacks lock customers out of their account, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
- Travel, Retail and Financial Services targeted: The volume of attacks originating from sophisticated bad bots was most notable across Travel (34.2%), Retail (33.8%), and Financial Services (8.8%) in 2021. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
- 35.6% hide as mobile web browsers: Mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, increasing from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behaviour, making them harder to detect.
The risks for enterprises are (or should be) fairly obvious, the report says:
Bad bot traffic is rising at a time when organisations are investing in improving customer experiences online. It’s resulted in more digital services, new online functionality, and the development of expansive API ecosystems. Unfortunately, this array of new endpoints is a ripe target for automated attacks by bad bot operators.
The report adds that while some sites might be more attractive than others, or at least more sensational – for example, bot attacks on gaming consoles and vaccine appointment scheduling sites made big headlines last year – the truth is that every industry sector was hit last year, and any level of bot traffic on a website can cause significant downtime, degrade performance, and reduce service reliability.
It also brings an increased risk of non-compliance with data privacy and transaction regulations as automated abuse and online fraud become more prevalent, says Hansen:
“Businesses cannot overlook the impact of malicious bot activity as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, and degraded online services.”
The full report is available here.