The 2023 Imperva Bad Bot Report – Rise of the bots

Bad bots, bad bots, whatcha gonna do? Whatcha gonna do when they come for you?
29 June 2023

Stand and deliver! Your money or… well, just your money.

• The tenth annual Imperva Bad Bot Report shows a significant rise in malicious bots.
• Civilians are resorting to using bots themselves.
• Bad bots are being used to hold sought-after products and events hostage.

In 2023, human beings account for just over half of all internet traffic. The other 47% is the province of bots – software programs designed to do specific tasks, which not only hold the internet as we think we know it together, but also define what it looks like and how it works from a human perspective.

Bots are for the most part invisible to everyone but coders and programmers, and they’re designed to be silent servants of the internet. But the tenth annual Imperva Bad Bot Report has revealed that so-called “bad bots” – bots programmed with the intent to make things fail, or make things work in favor of bad actors at the expense of individuals and companies – are causing more harm than they’ve ever done before.

What does that look like?

  • It looks like account take-over (ATO) attacks up by 155% year-on-year.
  • It looks like evolved, smart bots faking Covid referral appointments to get you to give them details and data.
  • It looks like whole industries – particularly travel and retail – hit by over 20% of all bot attacks each in 2022/23.

It looks like a plague of bots that can be anything from irritating and obvious to subtle and business-crippling.

Given the potential damage that bad bots can do, we sat down with Peter Klimek, Director of Technology, Office of the CTO at Imperva, to talk through the implications of this rising swarm of malicious bots, and the people behind them.

THQ:

Bad bots. What are they? Who’s behind them? Why do they exist? Why should people care about them?

PK:

The simplest definition is that, as you say, bad bots are software programs that exist on the internet, and they have been given malicious instructions – so all they do is make the internet worse for people.

THQ:

Example?

PK:

They’ll go and they’ll scrape websites for data without permission. They’ll do things like purchasing in-demand goods to drive up prices, which the bad actors behind them can then benefit from.

If no-one in the US knew about bad bots before, they certainly know about them now, after seeing all of Taylor Swift’s tickets get sold out immediately. Of course, in that case, it wasn’t just bad bots, it was high demand too.

Do bad bots rock to electric Taylor? No, they’re all about the money. Source: Suzanne Cordeiro/AFP

But at the same time, this is what bad bots will typically target – they’ll look for different opportunities to make money. Or in certain instances, they’ll scan for vulnerabilities on the internet. Eighteen months ago, there was a lot of talk about the Log4J vulnerability, and when that first hit, bots were the ones that were going out and probing for those targets.

Imperva Bad Bot Report: good bots and bad bots.

But above and beyond that, bad bots can even do things like shape public opinion. There’s quite a bit that bad bots can do.

And in the most recent Imperva Bad Bot Report, we discovered that bad bots account for 30.2% of internet traffic, which is up 2.5% over last year.

Of course, it’s important to say that while there are lots of these bad bots, there are good bots too. Good bots are things like the Google search index, or the Google search crawler.

These are bots that go out and are designed to serve us, they have legitimate business usages. Fetcher bots are another example – every time you post something on LinkedIn, or Twitter, or Facebook, or Instagram, it needs to go and fetch a bit of information – the headline, the cover photo, and so on.

Now, this year, we’ve found that good bot traffic is also up.

THQ:

So – more bots all round, in both white hats and black?

PK:

Right. Good bots now make up around 17.3% of the internet – also up around 2.5% year-on-year. If you add that all together, humans make up around 52.6% of the internet – which is a decline of 5.1% year-on-year.

THQ:

As someone who spends their entire working life adding human-created content to the internet, there’s something deeply depressing about that statistic.

PK:

Ha. It’s interesting, to be sure.

If it helps, as this was our tenth Imperva Bad Bot Report, we were able to take a look back at trends over time. For a while there, the internet was around half bad bots or half bots in general, then the numbers started to even out as more and more people came online, specifically when more people came online in India and Southeast Asia.

THQ:

But now the bots are on the rise again.

PK:

Yeah.

Imperva Bad Bot Report: reasons for the rise.

THQ:

Not to be basic, but… why?

PK:

Ha. Great question. There’s no one answer, unfortunately. But ultimately, there’ve been a couple of big shifts over the last few years.

First and foremost, more commerce shifted online. More people came online, more businesses started reaching people online. Ultimately, that was a really big driver of it as a whole.

THQ:

More people in the water equals more sharks?

PK:

Exactly. And over the last few years, we saw accelerations of that, specifically because of the pandemic, and the supply chain crunches of a couple of years ago.

Those things had major impacts on bots, because bots were in a really good position to take advantage of that. They were able to go and basically buy all of those highly coveted goods.

In the US, when we were coming out of lockdown, you still had reduced attendance or reduced availability of certain things. Even something as simple as a yoga class. Bots were online, snatching up all the yoga classes.

THQ:

And we’re pausing just briefly to savor that image.

PK:

Stick with me, the next bit’s weird. As bots snapped up all the things people wanted… what do you think people did?

THQ:

Well, we want to say they raised a people’s army, grabbed torches and pitchforks and smashed the internet to tiny pieces at their feet, but we feel we would probably have heard about that on the news.

PK:

They figured out that ultimately, if they wanted to go and get a good or something that was really highly sought-after, they themselves had to turn to bots to do it.

THQ:

There are times, and they are many, when humanity feels like a failed experiment.

PK:

So in the last few years, we’ve seen the emergence of something that we call Bots-as-a-service.

THQ:

Because we’re all about that BaaS…

PK:

It’s the embodiment of the old adage, “If you can’t beat them, join them.” People that were trying to find a PS5 and weren’t able to get one were turning to bots to try to acquire these sought-after goods. So this is part of the broader trend, where we’re seeing more and more bots come online on the internet.

Imperva Bad Bot Report: bad bots versus bad bots?

THQ:

Quick follow-ups there. Do the bots that the civilians use fall into the category of being bad bots, or are they good bots with good intentions?

PK:

Ha – intent’s interesting, but in the Imperva Bad Bot Report, we would consider them to be bad bots, because they’re essentially doing the same thing as the original bad bots.

THQ:

And just to make this clear, the bots are buying things up – so there are real humans controlling the bots, who are paying market price for the items, then re-selling them at way over the odds, right?

PK:

Yep. In the classic example, Nike have a highly coveted brand for their shoes and sneakers and other clothing. They do very limited drops of clothing and merch. That means there’s become this whole market where bots are effectively trying to buy up all the inventory. And then they turn around and resell it at five times the markup.

So in a lot of instances, the vendor themselves is still actually selling the product, and they shouldn’t care necessarily. But at the end of the day, what we find is that it does actually have an impact on those companies as well – they have to deal with upset consumers.

Bot buyers – faster than you are.

They have to deal with all sorts of other things in terms of the bandwidth that’s associated with the bots. The bots are pretty indiscriminate in the amount of bandwidth that they launch against the sites. And so it can be very costly, servicing traffic that’s not actually going to a human eyeball.

THQ:

As you say, the reputational damage can be severe – with the Taylor Swift case, a leading ticket-selling site got absolutely slated, because fans thought “What are we doing this for? What’s the point of trying to get this stuff, if as soon as it’s available, it’s crashed, because there’s all this traffic that wants it?”

PK:

That’s exactly it. There have been several of these occurrences over the years where I think people have had their eyes really opened to the impact of bad bots on the internet, and how we understand that it should work.

I’m a gamer, and I work for a cybersecurity company – we deal with bad bots on a daily basis – and I can’t get a PS5 myself!

Got a PS5 yet? Talk to the bad bot, and prepare to sell a kidney. Source: Anthony Wallace/AFP

THQ:

You need to get a bot on the case…

In Part 2 of this article, we’ll turn our attention to the damage bad bots can do to APIs, and to companies that come under bot attack.

Never underestimate the impact of a bot gone bad…