Bad Bots, bad bots, whatcha gonna do?
After Elon Musk announced his intent to purchase Twitter, there were several concerns about how the takeover would affect the popular social media app. However, before the deal can close, Musk wants Twitter to provide public proof that fewer than 5% of its accounts are bots.
While these bots refer to automated accounts that can manipulate experience and even sales revenue, they are not as problematic as bad bots. In fact, Facebook deleted 6.5 billion fake user accounts in 2021 alone, most of which were social media bots.
As such, it is not surprising that Musk wants to get a confirmation from Twitter before making the deal. From scraping data from sites to gain a competitive edge to snatching the latest games console or concert tickets, bots are plaguing the internet and can cause serious damage.
Of course, there is no denying that there are good bots as well. A good bot performs useful or helpful tasks that aren’t detrimental to a user’s experience on the Internet.
Bad bots, by contrast, enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Successful attacks can lead to the theft of personal information, credit card data, and loyalty points.
According to the 2022 Imperva Bad Bot Report, bad bots accounted for a record-setting 27.7% of all global website traffic in 2021, up from 25.6% in 2020. The three most common bot attacks were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items.
When it comes to digital businesses, bad bots are often the first indicator of online fraud and also represent a risk to customers. In 2021, evasive bad bots — a grouping of moderate and advanced bad bots that elude standard security defenses — made up 65.6% of all bad bot traffic. This breed of bot uses the latest evasion techniques, including cycling through random IPs, entering through anonymous proxies, changing identities, and mimicking human behavior to evade detection.
For organizations, automated abuse and online fraud contribute to non-compliance with data privacy and transaction regulations. Bad bot traffic is rising at a time when organizations are investing in improving customer experiences online. That investment has resulted in more digital services, new online functionality, and the development of expansive API ecosystems. Unfortunately, this array of new endpoints is a ripe target for automated attacks by bad bot operators.
The report also showed that account takeover had increased by 148% in 2021, with financial services the most targeted industry. The implications of account takeover are extensive as successful attacks lock customers out of their accounts, while fraudsters gain access to sensitive information that can be stolen and abused.
Interestingly, travel, retail, and financial services witnessed a notable volume of attacks originating from sophisticated bad bots. These industries remain a prime target because of the valuable personal data they store behind user login portals on their websites and mobile apps.
In Asia Pacific, Singapore experienced the highest volume of bad bot traffic. Globally, Singapore was just slightly behind Germany on the global average. The United States and the United Kingdom were also higher than the global average of bad bot traffic.
Another interesting highlight from the report showed that mobile user agents were a popular disguise for bad bot traffic in 2021, accounting for more than one-third of all internet traffic, up from 28.1% in 2020. Mobile Safari was a popular agent in 2021 because bots exploited the browser’s improved user privacy settings to mask their behavior, making them harder to detect.
“Businesses cannot overlook the impact of malicious bot activity as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, and degraded online services,” commented Ryan Windham, Vice President, Application Security, Imperva.
Windham also pointed out that with automated fraud growing in intensity and complexity, advanced bot protection is essential for preventing the growing threat digital businesses and consumers face from bad bots.