One cybersecurity firm reports six facets of increased business risks from bot attacks in its 2022 user base metrics.

Based on data collected from the a cybersecurity firm’s global protection ecosystem throughout 2022, which includes six trillion blocked bad bot requests across thousands of domains in 13 countries, six key findings have been published regarding the firm’s experiences with bot attacks and trends last year.

Firstly, bad bots were increasingly sophisticated and harder to detect.In 2022, the proportion of bad bots classified as “advanced” accounted for 51.2% of all bad bot traffic in its global protection ecosystem, compared to the 25.9% in 2021. Advanced bad bots are those that use the latest evasion techniques and closely mimic human behavior: cycling through random IPs, entering through anonymous proxies, and changing identities. In the firm’s Asia Pacific region ecosystem (defined here to include Australia, Indonesia, Japan, New Zealand, the Philippines, Singapore, South Korea, Thailand and Vietnam), the highest proportion of advanced bots (97.9%) were found in the social/communities sector invaded by spam bots, fake-news and comment-spam bots and clickbait malware, followed by advanced bots in the travel (79.8%) and financial services (70.4%).

Next, account takeover (ATO) attacks increased 155% in 2022, with 15% of all 2022 login attempts in the firm’s user base across all industries classified as account takeover. Bad bots were used to facilitate credential stuffing and brute force attacks that had the potential to lock customers out of their account, provide fraudsters with sensitive information, contribute to business’ revenue loss, and increase compliance risks.

Other findings

The remaining key findings include:

    1. Bad bots targeted application programming interfaces (APIs) to abuse business logic and compromise accounts. In 2022, 17% of all API attacks in the firm’s protection ecosystem were by bad bots. A “business logic attack” exploits flaws in the design and implementation of an API or application to manipulate legitimate functionality and steal sensitive data or illegally gain access to accounts. Also, of the ecosystem’s ATO attacks in 2022, 35% specifically targeted an API. When APIs are called programmatically, attackers can easily automate the process of attempting to takeover an account without triggering any alarms.
    2. The highest volumes of bot attacks across the 13 countries were in travel (24.7%), retail (21%), and financial Services (12.7%). Meanwhile, healthcare and law and government sectors in the ecosystem experienced a considerable jump in the volume of bad bot attacks in 2022. Gaming (58.7%) and telecommunications (47.7%) had the highest proportion of bad bot traffic on their websites and applications.
    3. Of the 13 countries in the analysis, seven bad bot traffic levels that exceeded the global average of 30.2%. The top three were Germany (68.6%), Ireland (45.1%) and Singapore (43.1%), while the firm’s users in the US experienced 32.1%.
    4. 20% of bad bots in the data masqueraded as Mobile Safari, up from 16.1% in 2021. It is now clear that the improved user privacy settings offered by this mobile browser were being exploited by bots to mask their behavior, which made them even harder to detect. The use of Mobile Chrome had also increased, accounting for 13.2% of the ecosystem’s attack traffic compared to 11.9% in 2021.

According to Reinhart Hansen, Director of Technology, Imperva, the firm that disclosed its ecosystem findings: “Year-over-year, the proportion of bot traffic is growing and the disruptions caused by malicious automation results in tangible business risks — from brand reputation issues to reduced online sales and security risks for web applications, mobile apps, and APIs.”

Businesses are advised to pay attention to bot attack management and other cybersecurity strategies to identify and stop sophisticated automated attacks — especially those that target APIs and application business logic.