Application layer attacks by bad bots continue to rise, says a vendor report, another sign that threat actors are increasingly using automation in their work.
Last year bad bots accounted for 25.6 per cent of application layer website traffic detected by cloud data security provider Imperva, the company said in its eighth annual Bad Bot Report. That’s a 6.2 per cent increase over 2019.
By comparison, in 2015 bad bots made up 18.6 per cent of website traffic, although Imperva admits that because it now has access to more data the figures collected before last year can’t easily be compared to 2002.
Some 57 per cent of bad bots were what Imperva calls advanced persistent bots, sometimes called “low and slow” bots because they stay below request rate limits that trigger security alerts.
“In a year when people were stuck at home during the pandemic and internet usage surged, it is concerning to see that bot operators were also more active than ever and the proportion of automated traffic reached new heights,” the report noted.
The report defines bad bots as software applications that run automated attacks with malicious intent. Their activities range from scraping pricing, inventory levels and content from websites by competitors to credentials stuffing. By contrast, good bots help people make appointments or find things.
The report focuses on bad bot activity in the application layer. Bad bots used for distributed denial of service attacks, which abuse network protocols, were not covered.
Perhaps to no one’s surprise, the report says threat actors used bad bots in their pandemic-related attacks.
For example, bad bots have been used for years to help scalp inventory of high-demand products such as brand-name running shoes, clothing, rock concert tickets and sporting event tickets so they can be re-sold by crooks at inflated prices. Last year, the report says, bots were used to hoard large inventories of face masks – particularly N95 masks — sanitizer, detergents, home workout equipment and more.
Bad bots have also been seen spreading fake news on social media sites, the report says. Often these posts include malicious links.
The report worries that crooks will create bots that scalp and hoard COVID-19 online vaccine appointments.
Imperva has seen a 372 per cent increase in bad bot traffic on healthcare sites around the world since September 2020.
To avoid being detected, the report says, bad bots usually masquerade as legitimate users by reporting their user agent as a web browser or mobile device. The most popular fake browser last year – again – was Chrome, although the use of fake Firefox agents is increasing. Among fake mobile browsers the two most common are Mobile Safari and Mobile Chrome.
Data centres are still responsible for the majority of bat bot traffic (54 per cent), but that’s a drop from 2019. Meanwhile, the trend of bad bots originating from residential internet service providers continues to rise (in 2020 it was just under 31 per cent). Bad bot traffic from mobile ISPs jumped to 15 per cent of traffic.
The report offers a number of suggestions to combat bad bots including:
- Monitor failed login attempts.
- Investigate traffic spikes.
- Evaluate traffic sources for high bounce rates and low conversion rates from certain sources.
- Monitor increases in failed validation of gift card numbers.
- Protect exposed corporate APIs and mobile apps, not just your website.
- Block traffic from known suspicious hosting providers and proxy services.
- Block or Captcha outdated user agents/browsers.
- When launching a limited quantity, high-demand product be prepared for bot attacks.
Access the full report here. Registration required.
