Nearly half of all global internet traffic came from bots in 2023, according to a new report from Imperva, a Thales company, which protects critical applications, Application Programing Interfaces (APIs), and data – the highest level Imperva has reported since it began monitoring automated traffic in 2013.

For the fifth consecutive year, the proportion of global web traffic associated with bad bots rose, reaching 32% in 2023, up from 30.2% in 2022, while traffic from human users decreased to 50.4%. 

Australia remained in the top three countries targeted by bad bots, representing 8.4% of all bot attacks globally, ranking third behind the US and the Netherlands. Bots (good and bad) now make up 36.4% of the country’s total internet traffic. Australia’s bad bot traffic grew to 30.2% in 2023, an increase of 23.2% year-on-year (YoY). 

Imperva, a Thales company, director of technology for Asia Pacific and Japan, Reinhart Hansen (pictured) stressed the criticality of taking proactive steps against bad bots as they grow in sophistication.

“With attackers increasingly exploiting API vulnerabilities and lapses in business logic guardrails, a proactive stance is essential to prevent data breaches, account takeovers, and large-scale data theft,” he said.

“From simple web scraping to malicious account takeover, spam, and denial of service, bots negatively impact an organisation’s bottom line by degrading online services and forcing more investment in infrastructure and customer support. Organisations in Australia must proactively confront the menace of bad bots as attackers sharpen their focus on API-related abuses that can lead to compromised accounts and data exfiltration.”

Generative AI and large language models (LLMs) technology use web scraping bots and automated crawlers to feed training models, while enabling nontechnical users to write automated scripts for their own use. Rapid adoption of generative AI resulted in the volume of simple bots increasing to 39.6% in 2023, up from 33.4% in 2022.

Australia has a high volume of simple bots (70.6%) – 31% higher than the global average. Business (88%), retail (87%) and lifestyle (82%) were the industries with the highest proportion of simple bot traffic.

Account takeover (ATO) attacks increased 10% in 2023, compared to the same period in the prior year. Notably, 44% of all ATO attacks targeted API endpoints, compared to 35% in 2022. Of all login attempts across the internet, 11% were associated with account takeover.

Automated threats caused a significant proportion (30%) of API attacks in 2023 globally. Among them, 17% were bad bots exploiting business logic vulnerabilities—a flaw within the API’s design and implementation that allows attackers to manipulate legitimate functionality and gain access to sensitive data or user accounts.

Early bad bot evasion techniques relied on masquerading as a user agent (browser) commonly used by legitimate human users. Sophisticated actors combine mobile user agents with the use of residential or mobile ISPs. Residential proxies allow bot operators to evade detection by making it appear as if the origin of the traffic is a legitimate, ISP-assigned residential IP address. Bad bots masquerading as mobile user agents accounted for 44.8% of all bad bot traffic in the past year, up from 28.1% just five years ago. 

“Organisations face substantial financial losses every year due to automated traffic, a concern that cuts across all industries,” Imperva senior vice president for Asia Pacific and Japan, George Lee said.

“Automated bots are on track to outnumber human-generated internet traffic, and with the proliferation of AI-powered tools, their presence is becoming increasingly pervasive. It’s imperative for enterprises to prioritise investment in bot management and API security solutions to effectively combat the threat posed by malicious automated traffic.”