Internet-connected devices with a low level of security, such as surveillance cameras and other IoT devices, are easy prey for automated attacks. Imperva has released its annual report, titled “2020 Bad Bot Report: The Bad Bots Strike Back.” The report investigates the automation that wreaks havoc on websites and mobile apps. Bad bot traffic has increased compared to previous years, comprising almost one quarter (24.1%) of all website traffic and most heavily impacting the financial services industry. The biggest problem with bots is that they are behind credential stuffing and brute-force attacks.

Kunal Anand, CTO at Imperva, said: “Bad Bots as-a-Service is an attempt by bot operators to legitimize their role and appeal to organizations facing increased pressure to stay ahead of competition. It’s critical that businesses spanning all industries learn which threats are most pervasive in their field and take the necessary steps to protect themselves.”

What Do Bad Bots Do?

Bad bots interact with applications in the same way a legitimate user would, making them harder to detect and prevent. They enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities. Such activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, spam, transaction fraud, and more.

Country-wise mapping from the research (image)
Key Findings from the 2020 Bad Bot Report:

Bad bot traffic rises to highest levels ever. In 2019, bad bot traffic comprised 24.1% of all website traffic, rising 18.1% from the year prior. Good bot traffic consisted of 13.1% of traffic—a 25.1% decrease from 2018—while 62.8% of all website traffic came from humans.

Financial services industry hit hardest by bad bots. Every industry has a unique bot problem ranging from account takeover attacks and credential stuffing to content and price scraping. The top 5 industries with the most bad bot traffic include financial services (47.7%), education (45.7%), IT and services (45.1%), marketplaces (39.8%), and government (37.5%).

Moderate to sophisticated bad bots make up almost three quarters of bad bot traffic. Advanced persistent bots (APBs) continue to plague websites and often avoid detection by cycling through random IP addresses, entering through anonymous proxies, changing their identities, and mimicking human behavior. In 2019, 73.7% of bad bot traffic was APBs.

More than half of bad bots claim to be Google Chrome. Continuing to follow browser popularity trends, bad bots impersonated the Chrome browser 55.4% of the time. The use of data centers reduced again in 2019, accounting for 70% of bad bot traffic—down from 73.6% in 2018.

For the third year in a row, the most blocked country is Russia. In 2019, 21.1% of country blocks were Russia, followed closely by China at 19%. Despite this, with most bad bot traffic emanating from data centers, the United States remains the “bad bot superpower” with 45.9% of attacks coming from the country.

To combat bad bots, Imperva Research says CIOs/CISOs should follow these guidelines:

Because bad bots disguise their identity by reporting their user agent as a web browser to avoid detection, block, or serve a CAPTCHA to, outdated user agents and browser versions, such as old releases of Internet Explorer, Chrome, Firefox and Safari;

Block traffic from known bot hosting and proxy services such as Digital Ocean, Gignet, OVH Hosting and Choopa LLC. The report says Amazon is the biggest source of bad bots; however, its share dropped to 11.6 percent in 2019 from 18 percent the previous year;

Protect exposed APIs and mobile apps—not just your website—and share blocking information between systems wherever possible. Protecting your website does little good if backdoor paths remain open, says the report;

Monitor traffic sources carefully for suspicious signs such as high bounce rates and lower conversion rates from certain traffic sources, traffic spikes and failed login attempts;

Retailers should watch for an increase in failures, or even traffic, to gift card validation pages. These can be a signal that bots such as GiftGhostBot are attempting to steal gift card balances.
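As an added illustration of the last three guidelines (outdated user agents, failed login attempts, gift card validation failures), here is a small Python log checker; it is not code from Imperva or the report. The sample log lines, the Chrome/Firefox version floors and the per-IP thresholds are constructed assumptions to be tuned per site.

```python
import re
from collections import Counter

# Constructed sample requests in Apache combined log format (not data from the report).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
203.0.113.5 - - [10/Mar/2020:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
203.0.113.5 - - [10/Mar/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
198.51.100.9 - - [10/Mar/2020:10:00:04 +0000] "GET /products HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
192.0.2.77 - - [10/Mar/2020:10:00:05 +0000] "GET /giftcard/validate?code=AAAA HTTP/1.1" 404 80 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
192.0.2.77 - - [10/Mar/2020:10:00:06 +0000] "GET /giftcard/validate?code=AAAB HTTP/1.1" 404 80 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
192.0.2.77 - - [10/Mar/2020:10:00:07 +0000] "GET /giftcard/validate?code=AAAC HTTP/1.1" 404 80 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# Oldest Chrome/Firefox major versions still treated as current (assumed values, tune per site).
MIN_MAJOR = {"Chrome": 70, "Firefox": 60}

def outdated_ua(ua):
    """Flag Internet Explorer, or a Chrome/Firefox major version below MIN_MAJOR."""
    if "MSIE " in ua or "Trident/" in ua:
        return True
    return any(int(m.group(1)) < floor
               for name, floor in MIN_MAJOR.items()
               for m in [re.search(name + r"/(\d+)", ua)] if m)

def analyze(log_text, login_fail_limit=3, giftcard_fail_limit=3):
    """Return {ip: set(reasons)} for sources showing the report's warning signs."""
    findings, login_fails, gift_fails = {}, Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, status, ua = m.groups()
        path, status = path.split("?")[0], int(status)
        if outdated_ua(ua):
            findings.setdefault(ip, set()).add("outdated_user_agent")
        if method == "POST" and path == "/login" and status in (401, 403):
            login_fails[ip] += 1  # failed login attempts per source
        if path == "/giftcard/validate" and 400 <= status < 500:
            gift_fails[ip] += 1  # failed gift card validations per source
    for counter, limit, reason in ((login_fails, login_fail_limit, "failed_login_burst"),
                                   (gift_fails, giftcard_fail_limit, "giftcard_validation_failures")):
        for ip, n in counter.items():
            if n >= limit:
                findings.setdefault(ip, set()).add(reason)
    return findings
```

Calling `analyze(SAMPLE_LOG)` on the constructed lines flags one source per rule; in practice the flagged IPs feed a blocklist or CAPTCHA challenge rather than an outright block, since a low threshold also catches users who mistype a password.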
