Radware’s annual ‘The Big Bad Bot Problem 2020’ report is a comprehensive analysis of overall traffic across our global client base to uncover bot origins, targets, attack methods and trends. Our researchers analyzed hundreds of millions of instances of bots, both the good kind and the bad, along with their behavior, fingerprints, and origins, and their findings have been detailed in the report.
As bot continue to become more sophisticated, fraudsters, hacktivists, business competitors and state-backed operatives are increasingly using advanced bots to carry out their attacks. The most advanced of these are 4th-generation bots that are programmed to mimic the behavior of humans as they traverse websites and mobile applications. This helps them evade basic security measures which were not specifically developed to detect bots and contributes to the severity of their impact.
While earlier 1st and 2nd-generation bots comprised a majority of bad bots in years past, we now see attackers favoring 3rd and 4th-generation bots that mimic human behavior when executing attacks. Our researchers found that in 2019, nearly 38% of bots used to execute account takeover attacks and 41.6% of bots carrying out API abuse were 4th-generation bots.
Figure 1: Behavior of bad bots by generation
As ISPs and data centers that are notorious for originating bad bot traffic get blacklisted, cybercriminals change tactics by using compromised residential IP addresses, cloud data centers, multiple User Agents, and programmatic requests to conceal bot traffic by making them appear to be genuine users. Our research finds that Web applications are the most exploited attack surface across industries, increasing 10% over our 2018 volumes to make up 35% of total traffic on web applications.
Along with growing attacks on web applications, bot attacks on mobile devices also grew in 2019, representing 15.4% of total traffic mobile applications, compared to 13.4% in 2018. Our research also found that APIs ─ used to enable interoperability between various Web applications ─ are being attacked to steal personally identifiable information (PII), payment card details, and confidential business data. Our findings show that bad bot traffic on APIs in 2019 constituted 16.6% of all API traffic, a significant increase from the 14.3% we recorded in 2018.
Figure 2: Most Exploited Attack Surfaces – 2018 vs. 2019
Download The Big Bad Bot Problem 2020 report for a comprehensive summary of bot trends, attack methods, origins, as well as valuable recommendations on bot management.