A Their Story conversation with Sean Martin, Marco Ciappelli, and Imperva
Traditional human-driven attacks essentially exploit known software vulnerabilities through direct access to an application or system or by tricking a human to do it for them. Bot-driven attacks, however, look very different and very much alike at the same time. The bots are becoming more advanced, more human-like, and more evasive.
About the 2022 Imperva Bad Bot Report
Leveraging data from its global network, Imperva Threat Research investigates the rising volume of automated attacks occurring daily, evading detection while wreaking havoc and committing online fraud. The 9th annual Imperva Bad Bot Report is based on data collected from the Imperva global network throughout 2021. The data is composed of hundreds of billions of blocked bad bot requests, anonymized over thousands of domains. The goal of this report is to provide meaningful information and guidance about the nature and impact of these automated threats.
Bot attacks are often the first indicator of fraudulent activity online, whether it’s validating stolen user credentials and credit card information to later be sold on the dark web, or scraping proprietary data to gain a competitive advantage. Often bots are used to surveil applications and APIs in an attempt to discover vulnerabilities or weak security. Online fraud from automated bot attacks is not only a threat to the business, but it is first and foremost a risk to customers. Bad bot attacks might cause customers to be unable to access their accounts or have sensitive information stolen from them due to successful account takeover fraud.
Bad bots mask themselves and attempt to interact with applications in the same way a legitimate user would, making them harder to detect and block. They enable high-speed abuse, misuse, and attacks on your websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities.
Such activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, denial of service, denial of inventory, spam, transaction fraud, and more.
“The rise of mobile and APIs have definitely increased the bot attack vector, but they also present new opportunities to secure access to this data.”
Note: This story contains promotional content. Learn more.
Part 1: From Enrolling In College To Gambling, Traveling, And Shopping, Evasive Bad Bots Are A Major Source Of Online Fraud
Guest
Ryan Windham
VP of Application Security at Imperva [@Imperva]
On Linkedin | https://www.linkedin.com/in/rwindham/
A new year and a new Bad Bot Report from Imperva. How is it looking? Well, this year, we see an increase in the sophistication level of bad bots compared to last year, with advanced bad bots accounting for 25.9% of all bad bot traffic in 2021, compared to 16.7% in 2020. In addition, evasive bad bots are on the rise, no industry is immune, and Account Takeover attacks are more prevalent than ever.
The good news is that not all bots are Superbad — they go from Simple to Moderate, Advanced, and, Evasive — and we are getting better at finding them.
During our conversation this year, we take a quick look back in time to last year's report to see what some of the changes are. Sadly, the team at Imperva is seeing more of the advanced bots we discussed during this conversation. Unfortunately, their ability to emulate human behavior makes them much more difficult to detect.
What's driving a lot of this rise in bad bots? More and more services are moving online.
We hope you enjoy this Part 1 of 2 conversations as we explore and uncover the consequences of bad bots for our business and society.
Additional Resources
42.3% of internet traffic wasn’t human in 2021! Get the research from Imperva to learn how bad bots are driving online fraud.
Part 2: From Enrolling In College To Gambling, Traveling, And Shopping, Evasive Bad Bots Are A Major Source Of Online Fraud
Ryan Windham
VP of Application Security at Imperva [@Imperva]
On Linkedin | https://www.linkedin.com/in/rwindham/
As we continue this 2nd part of the conversation, we immediately kick things off with Gremlins and quickly move into real-world scenarios where bad bots wreak havoc by enabling high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs.
Businesses cannot overlook the impact of malicious bot activity as it is contributing to more account compromise, higher infrastructure and support costs, customer churn, skewed marketing analytics, and degraded online services.
The implications of account takeover (ATO) are also extensive, where successful attacks can lock customers out of their account, while fraudsters gain access to sensitive information that can be stolen and abused. For businesses, ATO contributes to revenue loss, risk of non-compliance with data privacy regulations, and tarnished reputations.
How can organizations — actually, the people in them that keep the business running — distinguish between real, authentic traffic versus something that's being driven by a bot? That's exactly what we talk about.
We hope you enjoy this Part 2 of 2 conversations as we explore and uncover the consequences of bad bots for our business and society.
