Last year, nearly half of all Internet traffic came from bots, up 5.1% from a year earlier, according to the 2023 Imperva Bad Bot Report. More worryingly, the volume of traffic coming from malicious bots has increased for the fourth consecutive year, resulting in higher levels of account compromise, data theft, spam and degraded online services.
Organizations lose billions (USD) every year due to automated attacks on their websites, infrastructure, APIs and applications. Additionally, malicious automation in the form of bad bots is also responsible for higher infrastructure and support costs, customer churn, and tarnished brand reputation.
Now, with the advent of generative artificial intelligence (AI), bots will evolve at an accelerated and more worrying rate over the next 10 years. Regardless of industry, automated attacks will become a major source of risk for every organization.
The growing sophistication of bad bots leads to higher levels of fraud
More than a decade ago, bot technology was used as a means to increase the reach of phishing email attacks. Since then, the technology has evolved rapidly, to the point where advanced bots can now mimic human-like keyboard and mouse movements.
Unfortunately, the percentage of bad bots classified as advanced more than doubled between 2021 and 2022, accounting for the majority of bad bot traffic globally. This should be a wake-up call for any digital organization, as these bots have the ability to evade detection by cycling through random IPs, entering through anonymous proxies, and switching identities. Over time, advanced malicious bots will lead to more online fraud, data loss, and deteriorated online services.
We’re already seeing the first signs of what advanced automation could mean for the future of the internet. Last year, the volume of account takeover (ATO) attacks grew by an astonishing 155%. Meanwhile, 15% of all login attempts, across all industries, were classified as account theft. There is increasingly a correlation between public data breaches and the volume of account takeover attacks, as motivated cybercriminals exploit leaked credentials before users realize their data is exposed.
4 ways the evolution of bots will disrupt security in the next decade
Generative AI will be used by bad actors to accelerate bot development and sophistication in the coming months and years. As a result, we will see four trends emerge:
- The inevitable disappearance of CAPTCHA. For years, organizations have relied on CAPTCHA puzzles to challenge users and distinguish between human and automated traffic. While this approach was effective in protecting websites and online services in the past, generative AI will render this detection tool useless. Sophisticated bots will be able to easily emulate human behavior, obfuscate their actions and evade detection. Organizations will need to evolve their defenses with an emphasis on behavior-based detection solutions.
- An internet of automated users. The percentage of traffic coming from bots will increase over the next 10 years, exceeding the percentage of human traffic on the internet. We could see a staggering 70-80% of global traffic come from automation, particularly over the next few years, as content scrapers and crawlers multiply with the wider adoption of AI tools. This will put pressure on organizations to more effectively detect and block malicious bot traffic.
- The dawn of a new era of online fraud. The way fraudsters compromise your identity and steal sensitive information will evolve thanks to generative AI. It will become easier for scammers to masquerade as someone else, leading to a new generation of social engineering attacks. For example, a scammer could create a believable, fake version of you by scouring the internet and social media for information, audio clips, and images that can be packaged using artificial intelligence. This illegitimate version of you could be used to create new passwords, open accounts, and more.
- APIs become a ripe target for attackers. In 2022, 17% of all API attacks came from malicious bots abusing business logic. Even more concerning, 35% of account takeover attacks in 2022 specifically targeted an API. With the help of AI, attackers can automate the process of programmatically calling an API to take over an account, exfiltrate data, scrape data, and more, without ever triggering an alarm.
Gone are the days when you could effectively protect your site from malicious bots with just a few configurations and rules. Today’s advanced bots can mimic human behavior, making it more difficult to detect and block automated threats. Organizations need to implement a bot management solution that can identify and stop sophisticated automation that targets application APIs and business logic, without impacting the experience of legitimate users. To do this, organizations should implement a solution with machine learning, device fingerprinting, and built-in behavioral analytics that can pinpoint specific anomalies in sites’ unique traffic patterns. More aggressive security measures should be implemented in high-traffic parts of the site, but not necessarily the entire site, to avoid impacting user experience.
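The behavior-based approach described above, as an added illustration that is not Imperva's product code: activity is aggregated per device fingerprint rather than per IP, so an actor that rotates IPs or proxies is still seen as one actor, and a small suspicion score drives a tiered response on the login API. The log records, the fingerprint field and the thresholds are constructed assumptions.

```python
"""Behaviour-based scoring of login-API traffic (added example, hypothetical)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records: (client IP, device fingerprint, path, user, login ok).
# fp-A rotates across five IPs and cycles through five accounts on the login
# endpoint (credential-stuffing shape); fp-B is an ordinary human session.
LOG = [
    ("203.0.113.10", "fp-A", "/api/v1/login", "alice", False),
    ("203.0.113.11", "fp-A", "/api/v1/login", "bob", False),
    ("203.0.113.12", "fp-A", "/api/v1/login", "carol", False),
    ("203.0.113.13", "fp-A", "/api/v1/login", "dave", False),
    ("203.0.113.14", "fp-A", "/api/v1/login", "erin", True),
    ("198.51.100.7", "fp-B", "/api/v1/login", "frank", False),
    ("198.51.100.7", "fp-B", "/api/v1/login", "frank", True),
    ("198.51.100.7", "fp-B", "/api/v1/orders", "frank", True),
]

@dataclass
class Profile:
    ips: set = field(default_factory=set)
    users: set = field(default_factory=set)
    logins: int = 0
    failures: int = 0

def build_profiles(log):
    """Aggregate per fingerprint, not per IP, so IP rotation does not split one actor."""
    profiles = defaultdict(Profile)
    for ip, fp, path, user, ok in log:
        p = profiles[fp]
        p.ips.add(ip)
        if path == "/api/v1/login":          # only the high-traffic login path is scored
            p.logins += 1
            p.users.add(user)
            p.failures += 0 if ok else 1
    return profiles

def score(p: Profile) -> int:
    """Hypothetical 0-3 suspicion score; each behavioural signal adds one point."""
    s = 0
    s += len(p.ips) >= 3                                  # IP rotation behind one fingerprint
    s += len(p.users) >= 3                                # many distinct accounts tried
    s += bool(p.logins) and p.failures / p.logins >= 0.6  # high login failure rate
    return int(s)

def classify(log):
    """Tiered response per fingerprint: allow (0), step-up challenge (1), block (2+)."""
    tiers = {0: "allow", 1: "challenge"}
    return {fp: tiers.get(score(p), "block") for fp, p in build_profiles(log).items()}
```

Stricter tiers apply only to the login path here, matching the advice to concentrate aggressive measures on high-traffic parts of the site rather than everywhere.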
The next 10 years will bring significant challenges to security teams as they face the ever-evolving threat of automation and malicious bots. By understanding the potential risks and staying informed about the latest trends in generative AI, organizations can more effectively minimize the impact of malicious bots on websites, APIs and applications.
By Karl Triebes, SVP and General Manager, Application Security, Imperva