Bots make up nearly half of all internet traffic, and while most are useful, some have been designed with malicious intent. So, what exactly is a bot? Discover the differences between ‘good’ and ‘bad’ bots and how to protect your organisation.
What is a bot?
Put simply, it’s a computer program that automates tasks carried out over the internet. It’s an automated script, engineered by a human.
Some are good and serve a legitimate purpose. An example of a good one is Googlebot, the crawler Google deploys to index web pages for its search engine.
However, others are malicious and are used to scan websites for software vulnerabilities and execute simple attack patterns. This malicious activity can include data mining, ad fraud or brute-force attacks.
What are the different types of bots?
There are many different types – malicious and legitimate. Some of the more common types are:
Scraper Bots: Scrapers read data from websites with the objective of saving it offline and enabling its reuse. For instance, they may scrape the entire content of web pages, or scrape web content to obtain specific data points, such as the names and prices of products on eCommerce sites.
Ticketing Bots: These are an automated way to purchase tickets to popular events, with the aim of reselling those tickets for a profit, particularly common for large music and sporting events. Travel also sees its fair share of bot-related attacks, engaging in ‘seat spinning’ to hold airline seats to release or resell at a premium. The same principle also applies to securing in-demand products on e-commerce sites.
Spam Bots: Internet applications designed to gather email addresses for spam mailing lists. After attackers have amassed a large list of email addresses, they can use them not only to send spam email, but also for other malicious purposes such as credential cracking.
Social Media Bots: These are very common and are growing in prevalence – in fact, it’s estimated that up to 15% of X accounts are social bots. They can generate messages, create fake followers, and infiltrate groups of people to propagate specific ideas. Since there is no strict regulation surrounding social bots, they can play a major role in shaping online public opinion. This has caused particular concern about the impact they can have on elections.
Download Bots: Automated programs used to download software or mobile apps. They can be used to inflate download statistics, for example to gain more downloads on popular app stores and reach the top of the charts. They can also be used to attack download sites, creating fake downloads as part of an application-layer Denial of Service (DoS) attack. Many companies fell victim to DDoS attacks last year, as easier access to sophisticated tools is enabling more bad actors to carry out DDoS attacks at scale.
Why should businesses take action?
According to the 2024 Imperva Bad Bot Report, nearly half (49.6%) of all internet traffic came from bots in 2023 – the highest level reported in the past decade. But perhaps the biggest cause for concern is that almost a third (32%) of all internet traffic comes from bad bots.
Businesses should mitigate these attacks to protect their reputation and finances, and to ensure compliance with regulations. Attacks can lead to financial losses, legal consequences and operational disruption. They may result in data breaches, intellectual property theft and SEO damage. Implementing security measures is essential for detecting and preventing bad bots.
How can businesses mitigate against bots?
Traffic from automated bots will soon exceed traffic from humans, meaning that businesses must change how they approach the protection of their websites and applications. As more AI-enabled tools are introduced, bots will become omnipresent. Given the surge in API attacks, organisations must invest in bot management and API security tools to manage the threat from malicious, automated traffic.
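To make "detecting bad bots" concrete, the following Python script is an added example (not code from the original article or from any vendor it mentions) that triages a web server access log for the behaviours described above: the burst request rate and catalogue harvesting typical of scraper bots, the repeated failed logins of a brute-force attack, and a client claiming to be Googlebot, which a defender should verify out of band (Google publishes reverse-DNS guidance for this) before trusting. The log lines, IP addresses, paths and thresholds are all constructed for the example and are not taken from the article.

```python
"""Heuristic bot triage over a Combined Log Format access log (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format, e.g.
# 203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /p/1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, max_rpm=60, max_login_failures=5, max_catalogue_pages=50):
    """Group requests by client IP and return {ip: [reason, ...]} for suspicious clients.

    Thresholds are illustrative assumptions; tune them to the site's real traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    window = timedelta(seconds=60)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # 1. Burst rate: any sliding 60 s window holding more than max_rpm requests.
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_rpm:
                reasons.append("high_request_rate")
                break

        # 2. Scraping pattern: one client walking many distinct product pages (/p/<id>).
        pages = {r["path"] for r in recs if r["path"].startswith("/p/")}
        if len(pages) > max_catalogue_pages:
            reasons.append("catalogue_scraping")

        # 3. Brute force: repeated failed POSTs to the login endpoint.
        failures = sum(
            1 for r in recs
            if r["method"] == "POST" and r["path"] == "/login" and r["status"] in (401, 403)
        )
        if failures > max_login_failures:
            reasons.append("login_brute_force")

        # 4. Claimed search-engine crawler: the user agent alone proves nothing, so flag it
        #    for reverse-DNS verification, which this offline script deliberately does not do.
        if any("Googlebot" in r["ua"] for r in recs):
            reasons.append("claimed_crawler_unverified")

        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, t, method, path, status, ua="Mozilla/5.0 (constructed sample)"):
    """Build one constructed log line in combined format."""
    ts = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: documentation-range addresses, not real traffic.
BASE = datetime(2024, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(70):  # scraper: 70 distinct product pages in 35 seconds
    SAMPLE_LOG.append(_line("203.0.113.5", BASE + timedelta(seconds=i // 2), "GET", f"/p/{i}", 200))
for i in range(6):  # brute force: six failed logins
    SAMPLE_LOG.append(_line("198.51.100.7", BASE + timedelta(seconds=i * 10), "POST", "/login", 401))
SAMPLE_LOG.append(_line("192.0.2.9", BASE, "GET", "/", 200,
                        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"))
for i, p in enumerate(["/", "/p/3", "/cart"]):  # ordinary visitor
    SAMPLE_LOG.append(_line("192.0.2.10", BASE + timedelta(seconds=i * 20), "GET", p, 200))

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Run it as a script to see the flagged clients; the ordinary visitor produces no finding. Simple per-IP heuristics like these are a starting point rather than a bot management product: distributed bots spread requests across many addresses to stay under rate thresholds, so production detection also looks at session behaviour, TLS and browser fingerprints, and API-level anomalies, which is why the article recommends dedicated bot management and API security tooling.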