top of page

Analysis: 73% of Internet traffic is generated by bad bots.

Tens of billions of bot attacks from January to September 2023 were gathered by Arkose Labs and analysed and reported on by the company using the Arkose Labs Global Intelligence Network.

Automated programs posing as online actors are known as bots. While some provide beneficial functions, including internet indexing, the bulk is Bad Bots created with malevolent intent. The number of bad bots is rapidly rising; according to Arkose, as of Q3, 2023, 73% of all internet traffic consists of bad bots and related traffic from fraud farms.

The establishment of fictitious accounts, account takeovers, scraping, account management, and in-product misuse are the top five categories of bad bot attacks. With the exception of card testing being replaced with in-product misuse, these haven't altered from Q2. The three areas with the largest increases in attacks between Q2 and Q3 were false account creation (up 23%), account management (up 160%), and SMS toll fraud (up 2,141%).

Technology (where bad bots account for 76% of internet traffic), gaming (29% of traffic), social media (46%), e-commerce (65%), and financial services (45%) are the top five industries that are being attacked. An increasing trend among criminals is to move to fraud farms run by humans in the event that a bot is unable to fulfill its intended function. According to Arkose, there were over 3 billion fraud farm attacks in the first half of 2023. It appears that the majority of these scam farms are situated in the Philippines, Vietnam, Brazil, India, and Russia.

Two factors are expected to contribute to the rise in the prevalence of bad bots: the introduction and widespread use of artificial intelligence (gen-AI), and the growing sophistication of the criminal underworld's new crime-as-a-service (CaaS) offerings.

Intelligent bot traffic almost doubled from Q1 to Q2. The paper (PDF) states that "intelligent [bots] employ sophisticated techniques like machine learning and AI to mimic human behavior and evade detection." Because of this, they are adept at adapting to exploit weaknesses in cloud services, IoT devices, and other cutting-edge technologies. For instance, they are frequently used to get around the 2FA protection against phishing.

Separately, a sharp increase in "scraping" bots—which collect information and photos from websites—may or may not be connected to the development of artificial intelligence. Scraping rose by 432% in Q2 compared to Q1. Social media account scraping can collect the kind of personal information that gen-AI can utilize to generate convincing phishing assaults in large quantities. Then, account takeover emails, romance scams, and other scams could be sent by other bots. The tourism and hotel industries are also targeted by scraping.

It is true that scraping is a legally ambiguous practise. Although it is not expressly unlawful, it is unethical if it violates the stated terms of use on a website. Certain services provide web scraping facilities in an open manner. Here, it illustrates the connection between AI, bots (mostly scraping), and CaaS.

Kevin Gosschalk, founder and CEO of Arkose Labs, told SecurityWeek, "This is a website you can use to make sure your bots aren't getting prevented by a website." Gosschalk made reference to a certain provider that he would not name. "You can buy this programme. It supports enterprises, among other things. But it's designed specifically to perpetrate crimes. It does that function. There are numerous more websites that resemble this one, but they appear to be authentic companies. It's a great illustration of a product designed specifically to perpetrate fraud.

It's also a fantastic illustration of crime-as-a-service. Wannabe criminals who might have the motivation but lack the necessary skills to commit cybercrime are made possible by crime-as-a-service. Gosschalk went on, "The economics for adversaries have completely changed as a result of the massive rise of CaaS." "Attacking companies is much less expensive and more effective because a development shop rather than lone cybercriminals is carrying out the attacks."

The volume of Bad Bots is still rising, which implies that the crooks find them profitable. It will get worse because gen-AI will make bad bots perform better and because the expansion of CaaS will make bad bot operators more numerous. The only way to stop bots from accessing human or system targets is to detect and mitigate bad bot activity. They won't do anything if it isn't profitable.

18 views0 comments


bottom of page