Today, Distil Networks published its fourth annual bad bot report, which found that malicious bots attack 96% of all websites that require login credentials. Using anonymized data from domains across Distil’s global network, the 2017 Bad Bot Report studied hundreds of billions of bad bot requests. According to the report, bad bots have become increasingly prevalent in the past year, and now make up 20% of all web traffic.
“Massive credential dumps like Ashley Madison and Yahoo, coupled with the increasing sophistication of bad bots, has created a world where bad bots are running rampant on websites with accounts,” stated Rami Essaid, CEO and co-founder of Distil Networks. “Website defenders should be worried because once bad bots are behind the login page, they have access to even more sensitive data for scraping and greater opportunity to successfully carry out transaction fraud.”
Distil’s Bad Bot Report noted that these bots were able to crack user credentials and gain access to 90% of websites. Bots behind login pages are able to scrape content that is available to registered users or commit transaction fraud by validating stolen card data through transaction platforms. This makes features like payment processors, contact forms, and product information particularly attractive to bad bots. Large sites are also a prime target; sites with an Alexa rating of 1-10,000 netted a higher share of attacks than sites with lower rankings.
Among the report’s other key findings were information about where bad bots come from and the means they use to attack sites. Globally distributed cloud networks have made it easier to both build and launch bot attacks, resulting in a high number (60%) of bad bots originating from data centers. Of these cloud networks, Amazon AWS, generated the most traffic from bad bots. However, even mobile users are able to launch bot attacks, with mobile ISPs comprising 9.4% of bad bot attackers last year. This represented a sharp increase from 2015, a trend that Distil predicts will continue in the coming year.
Finally, 75% of bad bots were APBs: Advanced Persistent Bots. These sophisticated bots can load JavaScript, hold onto cookies, load external resources, and randomize elements such as IP addresses and user agents, making them much more difficult to detect. However, given the high percentage of attacks found in Distil’s bad bot report, sites would do well to take actions to guard against them.