Barracuda threat researchers have found that bad bots are evolving to become more advanced and human-like in their behavior in order to boost the chances of success in account takeover and other automated attacks. In a new report on bot activity over the last 12 months, the researchers also noted that an emerging category of AI bots, which could be considered “grey bots,” is blurring the boundary of legitimate activity.
Bots are automated software programs designed to perform online activities at scale.
Bad bots are designed for malicious or harmful online activities and can be deployed against many different targets, including websites, servers, application programming interfaces (APIs), and other endpoints.
The Barracuda researchers analyzed bot-related traffic and activity targeting Barracuda web applications and APIs between September 2023 and the end of August 2024. Among other things, the researchers found that:
- Bad bots make up 24% of internet traffic in 2024, down from 39% in 2021.
- The number of individual bad bots has risen; they now make up 44% of detected clients, compared to 36% a year ago.
- 49% of bots were classed as “advanced bots.” Most of these were bad bots that can mimic human behavior and handle complex online and web interactions, such as engaging with targets in account takeover attacks, while bypassing standard controls that look at rate of traffic, error rate, CAPTCHA, and IP addresses.
- Other types of bad bots detected include “impersonator” bots designed to impersonate human behaviors, typically for malicious purposes such as fraud; and known “violators” that have previously engaged in undesirable or malicious activity.
“While it is good news that the proportion of bad bots in internet traffic has declined, our deeper analysis shows that the range of bad bots has risen over the last 12 months and many of these are advanced bots,” said Tushar Richabadas, principal product marketing manager at Barracuda. “Bad bots are bad news for business. They can steal data, commit fraud, exploit vulnerabilities, overload websites with traffic, spread spam, skew business analytics, disrupt services for legitimate customers, and more. We also see an emerging category of ‘grey bots’: AI bots designed to extract or scrape large volumes of data from websites. Strong defenses against bot attacks are more important than ever.”
Understanding and addressing the threat of bad bots is crucial for maintaining the security and integrity of online activities. Effective, targeted bot protection helps to detect and protect against automated attacks carried out by malicious bots, while at the same time enabling known good bots, such as search engine crawler bots and SEO bots, to crawl your web application.
Such protection requires a multilayered approach, including robust application security, ideally with specialist anti-bot protection. Strong access and authentication controls, including multifactor authentication, will help to secure vulnerable access points such as login pages from brute force and credential stuffing attacks.