After analyzing traffic from 159 bot defense customers, this review found that in the absence of a bot defense solution, Mobile APIs experience significantly more automation than Web applications. However, once a bot defense solution is deployed in mitigation/blocking mode, we see a reversal, with Web having higher levels of persistent attacks despite consistent mitigation. Figure 2 shows that pre-mitigation, Mobile APIs experience on average 21.0% automation compared to 17.4% for Web applications. Post-mitigation, the percentage automation falls drastically for both Web and Mobile as attackers give up and others try to retool past mitigation. Automation levels of 3.9% for Mobile APIs, compared to 6.0% for Web applications were observed.

A hypothesis for why this is the case is that Mobile APIs tend to be more homogenous than Web applications. As a result, attack tools designed for attacks against one company’s Mobile APIs can easily be pointed at a different company with minimal customizations. As a result, the barrier to entry for attacks against Mobile APIs is low, resulting in higher levels of automation pre-mitigation compared to Web. Once mitigation/blocking is enabled, Mobile attackers find it easier to simply point their attack tools towards an unprotected target rather than retool, as the effort of such retargeting is minimal. On the other hand, Web attackers invest a lot of effort to customize their tools for each website and hence are unwilling to abandon all their hard work once they are mitigated. They therefore tend to persist a bit more despite mitigation as the effort of moving to another target is significant. This results in post mitigation automation being higher on Web than on Mobile. This is our working theory that explains this phenomenon. It is, however, difficult to know for sure what causes this observation.

Because the majority of Bot defense customers are in mitigation/blocking mode, it therefore makes sense that Figure 1 shows higher levels of automated attacks against Web applications compared to Mobile APIs.

Industry Trend Analysis

Our analysis showed that there are fluctuations in the level of automated attacks for each industry from month to month (as shown in Figure 4 and Figure 5 below). There are, however, some strong patterns in the proportion of unwanted automation by industry. There are several factors that affect how much automation we see on a given enterprise and by aggregation in each industry:

1. Value – What is the payout of using automation against the given enterprise? What kinds of money, stored credit cards, gift cards, miles, points, discounts, services, etc., can be stolen from hacked accounts? What is the payout of success?
2. Security – How well defended are enterprises in this sector? Do they have large security budgets and teams? How long will it take for fraudulent activities to be detected — in short, what is the probability of success?
3. Risk – What is the probability of being identified and what are the consequences if identified?
4. Deterrence (length of protection) – How long have strong defenses been in place? Have existing anti-bot defenses successfully mitigated and deterred attackers? (New Bot Defense customers tend to have higher automation percentages than those that have been protected for longer. The mix of new and old customers in each industry may also impact the industry automation overview in Figure 1, though this impact will decrease over time.)

Using this factor list, we can explain why the Airline industry, for example, is one of the most attacked. The demand for airline miles is huge and attackers that take over large numbers of airline accounts can accumulate large amounts of miles that can be used to purchase flights and first-class upgrades that have a ready market. The value of the attacks against the airline industry is very high, leading to high attack volumes. Airline flight ticket pricing is often opaque, which creates a large market for flight comparison and flight ticket hacking companies that try to game the system to get travelers the cheapest possible tickets. These companies are well resourced, highly motivated, and send a lot of automated traffic against the Airline’s flight search, seat map, and other flows.

On the other end of the percentage automation spectrum are insurance companies. The value to be gained from taking over a person’s insurance login is minimal. This low value and high risk associated with prosecution for insurance fraud makes this an unattractive industry for attackers. Insurance companies employ teams of investigators to analyze and go after fraud which makes this a risky undertaking for a very limited payout.

Web

Figure 4 below gives the 2023 trend in Web automation (%) for the 13 industries highlighted in Figure 1 above. The image legend is sorted from highest to lowest automation (%) based on December 2023 numbers for ease of reference.