Automation and bots have the potential to positively revolutionise the fintech market if used correctly. However, research from Netacea has shown that if abused, malicious bots can go for months undetected, costing companies $85.6million a year. This is the same as roughly fifty average ransomware payouts.
Netacea, the bot detection and response specialist, has published its new report titled Death by a Billion Bots: The Accumulating Business Cost of Malicious Automation. In it, Netacea reveals that the majority of attacks are seen in the US (48 per cent). Meanwhile, excluding the UK (which suffers 37 per cent of attacks), Europe only saw nine per cent of attacks, and the rest of the Americas excluding the US only seven per cent.
The report surveyed 440 businesses with an average online revenue of $1.9billion across the travel, entertainment, e-commerce, financial services and telecoms sectors in the US and the UK.
It identifies most attacks as originating from China (72 per cent) and Russia (66 per cent). Despite accounting for only two per cent of the Asian population, Vietnam is also a prominent hub from which attacks originate.
Breaking down how the bot attack sphere has evolved, Netacea identified that over 75 per cent of all attack traffic in Europe comes from Russia. It further reveals that business attacks from Russia have increased by 82 per cent in two years. They have also increased by 11 per cent since sanctions were imposed in early 2022.
Analysing the attack trends over the past three years, Netacea looks at how website, mobile app, and API bot attacks have changed. Since 2020, website attacks have remained at around 65 per cent, decreasing to 63 per cent in 2022. However, API attacks almost doubled in that time from 23 per cent in 2020 to 40 per cent in 2022. A similar trend was seen in mobile app attacks as they increased from 46 per cent to 65 per cent in the same time frame.
“One explanation for the success of threat actors is that they are evolving their attacks, with API-based incidents now reported by 40 per cent of businesses,” said Cyril Noel-Tagoe, principal security researcher at Netacea. “Simultaneously, the targeting of mobile apps has also gained prominence—surpassing web-based attacks for the first time as attackers seek to exploit less fortified avenues. With more businesses using APIs and mobile apps, it presents a larger threat surface.”
No one is safe
In 2021, scalper (78 per cent), scraper (67 per cent) and account checker (69 per cent) attacks were not recorded as much as in 2020. Worryingly, in 2022, 99 per cent of companies that detected an automated attack said they had seen an increase in attack volumes across all forms. The report then delves into how automation attacks differ from traditional attacks, explaining how they chip away at companies in a way that can go undetected for a long time.
“Big ransomware attacks and GDPR fines grab headlines, but what we’ve uncovered is more insidious, and far more costly to businesses—what we’ve called ‘death by a billion bots’,” said Andy Still, co-founder of Netacea.
“The cumulative effect of these attacks is wiping tens of millions of dollars in value from online businesses, not to mention the effect on their reputations and operations, yet this activity is low key enough to remain undetected for months. With the fastest growth seen in countries where there is little chance of law enforcement, businesses can only expect these attacks to increase in number.”
The research found that the average business loses 4.3 per cent, or $85.6million, of online revenues every year as a result of malicious automation. This is more than double their financial impact in 2020, when the average cost was just $33.3million per business.
With malicious automation taking the average business four months to detect, long dwell times compound business impact by giving sophisticated bots a lengthy opportunity to harvest value from companies. Almost every organization (97 per cent) reported that it takes over a month to respond to malicious automation.