Russia and China Dominate Majority of Bot Attacks on Large Companies
September 2023 by Netacea
Netacea, the bot detection and response specialist, announced results of a new report into the business impact of malicious automated attacks. The research reveals that most bot attacks now come from Russia and China and that the financial impact is greater than ever, costing each company $85.6m every single year (the equivalent of over fifty average ransomware payouts, or the 8th highest ever GDPR fine).
The report, Death by a Billion Bots: The Accumulating Business Cost of Malicious Automation, surveyed 440 businesses with an average online revenue of $1.9bn across the travel, entertainment, ecommerce, financial services and telecoms sectors in the US and the UK.
Of those surveyed, 72% had suffered attacks originating in China and 66% from Russia. Overall, over half (53%) of all bot attacks came from these two countries, with Russian threats increasing by 82% in just the last two years.
"Economic coercion, in today’s age, doesn’t need to be the physical blockading of ports with gunboats. Instead, it can be the manipulation of markets, or the slow bleeding of wealth from organizations not aligned with the hostile actors’ objectives," said Rob Black, Lecturer in Information Activities at Cranfield University.
The research found that the average business loses 4.3%, or $85.6m, of online revenues every year due to the volume of attacks now being enabled by malicious automation. This is more than double their financial impact in 2020, when the average cost was just $33.3m per business.
Attacks take the average business four months to detect, and these long dwell times compound the business impact by giving sophisticated bots a lengthy opportunity to harvest value from companies. Almost every organization (97%) reported that it takes over a month to respond to malicious automation.
"One explanation for the success of threat actors is that they are evolving their attacks, with API-based incidents now reported by 40% of businesses," said Cyril Noel-Tagoe, Principal Security Researcher at Netacea. "Simultaneously, the targeting of mobile apps has also gained prominence—surpassing web-based attacks for the first time as attackers seek to exploit less fortified avenues. With more businesses using APIs and mobile apps, it presents a larger threat surface."
Almost every company (99%) that admitted being attacked by bots also said it had noticed rising threat volumes over the previous year, with the top three attack types being Sniping, Credential Stuffing and Scraping. Gift Card Fraud also emerged as a fast-rising attack type, with over a quarter of companies saying they had seen a significant increase in this threat.
"Big ransomware attacks and GDPR fines grab headlines, but what we’ve uncovered is more insidious, and far more costly to businesses—what we’ve called ‘death by a billion bots’," said Andy Still, Co-Founder of Netacea. "The cumulative effect of these attacks is wiping tens of millions of dollars in value from online businesses, not to mention the effect on their reputations and operations, yet this activity is low key enough to remain undetected for months. With the fastest growth seen in countries where there is little chance of law enforcement, businesses can only expect these attacks to increase in number."