Where in the World do Bots Come From?
- Netacea, Agentless Bot Management
Bots make up more than 42% of all internet traffic — so there’s a good chance bots are regularly visiting your website. While some bots are good, most are malicious, and are designed to cause problems for you and your site users.
Many businesses try to protect themselves from bad bots by blocking users from certain locations. This tactic assumes users from far-flung destinations are probably bots. But bots can easily evade location-based blockers by using residential proxy networks to make it look like the traffic is coming from a different location, disguising the real country of origin.
Knowing where bots come from helps us understand their motives. In 2014, it was reported that Russian bots flooded UK news site the Guardian with as many as 40,000 pro-Kremlin comments a day. These bots contributed to a campaign of disinformation around the time of Russia’s annexation of Crimea, and numerous conspiracy theories around Russia-Ukraine relations.
Our 2022 bot management review shows Russia is now one of the top five countries deploying bots around the world. In this article, we’ll reveal:
- the countries where most bot attacks originate
- why more bots are coming from Russia and Asia
- why monitoring bots by geography isn’t the best way to protect your business from automated attacks.
Where do bot attacks come from?
In our 2021 bot management review, we found that most people believed most bot attacks came from China and Russia — but more actually originated in the UK and US. “What we've found in this year’s survey in the UK and the US is that it’s pretty much stayed consistent to last year,” says Cyril Noel-Tagoe, principal security researcher at Netacea. “However, there’s been a sharp increase in attacks from Russia, China, and Vietnam.”
The UK, US, Russia, China, and Vietnam are now the most prolific countries when it comes to creating and deploying bot attacks. So why has there been a sudden increase in bot attacks from these nations?
Why are bots in Russia and Asia increasing?
Speaking during a recent webinar on the subject, James McQuiggan, security awareness advocate at KnowBe4, said bot deployment from these countries is largely about intelligence gathering. “The big nations in the world — the US, UK, China, Russia — they’re being attacked, but they’re doing the attacking as well. So it’s understandable that we’re going to see those attacks coming from all these different places.”
Surveillance and disinformation bots are both a consequence and a cause of heightening tensions between Russia and the West. As well as giving billions of dollars in aid and defense resources to Ukraine following the Russian invasion, US president Joe Biden has also pledged to defend Taiwan if it were attacked by China — and has urged the UK to do the same. Meanwhile, Russian president Vladimir Putin continues to escalate his anti-Western rhetoric. As the rift between these countries deepens, we can expect to see even more bots used for gathering intelligence and spreading disinformation.
The reason for the growth of bots originating in Vietnam is less clear. While Vietnam has traditionally had strong relationships with Russia and China, in recent years it has begun to build ties with Western countries including the US. In early 2021, Amnesty International published a report outlining the online threats posed by Vietnamese state-backed groups.
“There are small groups that are established within these countries, and it doesn’t surprise me that these are the leading ones when it comes to these attacks,” says James. “I’m interested and quite surprised to see that we don’t have North Korea on there using bots as well. But they may be using proxies to mask where the bots are actually coming from.”
Other reasons for bot use around the world
State-backed bots strive to make political gains. But not all bots are used by or for governmental organizations. Many are designed to make money.
Dr Kiri Addison, senior product manager at Mimecast, says that bots are often used for fraud and financial gain. “We’ve seen a move to bot use in some of the BEC [business email compromise] threat actors we monitor. There’s one group in particular that we believe is based in Africa. Typically, they’d have a team of people manually sending out business email compromise emails.
“What we’ve seen is a move to automating that initial delivery of the email. There’s a certain level of reconnaissance involved. They need to know who the target is, and who the CEO in that company is. Before, they’d have a big team of people working on this. They’d send a load of emails out and wait for a response, then manually type back to them. But they’ve been able to automate that first stage, massively reducing their manual burden.”
While the so-called Nigerian prince scam is one of the oldest and most well-known internet scams, it still manages to swindle Americans out of $700,000 every year. And despite the name, most of these scams don’t actually originate in Nigeria — they can come from countries all over the world.
Should you use location to monitor bot threats in your organization?
“It’s important to realize that although we’ve listed five countries here, these aren’t the only ones,” says Cyril. “It’s a widespread problem. Any geography with an internet connection — which is all of them — can be a source of bot attacks.”
Because bots can come from anywhere — and disguise their origin using proxy networks — location isn’t the best bot indicator. Not only can bots easily get around your geographical filters, but you could also accidentally block real users from your site.
Cyril believes location-based blocking can be appropriate in some circumstances, but for some businesses, it won’t work well. “If you’re a US-based organization, you may know that your website visitors primarily are served in the US, so you don’t expect visitors from elsewhere. That makes it easier to geofence your site. But if you’re a global organization, it’s hard. You’ve got all these different geographies that could be bot attacks or legitimate users.”
Why user behavior is the best way to detect bots
Bot behavior recognition is far more effective than location-based blocking for tackling bot problems in your business. At Netacea, we use hundreds of behavior-based signals — including location — to identify genuine bots, while allowing real users to access your site seamlessly. Our Intent Analytics engine compares user actions against our behavior database to determine whether a visitor is a real person or a bot.
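The contrast between geofencing and behavior-based detection, as an added example (it is not Netacea's Intent Analytics engine or any code from this article). The sessions are constructed, and the three behavioral signals, their weights and the 0.5 threshold are assumptions chosen for illustration; location is kept as one weak signal that cannot decide on its own.

```python
from statistics import mean, pstdev

ALLOWED_COUNTRIES = {"US"}  # assumed geofence for a US-only site

# Constructed sessions: (GeoIP country, request times in seconds, paths requested)
SESSIONS = {
    # Automated login traffic leaving through a US residential proxy
    "s1": ("US", [i * 0.5 for i in range(20)], ["/login"] * 20),
    # Real shopper browsing from outside the geofence
    "s2": ("VN", [0, 3, 14, 18, 45, 53],
           ["/", "/products", "/products/7", "/cart", "/checkout", "/account"]),
    # Real visitor inside the geofence
    "s3": ("US", [0, 6, 9, 31, 40], ["/", "/blog", "/blog/bots", "/pricing", "/contact"]),
}

def geo_decision(country):
    """Location-only rule: block anything outside the geofence."""
    return "allow" if country in ALLOWED_COUNTRIES else "block"

def behaviour_score(country, times, paths):
    """Sum of weighted signals (weights are assumptions, not a vendor model)."""
    score = 0.0 if country in ALLOWED_COUNTRIES else 0.1  # location: weak signal
    if len(times) < 3:
        return score  # too little activity to judge behavior
    gaps = [b - a for a, b in zip(times, times[1:])]
    rate = len(times) / max(times[-1] - times[0], 1.0)  # requests per second
    jitter = pstdev(gaps) / max(mean(gaps), 1e-9)       # near 0: machine-regular timing
    variety = len(set(paths)) / len(paths)              # near 0: one endpoint hammered
    score += 0.4 if rate > 1.0 else 0.0
    score += 0.3 if jitter < 0.1 else 0.0
    score += 0.3 if variety < 0.2 else 0.0
    return round(score, 2)

def behaviour_decision(country, times, paths, threshold=0.5):
    """Block only when the combined behavioral evidence crosses the threshold."""
    return "block" if behaviour_score(country, times, paths) >= threshold else "allow"

def compare(sessions=SESSIONS):
    """Return {session_id: (geo verdict, behavior verdict)} for each session."""
    return {sid: (geo_decision(c), behaviour_decision(c, t, p))
            for sid, (c, t, p) in sessions.items()}

if __name__ == "__main__":
    for sid, (geo, behaviour) in compare().items():
        print(f"{sid}: geo={geo:5} behaviour={behaviour}")
```

The geofence lets the proxied session `s1` through and turns away the real visitor `s2`; the behavior score reverses both verdicts.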
With Netacea’s bot detection software, you can also expect:
- Agentless technology that won’t compromise performance or speed
- Protection for your entire estate — including your website, app, and API
- A false positive threat detection rate of less than 0.001%
- Excellent user experience for your real site visitors.
Find out more about our active threat database and how we use it to block more bots, no matter where they come from.