SAN FRANCISCO, CA--(Marketwired - March 16, 2017) - Almost every website with a login page is under attack from bad bots, the automated programs used by hackers, fraudsters and competitors to carry out a variety of nefarious activities, according to a new report from Distil Networks, Inc., the global leader in bot detection and mitigation.

Today, Distil released its fourth Bad Bot Report titled, "The 2017 Bad Bot Report: If You Build It, They Will Come." It serves as the IT security industry's most in-depth analysis on the sources, types and sophistication levels of 2016's bot activity.

The report found that websites requiring a login are almost certain to be attacked by bad bots, with 96 percent of such sites targeted by malicious bots. Bad bots are used by competitors, hackers and fraudsters and are the key culprits behind web scraping, brute force attacks, competitive data mining, online fraud, account hijacking, data theft, spam, digital ad fraud, and downtime.

"Massive credential dumps like Ashley Madison and Yahoo, coupled with the increasing sophistication of bad bots, has created a world where bad bots are running rampant on websites with accounts," said Rami Essaid, CEO and co-founder of Distil Networks. "Website defenders should be worried because once bad bots are behind the login page, they have access to even more sensitive data for scraping and greater opportunity to successfully carry out transaction fraud."

Key Findings:

Bad Bots By The Numbers:

  • 40% of all web traffic in 2016 originated from bots. Bad bots alone were responsible for 20% of web traffic and increasingly impact large websites.
  • 76% of bad bots lie about coming from the most popular browsers, including Chrome, Safari, Internet Explorer and Firefox.
  • 60% of bad bots come from data centers, as opposed to residential or mobile. Amazon is the top originating Internet Service Provider (ISP) for the third year in a row, with 16% of all bad bot traffic -- four times more than the next ISP.
  • 16% of bad bots self-reported as mobile users. For the first time, Mobile Safari made the top five list of self-reported user agents, outranking Web Safari.
  • 75% of bad bots were Advanced Persistent Bots (APBs). Today's APBs are either sophisticated in that they can load JavaScript, hold onto cookies, and load up external resources, or persistent, in that they can randomize their IP address, headers, and user agents.

Automated Threats in Detail:

  • 97% of websites with proprietary content and/or pricing are being hit by unwanted scraping.
  • 90% of websites were hit by bad bots that were behind the login page, including websites with account login sections, payment portals, and transaction platforms.
  • 31% of websites with forms are hit by spam bots, which damages customer experience, affects brand perception, and diverts traffic off the site.

The report also includes attributes that make specific websites appealing to bad bot actors. Websites that have one of the following attributes are most attractive to bad bots:

  • Unique content and/or product and pricing information
  • Sign-up, login, and account pages
  • Payment processors
  • Web forms, such as contact, discussion forums, and reviews

The findings are based on 2016 data collected from Distil Networks' global network, and include hundreds of billions of bad bot requests, anonymized over thousands of domains.

To download a full copy of the report, visit

To learn more, register for the upcoming webinar "Distil Networks 2017 Bad Bot Report -- 6 High Risk Lessons for Website Defenders," taking place on Tuesday, March 21, at 10AM PT/1PM ET.

About Distil Networks
Distil Networks, the global leader in bot detection and mitigation, is the only proactive and precise way to mitigate bad bots across web applications, mobile and APIs. With Distil, you automatically block 99.9% of malicious traffic without impacting legitimate users. Distil Web Security defends websites against web scraping, competitive data mining, account takeovers, transaction fraud, unauthorized vulnerability scans, spam, man-in-the-middle attacks, digital ad fraud, and denial of service. Distil API Security protects public and partner-facing APIs against developer errors, integration bugs, automated scraping, and web and mobile hijacking. For more information on Distil Networks, visit us at or follow @DISTIL on Twitter.

Contact Information:

Media Contact
Lauren Hillman
Kulesa Faul for Distil Networks
P: 510-394-2145