Automated attack trends were analyzed by HUMAN Security. The report analyzed methods such as account takeover, brute forcing, carding, credential stuffing, inventory hoarding, scalping and web scraping.

Bad bot traffic overall increased even as people spent less time online. Legitimate human traffic dropped 28% year-over-year, but bad bot traffic increased 102% — meaning that the percentage of bad bots out of overall traffic has increased even faster. Web applications experienced an increase in three common types of bot attacks. Carding attacks rose 134%, account takeover attacks rose 108% and scraping rose 107%.

Bad bots accounted for 57% of traffic to online businesses in the media and streaming industry. Just under 50% of traffic to companies in the travel and hospitality industry (49%) and the ticketing and entertainment industry (46%) was automated. The holiday shopping season drew more automated attacks than the rest of the year; the peak day (October 25) saw 199% more bad bot traffic than the yearly average.

Twenty-six percent of malicious requests appeared to come from mobile, as compared to 61% of legitimate requests and more than 68% of worldwide malicious traffic came from U.S. proxy servers. That number drops to 47% when looking only at traffic to non-U.S. applications, and grows to 75% for traffic to U.S. applications only.