A recent report from Akamai has found that the publishing industry accounts for “63% of AI bot triggers,” which is likely tied to “extensive content scraping,” for training AI bots.

The Akamai report concludes that “the rise of AI bots poses an existential threat to web-based business models. Organizations face plummeting traffic and ad revenue while their analytics become polluted with bot activity from agentic assistants that mimic human behaviour, but generate zero value.”

According to the research, AI tools have “enabled the automation of phishing, social engineering, and identity fraud campaigns, increasing both the scale and speed of attacks while minimizing the human errors that typically trigger detection… [AI has] lowered the barriers to entry for cybercriminals and facilitated the execution of diverse online fraud schemes.” 

As well as news, broadcast and publishing companies, the report identifies other industries affected by AI bots. Commerce has the most AI bot activity of any industry, reaching more than 25 billion bot requests during Akamai’s two-month observation period.

“Online businesses are experiencing side effects from bots. It could be from helpful bots like search engines and monitoring bots that help with accessibility tools, or harmful bots such as FraudGPT, WormGPT, ad fraud traffic, and return fraud bots that lead to increased expenses, site performance degradation, and key metrics pollution,” said the report.

Heathcare is another business sector significantly affected by bots that scrape health information for AI answers. “More than 90% of the AI bot triggers within the healthcare industry are attributed to scraping activities, mainly from search and training bots.”

Bots have been around for a long time, some are helpful and some are harmful.

• Helpful AI bots include: Search engines, monitoring and accessibility tools
• Harmful AI bots include: Account takeover, fraud, distributed denial of service (DDoS), content theft

According to the World Federation of Advertisers,  ad fraud is likely to exceed more than US$50B globally by this year. Ad fraud traffic bots can mimic human browsing and engagement behaviour online with the goal of manipulating digital advertising systems. Publishers are urged to learn how to react to the new forms of bot activity.

Akamai is an American computer security and cloud provider company. The full report is available here

Earlier this year, at IBC, Steve Ahern explored the constantly evolving need for cyber security protection with Acamai’s Chief Operating Officer and General Manager, Cloud Technology Group, Adam Karon.

Edited transcript:

ADAM:
Akamai started in the content delivery business and still the heart of our business is delivering large media streaming, ] downloads and websites.

Back in the 2010, we pivoted very hard into the cybersecurity world. Today, about half of Akamai’s revenue is cybersecurity, made up of things like DDoS, WAF, API security, micro-segmentation, Layer 3 and Layer 7, DDoS protection.  We have a broad spectrum of security services.

In 2021, we entered the cloud computing market and we launched a new cloud computing service providing a continuum of computing solutions. It’s one of our fastest growing solutions today that has core computing, full stack cloud computing from the core all the way out to our edge, offering solutions that then integrate across those security and delivery components that we have on our network.

STEVE:
I heard that your cloud network is quite distributed across the world, which has some advantages compared to the big providers who might just have a few huge data centres.

ADAM:
Yeah, always being as close to the end user is in our DNA. We want to be as close to every end user providing lowest latency, best performance, and of course, real-time answers to queries from end customers. Whether it be your AI agent that you need to get fast response from, or whether it be intercepting an attacker coming from a local computer trying to get out to somebody’s core site, we want to catch them right at the edge and attack and make sure we block it there.

STEVE:
You work with some radio broadcasters. Tell me about the services you provide for them.

ADAM:
Radio has been part of what we’ve been providing since I joined Akamai back in 2005. Some of the major radio broadcasters all over the world, media content providers, have an audio solution like a radio station, but they also provide video. So we’ll provide video, audio security for those companies. They need to protect the streams that they’re offering with tokenization, piracy protection.

We provide all those things, VPN protection, making sure that we can protect the stream, the audio or video if they have that in the geography that they want to keep it in.

In places like Europe where GDPR becomes an issue, not only protecting the stream, audio or video, but also protecting the data and keeping it localized to the country or geography or locality that they need it to be in. Some folks want it on-prem, and they have very specific encryption requirements, they want to keep it on-prem. Some want to store it in our cloud, which is why we have the geography protection data that we can provide them inside their geography. Some may have another provider, we partner with [the other providers] and make sure they can get the data where they want it to go.

STEVE:
You also work with music streaming services?

ADAM:
We work with almost all the major brands of music streaming services globally, yeah.

STEVE:
Let’s delve into security a bit deeper. The old security attacks against straight websites were denial of service attacks, but I’m sure it’s more complicated now.

ADAM:
Yeah, back in the beginning where Akamai started, Akamai’s core network came by default with an amount of  DDoS protection, Layer 7 DDoS protection, the application layer protection. We did that forever because we had to protect our own network. We were a destination for attacks for many, many years before it became the cool thing to talk about. But when Anonymous started to attack many of the financial institutions, we started to offer our internal DDoS protection as an external service. That’s really where things started for Optimize.

We then acquired a company called Prolexic, which provided best-in-class Layer 3 DDoS protection. So now we were able to offer Layer 7 application layer and Layer 3 DDoS protection as well. We still offer that as a core of what we provide. But definitely things went from there in terms of offering cloud-provided WAF solutions. We have one of the world’s leading WAF cloud solutions that anybody can offer.

We’ve seen that traffic on the internet has migrated to APIs. Most companies have hundreds, if not thousands of APIs that, while we can protect them from a generic WAF attack, we added API layer protection for them so we can actually inspect the API requests and find things that are out of whack with those. In addition, bot protection [because] bots are also doing fraudulent activities. If you’ve got DDoS protection, got cloud WAF, now you’ve got api WAF, in essence api protection, so you’re providing bot protection from fraudulent scraping or fraudulent account access. Then separate from that, we added on things that can get behind the firewall, things like micro-segmentation, to protect the infrastructure from things like ransomware, which are another vector for attacks.

STEVE:
Explain micro-segmentation for me. I think that’s a particularly important area for broadcasters to think about, because we’re constantly under attack, often from bad actors who don’t like what may be broadcast. They’re trying to get in all sorts of ways, either to plant fake news stories if they can, or at the minimum, just get inside the system and disrupt it from the inside.

ADAM:
Yeah, micro-segmentation. The easy way to think about it is think about a big boat, a ship. Inside the ship, what they build underneath in case the ship gets punctured, the external part of the ship has segments underneath. So if one part of the ship gets punctured, that little area gets filled up, but the rest of the ship stays dry internally so it doesn’t sink.

Micro-segmentation is basically that. It’s segmenting your network into separate components. This has existed for a long time, network segmentation, but it really required a network engineer to manually segment the network. Akamai offers software layer network segmentation that breaks the network off into pieces, so if a state actor were to get in, they’d only get into that small portion of endpoints. Your network is segmented and so it couldn’t spread to your organization.

You can’t always keep everybody out, but the idea is let’s protect the network. If somebody gets in through the perimeter the area they can spread out to is very, very small. That’s what a micro segmentation does for a company, it makes sure that when they get in, they will not spread.

STEVE:
And if hackers do get in, how do you know? Do you have constant monitoring?

ADAM:
Constant monitoring, constant views. We have agents that run on software-based agents that run across the network that monitor for anomalies and make sure that if somebody does get in, clamp down the network and then get help for remediation as well.

*WAF cloud solutions (Web Application Firewalls) are cloud-based web application firewalls that protect web applications by filtering malicious traffic like SQL injection and cross-site scripting (XSS) before it reaches the application.

Reporting: Steve Ahern.