The Bot Collective is coming for your login! While that might be a little hyperbolic and theatrical, the statement is also far closer to the truth than most organizations and individuals would like to believe. While conducting research for the latest Akamai State of the Internet / Security report, we found that a large part of all login traffic is malicious and much of the bot traffic we see every day is either questionable or downright evil. If you’re a hospitality site, the vast majority – 82 percent – of the logins you see are likely account takeover attempts! It’s important to understand how much of your traffic is related to bots and credential abuse in order to take the steps necessary to protect yourself.
The difficulty in dealing with bot traffic is that the majority of it is beneficial, or even necessary, for modern businesses. The term “bot” covers a large swath of automated tools connecting to sites. Spiders that tiptoe through your site to enable search engines are absolutely necessary if you want your site to be found. However, the same spider can be crippling if your site is already running in the red, and the owner of the bot isn’t limiting their request rate. This highlights one of the biggest problems with bots: their usefulness is highly subjective for the target.
Spiders make up the largest part of bot traffic. While the majority of their impact is positive, once you start getting away from the search engines, things get murky. Other systems might be spidering your retail site, but are they partners using approved tools to download the latest price sheet, or a competitor looking to undercut your prices by a few cents? Airlines have long had to deal with this problem, with aggressive competitors occasionally taking down sites. I’ve even seen over-eager partners take down a business site when they tried to crawl the entire content of a site every hour on the hour.
From there, the shading of bot activity goes from grey to black. Headless browsers and impersonators, programs pretending to be a browser client to fool the server, might be any number of positive systems. But it’s more likely that they’re malicious systems trying to get information intended for a real person. This includes all the tools available to scrape ticketing and retail sites, looking for the best deal or trying to be the first to get a ticket to a hot concert. If you’re the user, you might think they are useful tools, but most sites find them annoying, if not downright bad for business.
Which brings the conversation back to the worst of the bots, the credential abusers. Sometimes called account takeover bots, these are the bots that log in to sites using lists of usernames and passwords easily found throughout the Internet. Basically, if you have an account with any site that’s been compromised, you have to assume your login and password exist in these files and are being checked against sites across the Internet. If you want to see for yourself, you can try Troy Hunt’s “have I been pwned” site. My own email shows up in at least seven different breaches, for example.
Our own research shows that 43 percent of all login attempts we see are credential abuse bots. As mentioned at the beginning of the article, hospitality sites, primarily hotels and airlines, have four times as many credential abuse bots coming to their sites as they do legitimate users. In November alone, we saw over 1 billion account takeover attempts against retailers and almost as many against hotels and travel sites. Attackers are hitting the companies with large caches of credit card numbers. Organizations need to take these attacks against their front door seriously and constantly update their protections as the attackers change their tactics. What might be even more concerning for defenders are the attacks against their back door, the APIs meant for computer-to-computer communications.
There’s a growing body of evidence that attackers are using many of the same tools they’ve developed for attacking user accounts to probe site APIs. This is a serious problem, because while many sites have some detection and defensive measures enabled for their user login pages, the same level of protection doesn’t exist for backend APIs. Furthermore, APIs often have wider access to the site than a single user’s account, making this type of compromise exceedingly damaging.
There is no ‘one size fits all’ solution for bots. The impact of different types of bots needs to be understood in relationship to each organization’s needs and appropriate steps taken, sometimes down to the level of a particular spider or crawler receiving special permissions or protections. On the other hand, credential abusers can be dealt with at multiple levels, starting with fraud detection tools on the backend of the servers, local detection methods on the web server, and on out to cloud-based systems that prevent the account takeover attempts from reaching the servers in the first place.
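As an added illustration of the server-side detection layer mentioned above (not code from the article or from Akamai), the sketch below separates list-based credential abuse from an ordinary user mistyping a password. The event format, thresholds and sample data are assumptions constructed for the example; the same logic applies to authentication events from an API endpoint.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# Addresses are from documentation ranges; none of this is real traffic.
SAMPLE_EVENTS = (
    [("198.51.100.7", f"user{i}@example.com", i == 37) for i in range(60)]
    + [("203.0.113.20", "alice@example.com", ok) for ok in (False, False, True)]
    + [("203.0.113.21", "bob@example.com", True)]
)

def summarize(events):
    """Per-source totals: attempts, failures, distinct usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, success in events:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if success else 1
        s["users"].add(user.lower())
    return stats

def flag_credential_abuse(events, min_users=20, min_fail_ratio=0.9):
    """Return sources whose login pattern looks like list-based credential abuse.

    A person who mistypes a password fails repeatedly against ONE account.
    A bot replaying a breached list tries MANY accounts and almost all fail,
    so both signals are required. Thresholds are assumptions to tune.
    """
    flagged = {}
    for ip, s in summarize(events).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 3),
                # Any success from a flagged source is a likely takeover:
                # those accounts need a forced reset, not just a block.
                "compromised": sorted(
                    u for i, u, ok in events if i == ip and ok
                ),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_credential_abuse(SAMPLE_EVENTS).items():
        print(ip, info)
```

Per-source counting like this misses abuse spread thinly across many addresses, which is one reason the article lists backend fraud detection and cloud-based systems as further layers.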