The Bot Collective is coming for your login! While that might be a little hyperbolic and theatrical, the statement is also far closer to the truth than most organizations and individuals would like to believe. As we saw when conducting research for the latest Akamai State of the Internet / Security report, a large part of all login traffic is malicious, and much of the bot traffic we see every day is either questionable or downright evil. If you're a hospitality site, the vast majority (82 percent) of the logins you see are likely account takeover attempts! It's important to understand how much of your traffic is related to bots and credential abuse in order to take the steps necessary to protect yourself.

The difficulty in dealing with bot traffic is that the majority of it is beneficial, or even necessary, for modern businesses. The term "bot" covers a large swath of automated tools connecting to sites. Spiders that tiptoe through your site to feed the search engines are absolutely necessary if you want your site to be found. However, the same spider can be crippling if your site is already running in the red and the owner of the bot isn't limiting their request rate. This highlights one of the biggest problems with bots: their usefulness is highly subjective for the target.

Spiders make up the largest part of bot traffic. While the majority of their impact is positive, once you start getting away from the search engines, things get murky. Other systems might be spidering your retail site, but are they partners using approved tools to download the latest price sheet, or a competitor looking to undercut your prices by a few cents? Airlines have long had to deal with this problem, with aggressive competitors occasionally taking down sites. I've even seen over-eager partners take down a business site when they tried to crawl the entire content of a site every hour on the hour.

From there, the shading of bot activity goes from grey to black. Headless browsers and impersonators, programs pretending to be a browser client to fool the server, might be any number of positive systems. But it's more likely that they're malicious systems trying to get information intended for a real person. This includes all the tools available to scrape ticketing and retail sites, looking for the best deal or trying to be the first to get a ticket to a hot concert. If you're the user, you might think they are useful tools, but most sites find them annoying, if not downright bad for business.

Which brings the conversation back to the worst of the bots, the credential abusers. Sometimes called account takeover bots, these are the bots that log in to sites using lists of usernames and passwords easily found throughout the Internet. Basically, if you have an account with any site that's been compromised, you have to assume your login and password exist in these files and are being checked against sites across the Internet. If you want to see for yourself, you can try Troy Hunt's "have I been pwned" site. My own email shows up in at least seven different breaches, for example.

Our own research shows that 43 percent of all login attempts we see are credential abuse bots. As mentioned at the beginning of the article, hospitality sites, primarily hotels and airlines, have four times as many credential abuse bots coming to their sites as they do legitimate users. In November alone, we saw over 1 billion account takeover attempts against retailers and almost as many against hotels and travel sites. Attackers are targeting the companies that hold large caches of credit card numbers. Organizations need to take these attacks against their front door seriously and constantly update their protections as the attackers change their tactics.

What might be even more concerning for defenders is the attacks against their back door: the APIs meant for computer-to-computer communications. There's a growing body of evidence that attackers are using many of the same tools they've developed for attacking user accounts to probe site APIs. This is a serious problem because, while many sites have some detection and defensive measures enabled for their user login pages, the same level of protection doesn't exist for backend APIs. Furthermore, APIs often have wider access to the site than a single user's account, making this type of compromise exceedingly damaging.

There is no "one size fits all" solution for bots. The impact of different types of bots needs to be understood in relation to each organization's needs and appropriate steps taken, sometimes down to the level of a particular spider or crawler receiving special permissions or protections. On the other hand, credential abusers can be dealt with at multiple levels, starting with fraud detection tools on the backend of the servers, local detection methods on the web server, and out to cloud-based systems that prevent the account takeover attempts from reaching the servers in the first place.
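To make the "local detection methods on the web server" tier concrete, here is an added example (not code from this post, and not Akamai's own tooling) of the kind of log-based heuristic a defender can run over login records. It covers both points raised above: it watches a browser login form and an API token endpoint with the same rule, and it flags a client that cycles through many different usernames with a high failure rate inside a short window, which is what list-driven account takeover looks like, while leaving alone a user who mistypes a password once. The log format, endpoint paths, IP addresses, timestamps and thresholds are all constructed assumptions for the example.

```python
"""Flag credential-stuffing behaviour in login logs (illustrative heuristic).

Rule: within a sliding time window, one client hitting a login endpoint with
many *distinct* usernames and an almost-total failure rate is treated as a
credential abuse bot. Thresholds below are assumptions, not vendor defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp client_ip endpoint username status".
# 203.0.113.7  walks a credential list against the browser form (one hit: erin).
# 198.51.100.9 walks the same list against the API token endpoint.
# 192.0.2.44   is a normal user who mistypes once, then logs in.
SAMPLE_LOG = """\
2023-11-02T10:00:00Z 203.0.113.7 /login alice 401
2023-11-02T10:00:01Z 203.0.113.7 /login bob 401
2023-11-02T10:00:01Z 203.0.113.7 /login carol 401
2023-11-02T10:00:02Z 203.0.113.7 /login dave 401
2023-11-02T10:00:02Z 203.0.113.7 /login erin 200
2023-11-02T10:00:03Z 203.0.113.7 /login frank 401
2023-11-02T10:00:00Z 198.51.100.9 /api/v1/token alice 401
2023-11-02T10:00:01Z 198.51.100.9 /api/v1/token bob 401
2023-11-02T10:00:01Z 198.51.100.9 /api/v1/token carol 401
2023-11-02T10:00:02Z 198.51.100.9 /api/v1/token dave 401
2023-11-02T10:00:03Z 198.51.100.9 /api/v1/token erin 401
2023-11-02T10:00:05Z 192.0.2.44 /login grace 401
2023-11-02T10:00:20Z 192.0.2.44 /login grace 200
"""

# Assumed paths: the user-facing form and the machine-to-machine token endpoint
# are monitored with the same rule, so the API "back door" is not left uncovered.
LOGIN_ENDPOINTS = {"/login", "/api/v1/token"}


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    endpoint: str
    user: str
    status: int


def parse_log(text):
    """Parse the constructed space-separated log format into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, user, status = line.split()
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(ts, ip, endpoint, user, int(status)))
    return events


def find_credential_abuse(events, window=timedelta(minutes=5), min_attempts=5,
                          min_distinct_users=4, min_failure_rate=0.8):
    """Return {(ip, endpoint): summary} for clients matching the stuffing pattern.

    A client is flagged as soon as any `window`-sized slice of its attempts meets
    all three thresholds; the summary then covers all of that client's attempts,
    including which usernames succeeded (accounts to reset / alert on).
    """
    by_client = defaultdict(list)
    for e in events:
        if e.endpoint in LOGIN_ENDPOINTS:
            by_client[(e.ip, e.endpoint)].append(e)

    flagged = {}
    for key, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the slice spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            attempts = len(span)
            failures = sum(1 for e in span if e.status != 200)
            users = {e.user for e in span}
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and failures / attempts >= min_failure_rate):
                flagged[key] = {
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if e.status != 200),
                    "distinct_users": len({e.user for e in evs}),
                    "compromised": sorted(e.user for e in evs if e.status == 200),
                }
                break
    return flagged


if __name__ == "__main__":
    for (ip, endpoint), summary in find_credential_abuse(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} -> {endpoint}: {summary}")
```

The distinct-username count is what separates this pattern from a brute-force guess against one account or a forgetful user: a stuffing bot tries each stolen pair once and moves on, so per-account lockouts never trigger. The `compromised` list is the actionable output for the fraud team, since a 200 inside a flagged run means a leaked credential worked.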