If you tuned in to watch Tom Brady and that big Sunday football game in early February, chances are you paid attention to the ads as much as the action. Mixed in with cars, tortilla chips and mortgages was a spot for Paramount +, a new streaming service hitting the market. Today, it seems like every few weeks, a new content provider launches an exclusive way to access entertainment. In the last year alone, we saw the introduction of Disney+, Peacock, HBO Max, and others.

This is good news for consumers who want exclusive access to content, good news for broadcasters who can charge a premium for access, and especially good news for hackers. Yep, hackers. Streaming services are an enticing target for cybercriminals who use malicious bots to grab your customer’s account information and then sell or even use it themselves to access other services.

So what’s their goal? Usernames and passwords, of course. We know that consumers are not fans of devising unique and hard-to-crack passwords, especially for a service that doesn’t hold a lot of personal data. According to research, 25% of people use passwords that are less secure because they are easier to remember. And 39% say that they use the same or similar passwords for many of their online accounts. A remarkable 41% of adults have shared the password to one of their online accounts with a friend or family member. This is especially common within the world of streaming services.

If consumers can’t be convinced to protect their accounts, how can streaming services protect them from being stolen and sold on the dark web?

 

How are bots targeting streaming services?

As more streaming services enter the marketplace, the probability of being targeted increases. Like a kid in a candy store, hackers infiltrate services and gain unauthorized access to account credentials through account takeover (ATO) attacks. They then either use the credentials themselves or sell it on the dark web for a profit where volume is the commodity. The more account information they steal, the more they can charge.

One ATO tactic is credential cracking. An account is worthless unless it can be accessed, so hackers spend considerable time and resources to determine the correct user ID and password combinations. Sometimes they have complete information – both username and password – making their job easy. Other times they only have partial information and must try many different mixes to break in.

Once a winning combination is found, cybercriminals use credential stuffing techniques and software to test it against other sites where individuals have reused username and password information. If sign-in credentials stolen from a streaming service match those used to log onto a bank account, for example, the hacker has access to even more identifying information as well as the ability to steal funds or credit card numbers.

Success rates for basic combination testing are typically low – unless the hackers are using bots. A bot can attempt multiple combinations in a fraction of a second. One recent attack at a single streaming service attempted approximately 300,000 unique username and password combinations in just over five hours. In this short amount of time, the hackers accurately harvested 1,500 combinations, a .0005% success rate. This amount of information has big pay out potential.

Fake account creation is another tactic where malicious bots target streaming services. In this case, bots create new accounts that are not linked to real users. Cybercriminals use this automated bot threat to commit fraud, including generating spam or abusing new account promotions, such as free subscription months or product discount offerings.

Getting a hold of fake account bots is not difficult. They are readily available on the Genesis Market, an invite-only deep web marketplace that is dedicated to the sale of bots. Genesis Market bots specialize in the large-scale infection of consumer devices to steal fingerprints, cookies, saved logins, and autofill form data. That data is then packaged up and put up for sale. Buyers are provided with a custom browser where the data is loaded, giving them the ability to browse the internet masquerading as a hapless victim. This allows attackers to remain undetected by traditional “client side” mechanisms. At any one-time, the Genesis Market has hundreds of thousands of bots readily available and easy to use. This represents millions of dollars of illegal transactions passing from criminal to criminal.

 

Preventing malicious bot attacks and protecting customers

Streaming services are potentially more vulnerable than other businesses because customers tend to use easier password combinations for logging on via televisions or iPads. As a result, these companies need to be vigilant in recognizing and blocking these attempts.

Many businesses feel that they don’t need protection because they practice re-authentication for accounts. Wrong. The use of stolen credentials in combination with device fingerprints can be enough to circumvent controls. Recently, Spotify suffered a second incident, a credential-stuffing attack where 100,000+ user accounts were compromised. If it happened to them, it could happen to you.

So, how can you protect your streaming service?

First, recognize the signs that your business could be under attack. An increased use in fraudulent customer disputes is one red flag. Another typical sign of ATO fraud is seeing hundreds of login attempts or mass quantities of password resets. Pay attention to user patterns, such as how long someone is spending on pages, how quickly they make requests, and if the navigation is that of a typical user on your website. Looking at whether content on the page loads completely also helps spot unusual patterns.

Second, invest in a bot detection solution designed to quickly identify abnormal user behavior. This type of software can spot fake account creation behavior and ATO activity. You’ll want to ensure that whatever solution you use, it protects all your assets, including your website, mobile app and APIs. It also should be able to identify and prioritize legitimate users and separate good from bad so that services remain undisrupted. You can then analyze the data and make informed decisions about your traffic.

Losses from ATO and fraud cost businesses across all industries billions of dollars per year. As cybercriminals see more streaming services hit the market, the opportunity to steal more accounts is enticing. Not taking action, however, can lead to severe financial losses and permanent reputational damage. In a competitive marketplace, the last thing you want to do is give consumers a reason to leave your service. Knowing how to protect your business from the inside out will help customers stay for the long haul and have confidence in the security of your service.