Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

Your streaming service is fertile ground for bot attacks

By Andy Still
streaming services
March 23, 2021

If you tuned in to watch Tom Brady and that big Sunday football game in early February, chances are you paid attention to the ads as much as the action. Mixed in with cars, tortilla chips and mortgages was a spot for Paramount +, a new streaming service hitting the market. Today, it seems like every few weeks, a new content provider launches an exclusive way to access entertainment. In the last year alone, we saw the introduction of Disney+, Peacock, HBO Max, and others.

This is good news for consumers who want exclusive access to content, good news for broadcasters who can charge a premium for access, and especially good news for hackers. Yep, hackers. Streaming services are an enticing target for cybercriminals who use malicious bots to grab your customer’s account information and then sell or even use it themselves to access other services.

So what’s their goal? Usernames and passwords, of course. We know that consumers are not fans of devising unique and hard-to-crack passwords, especially for a service that doesn’t hold a lot of personal data. According to research, 25% of people use passwords that are less secure because they are easier to remember. And 39% say that they use the same or similar passwords for many of their online accounts. A remarkable 41% of adults have shared the password to one of their online accounts with a friend or family member. This is especially common within the world of streaming services.

If consumers can’t be convinced to protect their accounts, how can streaming services protect them from being stolen and sold on the dark web?

 

How are bots targeting streaming services?

As more streaming services enter the marketplace, the probability of being targeted increases. Like a kid in a candy store, hackers infiltrate services and gain unauthorized access to account credentials through account takeover (ATO) attacks. They then either use the credentials themselves or sell it on the dark web for a profit where volume is the commodity. The more account information they steal, the more they can charge.

One ATO tactic is credential cracking. An account is worthless unless it can be accessed, so hackers spend considerable time and resources to determine the correct user ID and password combinations. Sometimes they have complete information – both username and password – making their job easy. Other times they only have partial information and must try many different mixes to break in.

Once a winning combination is found, cybercriminals use credential stuffing techniques and software to test it against other sites where individuals have reused username and password information. If sign-in credentials stolen from a streaming service match those used to log onto a bank account, for example, the hacker has access to even more identifying information as well as the ability to steal funds or credit card numbers.

Success rates for basic combination testing are typically low – unless the hackers are using bots. A bot can attempt multiple combinations in a fraction of a second. One recent attack at a single streaming service attempted approximately 300,000 unique username and password combinations in just over five hours. In this short amount of time, the hackers accurately harvested 1,500 combinations, a .0005% success rate. This amount of information has big pay out potential.

Fake account creation is another tactic where malicious bots target streaming services. In this case, bots create new accounts that are not linked to real users. Cybercriminals use this automated bot threat to commit fraud, including generating spam or abusing new account promotions, such as free subscription months or product discount offerings.

Getting a hold of fake account bots is not difficult. They are readily available on the Genesis Market, an invite-only deep web marketplace that is dedicated to the sale of bots. Genesis Market bots specialize in the large-scale infection of consumer devices to steal fingerprints, cookies, saved logins, and autofill form data. That data is then packaged up and put up for sale. Buyers are provided with a custom browser where the data is loaded, giving them the ability to browse the internet masquerading as a hapless victim. This allows attackers to remain undetected by traditional “client side” mechanisms. At any one-time, the Genesis Market has hundreds of thousands of bots readily available and easy to use. This represents millions of dollars of illegal transactions passing from criminal to criminal.

 

Preventing malicious bot attacks and protecting customers

Streaming services are potentially more vulnerable than other businesses because customers tend to use easier password combinations for logging on via televisions or iPads. As a result, these companies need to be vigilant in recognizing and blocking these attempts.

Many businesses feel that they don’t need protection because they practice re-authentication for accounts. Wrong. The use of stolen credentials in combination with device fingerprints can be enough to circumvent controls. Recently, Spotify suffered a second incident, a credential-stuffing attack where 100,000+ user accounts were compromised. If it happened to them, it could happen to you.

So, how can you protect your streaming service?

First, recognize the signs that your business could be under attack. An increased use in fraudulent customer disputes is one red flag. Another typical sign of ATO fraud is seeing hundreds of login attempts or mass quantities of password resets. Pay attention to user patterns, such as how long someone is spending on pages, how quickly they make requests, and if the navigation is that of a typical user on your website. Looking at whether content on the page loads completely also helps spot unusual patterns.

Second, invest in a bot detection solution designed to quickly identify abnormal user behavior. This type of software can spot fake account creation behavior and ATO activity. You’ll want to ensure that whatever solution you use, it protects all your assets, including your website, mobile app and APIs. It also should be able to identify and prioritize legitimate users and separate good from bad so that services remain undisrupted. You can then analyze the data and make informed decisions about your traffic.

Losses from ATO and fraud cost businesses across all industries billions of dollars per year. As cybercriminals see more streaming services hit the market, the opportunity to steal more accounts is enticing. Not taking action, however, can lead to severe financial losses and permanent reputational damage. In a competitive marketplace, the last thing you want to do is give consumers a reason to leave your service. Knowing how to protect your business from the inside out will help customers stay for the long haul and have confidence in the security of your service.

KEYWORDS: cyber security hackers risk management streaming video

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Andy stillcto netacea

Andy Still is the CTO & Co-Founder at Netacea and a pioneer of digital performance for online systems. As Chief Technology Officer, he leads the technical direction for Netacea’s products, as well as providing consultancy and thought leadership to clients. Andy has authored several books on computing and web performance, application development and non-human web traffic.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • digitalshadows

    Introducing Nulledflix - a video streaming service created exclusively for a cybercriminal forum

    See More
  • install_enews

    Is Your Security Service Strategy Hurting Your Business?

    See More
  • cloud security freepik

    CASB, CWPP, CSPM, and CNAPP: Which one is right for securing your cloud environment?

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • 1119490936.jpg

    Solving Cyber Risk: Protecting Your Company and Society

  • Photonic-Sensing.gif

    Photonic Sensing: Principles and Applications for Safety and Security Monitoring

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing