
Good Bot, Bad Bot: Not all bots are created equal

By Amol Mathur, Director, Product Management and Strategy, Security, Asia Pacific and Japan, Akamai Technologies

Credential stuffing is when hackers or fraudsters obtain a database of leaked usernames and passwords and test those credentials across many other sites to find where else they work because of password reuse.

Using the same username and password across multiple personal and professional online applications is quite common. For instance, if the same usernames and passwords (credentials) from the recent data breach in Malaysia, where the customer data of more than 46 million mobile subscribers was leaked onto the dark web, are re-used on other sites, it is easy for hackers to use bots to validate those usernames and passwords against those other sites.

The validated credentials are then used to perform fraudulent activities, which is known as Account Takeover.

The end goal is to take over the accounts and carry out fraudulent activities, such as making fraudulent purchases or financial transactions, or stealing additional confidential data. A compromised account is 17x more valuable than a stolen credit card number[1]. Depending on the account and the value it holds, the attacker may attempt to cash out value from reward programs and gift cards.

Akamai views this as a new class of threat that traditional security solutions are not designed to deal with, and recognises that detecting this new category of threat depends on the ability to detect highly sophisticated bots.

In a recent Ponemon report, “The Cost of Credential Stuffing” (Oct 2017), over 80% of survey respondents stated that it is difficult to differentiate “real” employees and customers from criminal impostors using stolen credentials. Credential stuffing attacks are hard to detect and remediate.

When organizations detect fraudulent activity targeting user accounts, or such activity is reported by end users, it can most often be traced back to credential stuffing and account takeover. Some organisations set account lockout policies that trigger on multiple invalid login attempts. Credential stuffing attempts can then lock out end-user accounts at large scale, which causes a poor customer experience and a surge in calls to the help desk; that surge is another way organizations detect credential stuffing activity. Both scenarios detect the malicious activity only after the fact, when the business and IT impact has already happened.
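As an added illustration (not Akamai's code or Bot Manager logic), the following Python script runs both views over constructed authentication log lines: a per-account lockout count, and a per-source check for one source trying many distinct usernames with a low success rate, which is the signature of a stuffing campaign. The log format and the thresholds are assumptions.

```python
# Added example: contrasting per-account lockout with per-source stuffing detection.
from collections import defaultdict

# Constructed sample log lines: "timestamp source_ip username result"
SAMPLE_LOG = """\
2017-11-01T10:00:01 203.0.113.10 alice FAIL
2017-11-01T10:00:02 203.0.113.10 bob FAIL
2017-11-01T10:00:03 203.0.113.10 carol FAIL
2017-11-01T10:00:04 203.0.113.10 dave OK
2017-11-01T10:00:05 203.0.113.10 erin FAIL
2017-11-01T10:00:06 203.0.113.10 frank FAIL
2017-11-01T10:00:07 198.51.100.7 alice FAIL
2017-11-01T10:00:08 198.51.100.7 alice FAIL
2017-11-01T10:00:09 198.51.100.7 alice OK
"""

LOCKOUT_THRESHOLD = 5    # assumed policy: lock an account after 5 failed attempts
MIN_DISTINCT_USERS = 5   # assumed: one source trying at least 5 different accounts
MAX_SUCCESS_RATIO = 0.2  # assumed: stuffing succeeds on only a small fraction of tries


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def accounts_locked(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a naive per-account lockout policy would lock (after the fact)."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def stuffing_sources(events, min_users=MIN_DISTINCT_USERS, max_ratio=MAX_SUCCESS_RATIO):
    """Sources that spray many distinct usernames with a low success rate."""
    per_ip = defaultdict(lambda: {"users": set(), "total": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        s["ok"] += 1 if e["ok"] else 0
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["ok"] / s["total"] <= max_ratio)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked accounts:", accounts_locked(ev))      # [] : one try per account
    print("stuffing sources:", stuffing_sources(ev))    # ['203.0.113.10']
```

With one attempt per account the lockout policy never fires, while the per-source view flags the spraying address (and its one validated credential, dave) immediately; a legitimate user fumbling their own password from 198.51.100.7 is not flagged.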

Using Akamai’s Bot Manager Premier solution, organizations can detect and mitigate credential stuffing campaigns before they reach their origin.

Akamai versus credential stuffing

Bot Manager provides a flexible framework to help you better manage interactions with bots. Identify, categorize and take the appropriate action on different types of bots based on their business and IT impact. Report on and analyze the behavior of individual bots or categories of bots. Bot Manager can help you get more from your website, increase online revenue, shift your competitive dynamics, reduce the incidence of fraud and better engage with your customers.

The solution is able to detect highly distributed and sophisticated bots by collecting telemetry data and analysing it with machine learning to determine whether it represents human behaviour.

Data is collected from input devices, including key presses, mouse movement and path, button clicks, touch-screen presses and swipes, and gyroscope and accelerometer readings. The analysis engine is built on machine learning algorithms that have processed billions of requests, enabling highly accurate detection of bots involved in malicious activities, including credential stuffing.

An Akamai ecommerce customer quantified that they have saved over USD$20 million annually from the deployment of this solution.

Bots – bane of the Internet?

Bots are often associated solely with Distributed Denial of Service (DDoS) attacks, but bots are simply software programs. The best-known examples of good bots are the bots from search engines such as Google and Yahoo, which make the modern Internet possible.

Bots are programs that operate as an agent for a user or another program, or simulate human activity.

There are two main types of bots: good bots, which play a legitimate role in an organisation’s online business strategy or operations, and bad bots, which scrape websites for content or pricing on behalf of competitors, harm businesses by launching DDoS attacks, or are programmed to carry out other malicious activities.

Up to 60 percent of an organisation’s web traffic could be generated by bots, and excessive malicious bot traffic may force significantly higher investment in web server capacity, bandwidth and other network infrastructure, without any corresponding gain in revenue.

Companies need to adopt a more comprehensive strategy for dealing with bots: one that helps them identify and understand what types of bot traffic are hitting their sites, and that provides remediation capabilities beyond simple blocking.

Flexible and nimble mitigation responses give customers a range of options, including automated rules that apply actions based on time of day, URL accessed or traffic levels. Additional responses include redirecting bots to alternate content or websites, serving content from cache to offload the web server, alerting on requests from known bots for further analysis, and integrating with a SIEM or triggering an incident response investigation.

Akamai’s Bot Manager Premier provides visibility into the composition of traffic to customer websites, accurate detection and categorisation of bots, and a wide range of mitigation actions, giving customers a complete framework for bot management.

