Websites give your business an unprecedented — and invaluable — level of contact with your customers. However, they also place sensitive data where it can be easily accessed with malicious intent, through the use of automated tools called bots.
Leading web security research finds bot traffic can represent up to 60% of overall web traffic, but only 28% of all bot traffic is declared.1 This includes both good bots engaging in essential business tasks, such as search engine indexers, and bad bots performing harmful activities, such as price and content scraping. One of the most harmful and costly activities these malicious bots engage in is credential stuffing, which can affect any organization with a login page on its website.
But how do you distinguish between good bots and bad bots? How do you keep your visitors’ credentials safe while still promoting the success of your site? The first step is to better understand how and why bad bots increase threats posed by malicious actors.
Following a data breach, hackers may purchase or obtain lists of stolen user credentials and load those credentials onto a botnet. Armed with leaked credentials, these bots can carry out high-volume login attempt attacks against businesses in nearly every industry. In fact, these malicious bots can execute hundreds of thousands of login attempts by using the “many to many” strategy. Meaning – they use multiple attacking resources targeting many web applications at the same time.
Current online security solutions are unable to detect malicious bots because they make distributed attacks over a period of time, so they appear to be legitimate. Plus, hackers now have the tools to evade detection by cross-targeting destinations, harvesting user tokens, and mimicking a normal user’s behavior. Not to mention a large portion of attacks target mobile APIs, which lack the same level of security as other web applications.
Once a hacker sets an algorithm, they can use bots to easily target hundreds of thousands of IP addresses day in and day out—for weeks—until they achieve their goal of credential stuffing. This attack method is often successful since many users employ the same credentials at multiple websites, so a percentage of these attempts will result in a successful login.
Malicious actors record the credentials that result in successful logins for each targeted website, so they can then execute devastating account takeovers. Today’s sophisticated bad bots can randomize IP addresses, headers, and user agents, making them even harder to protect against.
Learn more about credential stuffing and how you can protect your business.See How