News, Education and Events Decoding Digital Payments & Fraud

No Ifs, Ands or Bots: How Bad Bots are Supercharging Account Takeover Fraud

The role bots play in online fraud has expanded significantly during the past year. One study [1] called 2017 the “year bad bots went mainstream.” In and of themselves, however, bots are neither good nor bad. They are simply tools their operators use to automate repetitive tasks on the Internet. But several of those repetitive tasks enable some very pernicious fraud types and, once programmed, the bots are exceptionally easy to operate. Merchants in the last year—especially those in travel, online gambling and some retail sectors—have seen how bad bots drive credential stuffing, and with it account takeover fraud.

Why have bots become part of the story of e-commerce fraud? It begins with the thousands of data breaches that have compromised the payment and/or personal information of billions of consumers worldwide. Hackers have made oceans of stolen information available for sale to anyone with the inclination and moral flexibility to take advantage of it. There is so much information yielded in breaches, however, that a means to winnow it down to the most valuable pieces became necessary.

Just a Link in the Fraud Value Chain

As perpetrating fraud has become more lucrative, it has taken on many of the characteristics of legitimate business, including industrialization and specialization. Hackers no longer steal information and use it to commit fraud themselves. They don’t even sell it to the end users. Many links in a fraud value chain have been forged to process the raw data into a form that can be more easily leveraged for monetization—each link taking its financial cut. In one of those links, bots have become the tool of choice that criminals use to wring every dollar they can from the data.

The number of data records stolen in a breach can range from tens or hundreds of thousands to hundreds of millions or even billions. Increasingly, the most targeted records are not payment card accounts, they are email addresses and passwords that can be used to access the online accounts of unsuspecting consumers. And, because people reuse username/password combinations across many different accounts, one stolen login could give a criminal access to more than one account.

Given the massive amount of information contained in an average breach, going through it manually to validate usable credentials would not be feasible. Enter bots. The recipient of bulk data wants to validate the username/password combinations on as many sites as possible. So they load up specially programmed bots (created by still other members of the fraud value chain—another specialty) with the thousands or millions of stolen credentials they purchased on the Dark Web and attack login pages around the Internet.

The bots then engage in credential stuffing—automatically testing those credentials to see which accounts they can successfully log into. The credential stuffer then sells the smaller list of valid account credentials (either individually or in chunks) for much more than they paid for the original bulk list.
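What credential stuffing described above looks like from the defender's side, as an added example that is not part of the original article or of any vendor's product: a small detector run over constructed login log lines. The log format (`timestamp ip=... user=... result=ok|fail`), the IP addresses and the thresholds are assumptions chosen for the example. The key signal is the one the paragraph implies: a stuffing source tries many different usernames about once each with a low success rate, whereas a password brute force hammers one username, and a legitimate shared address mostly succeeds.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical key=value login log format (an assumption for this example):
#   <ISO-8601 UTC timestamp> ip=<source> user=<username> result=ok|fail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Attempt(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["ip"], m["user"], m["result"] == "ok")


def build_sample_log() -> str:
    """Constructed sample traffic (not real data): two legitimate users, one
    credential-stuffing source and one brute-force source, all within a minute."""
    t0 = datetime(2017, 11, 3, 10, 0, 0)

    def line(offset: int, ip: str, user: str, ok: bool) -> str:
        ts = (t0 + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} ip={ip} user={user} result={'ok' if ok else 'fail'}"

    lines = [
        line(0, "198.51.100.4", "alice@example.com", True),
        line(40, "198.51.100.9", "bob@example.com", False),  # typo, then success
        line(55, "198.51.100.9", "bob@example.com", True),
    ]
    # Credential stuffing: one source tries 40 *different* usernames once each
    # (a breached list being validated); two of the pairs happen to work.
    lines += [line(i, "203.0.113.7", f"u{i:03d}@example.net", i in (7, 23))
              for i in range(40)]
    # Password brute force: one source, one username, 20 wrong passwords.
    lines += [line(i, "203.0.113.50", "carol@example.com", False) for i in range(20)]
    return "\n".join(lines)


def label_source(attempts: List[Attempt], window: timedelta, min_attempts: int,
                 min_distinct_users: int, max_success_ratio: float) -> Optional[str]:
    """Slide a time window over one source's attempts and return the first label
    that fires, or None if the source never looks automated."""
    attempts = sorted(attempts, key=lambda a: a.ts)
    start = 0
    for end in range(len(attempts)):
        while attempts[end].ts - attempts[start].ts > window:
            start += 1
        win = attempts[start:end + 1]
        if len(win) < min_attempts:
            continue
        if sum(a.ok for a in win) / len(win) > max_success_ratio:
            continue  # mostly successful: a busy NAT or office proxy, not an attack
        distinct = len({a.user for a in win})
        if distinct >= min_distinct_users:
            return "credential_stuffing"  # many accounts, about one try each
        if distinct == 1:
            return "brute_force"          # one account, many password guesses
    return None


def classify_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_attempts: int = 20, min_distinct_users: int = 15,
                     max_success_ratio: float = 0.2) -> Dict[str, str]:
    """Group attempts by source IP and return {ip: label} for flagged sources."""
    per_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for raw in log_text.splitlines():
        a = parse_line(raw)
        if a is not None:
            per_ip[a.ip].append(a)
    verdicts: Dict[str, str] = {}
    for ip, attempts in per_ip.items():
        label = label_source(attempts, window, min_attempts,
                             min_distinct_users, max_success_ratio)
        if label:
            verdicts[ip] = label
    return verdicts


def validated_accounts(log_text: str, verdicts: Dict[str, str]) -> Set[str]:
    """Accounts a flagged stuffing source logged into successfully. These are the
    'validated credentials' the attacker will resell, so they need a forced
    password reset or step-up authentication, not just a blocked IP."""
    hits: Set[str] = set()
    for raw in log_text.splitlines():
        a = parse_line(raw)
        if a is not None and a.ok and verdicts.get(a.ip) == "credential_stuffing":
            hits.add(a.user)
    return hits


if __name__ == "__main__":
    log = build_sample_log()
    v = classify_sources(log)
    print(v)  # {'203.0.113.7': 'credential_stuffing', '203.0.113.50': 'brute_force'}
    print(sorted(validated_accounts(log, v)))  # ['u007@example.net', 'u023@example.net']
```

Two caveats a practitioner would apply before trusting this in production. First, per-source thresholds only catch the naive case: a bot fleet that spreads the same list across thousands of proxy or residential addresses stays under `min_attempts` per IP, so the same distinct-username and failure-rate statistics also need to be computed site-wide and compared against a baseline. Second, the valuable output is not the blocked IP but the set returned by `validated_accounts`: those are the credentials that have just been confirmed as working and will be sold on, so they are the accounts to reset or challenge immediately.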

Quantifying the Bad Bot Problem

Using bots to validate stolen credentials—a necessary precondition for account takeover fraud at scale—has become an important marker and attack type that companies must find a way to identify. In November 2017, there were 8.3 billion login attempts on sites using content delivery network provider Akamai’s platform. Of these, an analysis by the company [2] determined that 3.6 billion were malicious, the vast majority of them generated automatically by bots testing credentials.

“In other words,” the report said, “43 percent of all logins seen by Akamai were attempts to log in to an account using password guessing or account details gathered from elsewhere on the Internet.”

Certain types of companies are especially likely to be targeted by bots with malicious aims. Of the top six industries that experience the highest percentage of bad bot traffic on their websites, four are in the business of providing products or services that require at least some level of digital delivery, according to another recent report [3].

Traffic generated by bad bots accounts for more than 53 percent of all visits to online gambling sites, more than any other merchant vertical, the report said. Airlines, ranked second at 44 percent, and ticketing sites (fifth at 23 percent) bracket financial sites and healthcare as the industries with the most bad bot activity as a share of total traffic. E-commerce retail ranked just behind ticketing, with more than 21 percent of activity on those sites originating from bad bots.

Bad bot activity is not restricted to credential stuffing (e.g., gambling, airline, ticketing and e-commerce all experience price scraping by competitors via bots), but it is a significant activity and leads directly to account takeovers.

The Great ATO Conflagration

If the proliferation of online accounts—meant to benefit customers by reducing friction at checkout—is the fire pit, and the information stolen in data breaches is the wood, then automating the process of testing large numbers of credentials across thousands of websites is the lighter fluid that has turned account takeover fraud from a campfire to a wildfire.

According to one analysis, account takeover attacks in the fourth quarter of 2017 were 182 percent higher than they were during the same period a year earlier [4].

For digital delivery merchants, the ramifications are clear. When fraudsters take over accounts they can drain them of any stored value (cash winnings, loyalty points, airline miles, gift card balances, etc.), or they can make purchases using the card on file required to establish the account and sell those goods for profit.

Bots have had a significant impact on making account takeover fraud available to the masses. Fraudsters no longer need the specialized knowledge of hackers and coders. They just need valid login credentials and the willingness to use them to steal. Both the information and the individuals are in plentiful supply, thanks to bots.

Account takeover fraud, like all fraud targeting online merchants, is becoming more sophisticated and difficult to detect. The bad bot attacks enabling ATO are an example of fraudsters raising the bar, and they require a response.

For high-risk, digital-delivery merchant verticals like gambling and airlines suffering from account takeover fraud, initiating an organizational dialogue about bots is vital. Solutions designed to identify and manage malicious Web traffic generated by bots are an increasingly important part of defending businesses against ATO and can be employed as one layer of a layered defense against fraud.

  1. 2018 Bad Bot Report: The Year Bad Bots Went Mainstream, Distil Networks
  2. Q4 2017 Akamai State of the Internet Report, Akamai Technologies
  3. 2018 Bad Bot Report: The Year Bad Bots Went Mainstream, Distil Networks
  4. Q4 2017 Cybercrime Report, ThreatMetrix